ZIA and Azure AD IdP


(Omar) #1

Hi all,

We want to configure Azure AD to be used as the SAML IdP for ZIA authentication.
The prerequisites in the ZIA Help portal state that you must have an AD Premium subscription, while Microsoft's own page (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-zscloud-tutorial) points out that you only need a normal subscription, which is free.

Can you tell us why we need an Azure AD Premium subscription when, in our case, it is only used for authentication and auto-provisioning users on Zscaler?

(Todd) #2

Omar, mapping the user role to a security group requires a P5-level subscription. These are used for SAML attributes for things like ZPA entitlement and policy settings. But authentication would certainly work.

-Todd Harcourt-

(Omar) #3

Thanks Todd,
In a scenario where we use the normal Azure subscription and sync the users to Zscaler (which will only sync email addresses), and later on we upgrade to the Azure Premium subscription, will it sync with Zscaler and update the user hosted DB seamlessly?

(Todd) #4

If you are referring to the security groups, auto-provisioning will pull the attributes in when the user authenticates. But those will need to be configured on Azure first. Or you will need to run SCIM, which will automate the process for ZIA. SCIM is not available for ZPA currently.

I also have to state that I have not confirmed Azure license requirements for SCIM support, although I would suspect that it is the same.

Best regards,

-Todd Harcourt-
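The distinction Todd draws above (authentication needs only the user identifier in the assertion, while group/role mapping needs a group attribute that Azure AD must be configured to emit) can be checked directly on the SAML assertion the IdP returns. The following is an added example, not code from this thread, from Zscaler or from Microsoft: it parses a SAML `AttributeStatement` and reports whether the assertion carries what each use needs. The group claim name is the one Azure AD uses for group claims; the sample assertions and the group value `ZIA-Admins` are constructed, and which attribute ZIA is configured to consume is an assumption.

```python
# Added example: inspect a SAML assertion for the NameID (needed for sign-in)
# and the Azure AD group claim (needed for group-based role/policy mapping).
# Signature and Conditions validation are the service provider's job and are
# deliberately out of scope here; this only looks at the attribute content.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name Azure AD emits for group claims; ZIA mapping to it is an assumption.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

def attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result[attr.get("Name")] = values
    return result

def nameid(assertion_xml: str) -> str:
    """Return the Subject NameID, or '' if the assertion has none."""
    root = ET.fromstring(assertion_xml)
    el = root.find(".//saml:Subject/saml:NameID", NS)
    return (el.text or "") if el is not None else ""

def check_assertion(assertion_xml: str) -> dict:
    """Summarise what a relying party could do with this assertion."""
    groups = attributes(assertion_xml).get(GROUPS_CLAIM, [])
    return {
        "can_authenticate": bool(nameid(assertion_xml)),
        "groups": groups,
        "can_map_roles": len(groups) > 0,
    }

# Constructed sample: only the e-mail NameID, no group claim configured.
BASIC = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>omar@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement/>
</saml:Assertion>"""

# Constructed sample: same user once Azure AD is set to emit the group claim.
WITH_GROUPS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>omar@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>ZIA-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `check_assertion` on a captured assertion (after the SP has validated its signature) shows at a glance whether a missing group mapping is an IdP configuration gap rather than an authentication failure.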