Zscaler API Token for MCAS with Just in Time access

Hi there,

I’m trying to integrate Zscaler with our MS Defender for Cloud Apps environment to synchronize the unsanctioned apps and get logs from Zscaler into Defender for Cloud Apps. I’ve followed @NathC’s great topic here:
[Guide] Integrate Zscaler with Microsoft Cloud App Security (MCAS)
And also Zscaler’s official resources:
Integrating with Microsoft Cloud App Security

The status is the following:

  • NSS Server in our Azure environment OK
  • The connection from the NSS to Zscaler is OK
  • The connection from NSS to MCAS is OK

I’ve generated a Token from MCAS portal using my Security Administrator rights. I can validate this token on Zscaler - Partners integration page and the unsanctioned App synchronization works fine.

The problem is that the integration fails after some time. I strongly suspect that the problem comes from the fact that the token is generated by my account, which doesn’t have 24x7 Security Administrator rights (we use Privileged Identity Management). I’ve raised this assumption with Zscaler support and am waiting for an answer.

In the official Zscaler documentation, it is not explicitly explained where to get the token, but Zscaler refers to the Managing API tokens pages to create an application-context access app. This makes sense, because the access will no longer rely on my user context but on an application.
I’ve then created the application, assigned the appropriate permission, and generated the token via PowerShell using this Microsoft resource:
Create an app to access Microsoft Defender for Cloud Apps without a user

The token I create looks valid as a JWT, as I get the expected output shown in the MS screenshots. However, this token doesn’t work on Zscaler’s “Partner Integration” page, which makes me think that the MCAS portal’s Security Extensions page is where I would need to generate the token.

My questions are the following:

  • Has anyone led a successful Zscaler - MCAS integration? If yes, how was the token generated?
  • Is the generated token the same one used in the Zscaler portal AND on the NSS server to send logs to MCAS?

Thanks for any feedback! :)

Cyril
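Since the question turns on which context a token was issued in (a PIM-activated user versus a registered application) and how long it lives, here is a small inspector for the kind of Azure AD access token Cyril describes. It is an added example, not code from the original post, from Microsoft or from Zscaler. It only base64url-decodes the claims and does not verify the signature, so it tells you what a token you already hold claims about itself, nothing more; it does not settle which token Zscaler’s Partner Integration page accepts. The claim names (`upn`, `scp`, `roles`, `exp`, `aud`) are the standard Azure AD ones; the sample tokens are constructed here with an empty signature, the role name is illustrative, and the audience value is the Defender for Cloud Apps app ID quoted in Microsoft’s “Create an app to access Microsoft Defender for Cloud Apps without a user” article.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Only decodes the middle segment. It does NOT verify the signature, so use
    it to inspect a token you already trust, never to authenticate one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims: dict) -> str:
    """Tell an app-only (client credentials) token from a delegated one.

    Azure AD app-only tokens carry the app's permissions in 'roles' and have
    no user identity ('upn') and no delegated scopes ('scp'); tokens issued in
    a user's context are the reverse. The decision rule is this example's.
    """
    if "upn" in claims or "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def seconds_until_expiry(claims: dict, now: Optional[float] = None) -> int:
    """Seconds until the 'exp' claim; negative means already expired."""
    now = time.time() if now is None else now
    return int(claims["exp"] - now)


def summarize(token: str, now: Optional[float] = None) -> dict:
    claims = decode_jwt_claims(token)
    return {
        "context": classify_token(claims),
        "audience": claims.get("aud"),
        "expires_in_s": seconds_until_expiry(claims, now),
    }


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed test token with alg 'none' and an empty signature.

    Real Azure AD tokens are RS256-signed; this exists only so the example
    runs offline.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed sample claims (not captured from any real tenant).
NOW = 1_700_000_000
MCAS_APP_ID = "05a65629-4c1b-48c1-a78b-804c4abdd4af"  # from the Microsoft article
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": MCAS_APP_ID,
    "upn": "cyril@example.com",          # user identity: delegated context
    "scp": "user_impersonation",
    "exp": NOW + 3600,
})
APP_TOKEN = make_unsigned_jwt({
    "aud": MCAS_APP_ID,
    "appid": "11111111-2222-3333-4444-555555555555",  # made-up app registration
    "roles": ["discovery.read"],         # illustrative app permission
    "exp": NOW + 3600,
})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("application", APP_TOKEN)):
        print(name, summarize(tok, NOW))
```

If `summarize()` reports `delegated` for the token you pasted into Zscaler, that token was minted in your own user context and inherits whatever happens to your account and its PIM-activated roles; `application` means it was issued to the app registration itself.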

Hi Cyril,

We successfully got the Zscaler / MCAS Integration going last year and the same token was used on the NSS server for automatic uploads. The curl command output showed the unsanctioned apps and was good to go.

It worked for 6+ months and then the token showed as invalid in the portal. We generated a new token which lasted a month and now each token we generate lasts a day or less. Zscaler believes the issue is on the MSFT end but waiting to hear back. We did generate the token as a Cloud App Global Admin but it still fails after some time.


Hi Raj,

Thanks for your feedback. It appears that you experience the same symptoms as I do. Does the account that created the token have Global Admin rights for Cloud Apps from Azure AD? If yes, does it have Just in Time access activated?
On my side, I’ve now added my account directly into Defender for Cloud Apps as Global Admin. More specifically, I needed to ask a colleague who is an admin of Cloud Apps to do it for me, because when you try to assign the rights yourself, MS refuses since the account already has Global Admin rights through the “Security Administrator” role in Azure AD.
Since Monday, the token doesn’t expire anymore, confirming my supposition. This workaround works but is, in my view, not the best, as the token is still linked to an admin account and that account now has 24x7 rights, expanding the attack surface.
I’ve replied to Zscaler Support about this, but no other solution could be proposed so far. I will keep it like this for the moment.

Cheers!