We are currently doing a Proof-of-Value with ZPA and ZIA, focusing on iOS devices for now.
We use our Azure AD as the IdP. Manual sign-on works in ZApp.
Our devices are enrolled in Intune. For O365 apps (Outlook, OneDrive, …) we use the Microsoft Authenticator app to provide cross-app SSO (sign in once, access all O365 apps without an additional login).
Our expectation is that ZApp also connects to the Authenticator app and uses the same existing, valid token. This is not happening. The user has to open ZApp and authenticate to Azure AD once more.
I think ZApp would need to include the ADAL/MSAL libraries to support “broker-assisted single sign-on”.
(Android / iOS docs)
Or is there anything we can do with mobile app config?
We had a lead with the Apple Kerberos SSO extension, but our devices are internet-only (never on the corporate network), so they don’t have line-of-sight to the Domain Controller / KDC. So that won’t work.
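For reference, this is what “broker-assisted SSO” via MSAL looks like from the app side on iOS. It is an added illustration, not code from Zscaler, from the poster, or from the ZApp itself; the client ID, tenant, bundle identifier and view controller are placeholder assumptions. The point is that an app only gets the Authenticator-brokered token if it ships MSAL, registers the broker URL schemes and redirect URI, and calls the silent acquisition path before falling back to an interactive prompt.

```swift
// Added example (not Zscaler / ZApp code). Assumes MSAL for iOS is linked
// and that the app registration in Azure AD has the redirect URI below.
import UIKit
import MSAL

// Info.plist entries the broker flow needs (shown here as a comment):
//   LSApplicationQueriesSchemes: msauthv2, msauthv3
//   CFBundleURLTypes -> CFBundleURLSchemes: msauth.$(PRODUCT_BUNDLE_IDENTIFIER)
// The redirect URI must match that scheme: msauth.<bundle id>://auth

enum BrokerSSOExample {
    // Placeholder values; replace with the real app registration.
    static let clientId = "00000000-0000-0000-0000-000000000000"   // assumption
    static let tenantAuthority = "https://login.microsoftonline.com/contoso.onmicrosoft.com" // assumption
    static let redirectUri = "msauth.com.example.zpa-client://auth" // assumption
    static let scopes = ["User.Read"]                                // assumption

    static func makeClient() throws -> MSALPublicClientApplication {
        let authority = try MSALAADAuthority(url: URL(string: tenantAuthority)!)
        let config = MSALPublicClientApplicationConfig(clientId: clientId,
                                                       redirectUri: redirectUri,
                                                       authority: authority)
        return try MSALPublicClientApplication(configuration: config)
    }

    // Try the broker / cache first; only prompt if the broker reports that
    // user interaction is required (no account, revoked token, CA policy, ...).
    static func signIn(from viewController: UIViewController,
                       completion: @escaping (Result<String, Error>) -> Void) {
        do {
            let app = try makeClient()
            // The Authenticator broker can hand back accounts the user has
            // already signed into in other MSAL apps on this device.
            let account = try app.allAccounts().first

            if let account = account {
                let silent = MSALSilentTokenParameters(scopes: scopes, account: account)
                app.acquireTokenSilent(with: silent) { result, error in
                    if let result = result {
                        completion(.success(result.accessToken))   // no prompt shown
                        return
                    }
                    let nsError = error as NSError?
                    let needsUI = nsError?.domain == MSALErrorDomain &&
                        nsError?.code == MSALError.interactionRequired.rawValue
                    if needsUI {
                        interactive(app: app, from: viewController, completion: completion)
                    } else {
                        completion(.failure(error!))
                    }
                }
            } else {
                // No brokered account known yet: this is the case the poster sees,
                // where the app falls back to a fresh Azure AD login.
                interactive(app: app, from: viewController, completion: completion)
            }
        } catch {
            completion(.failure(error))
        }
    }

    private static func interactive(app: MSALPublicClientApplication,
                                    from viewController: UIViewController,
                                    completion: @escaping (Result<String, Error>) -> Void) {
        let web = MSALWebviewParameters(authPresentationViewController: viewController)
        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: web)
        app.acquireToken(with: params) { result, error in
            if let result = result {
                completion(.success(result.accessToken))
            } else {
                completion(.failure(error!))
            }
        }
    }
}

// The broker returns to the app through the msauth.<bundle id> URL scheme;
// the app delegate has to hand that URL back to MSAL.
final class AppDelegateSSOHook {
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let source = options[.sourceApplication] as? String
        return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: source)
    }
}
```

Two practical checks when evaluating whether a third-party app will pick up the Authenticator session: confirm that its Info.plist lists the `msauthv2`/`msauthv3` query schemes (without them MSAL never talks to the broker), and confirm that the Azure AD app registration for it is a public client with an `msauth.<bundle id>://auth` redirect URI. If either is missing, the app will always land on the interactive path, which is what is being observed here.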