Zscaler App login issue -- uses my Infosys account even when I give my client account

When logging in to the Zscaler app installed on my company's machine, it picks my company account instead of the client account I am trying to use when logging in…

I clearly enter my client email ID and hit login, but it automatically picks my Infosys account and throws this AAD error: AADSTS50177: User account ‘**********@ad.infosys.com’ from identity provider ‘https://sts.windows.net/63ce7d59-2f3e-42cd-a8cc-be764cff5eb6/’ does not exist in tenant ‘XX’ and cannot access the application ‘zscloud.net’(Zscaler) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account…

Has this happened to anyone?


Hi @sumanthdandaboina, I can think of a few things that may be happening here, but all will require more diagnostics. Do you have a support ticket open? They are best placed to help you resolve this.


Hey @skottieb, I already opened one. I got the advice that I have to add my company domain as a tenant in our client's Azure in order to accept this, OR I have to wait until April, when Zscaler plans to release a new update that will support multiple domains.
Ticket # 02338424 for reference.

For users with multiple Azure AD identities, when Zscaler requests an identity ticket, is there a way to “hint” to the user’s browser which identity provider it should retrieve the identity ticket from? Today it looks like my browser is simply sending whatever identity I used last, which is often not the identity that Zscaler is looking for.

IIRC, adding whr=<userdomain.com> to the IdP config URL should get AAD to select the correct tenant.

Is there any solution for this issue? I am also facing the same issue: it directly takes my company O365 login instead of the customer login and shows the same error.

We are also facing the same issue. Has any solution been identified?

Found a solution:
You have to add your client email account under “Email & app accounts”, which will resolve the issue. Once you add the client account there, it will start prompting you to select which account to use everywhere Azure authentication is present.

Note: This option to add the client email account is only available from OS build versions 1809 and 1909.

Thank you so much, it worked, but I am unable to configure both tenant O365 IDs under the “Add a work or school account” option. Tested on build version 1909.

You can configure it; this will not make any difference… we are only adding an email account here. Only Microsoft O365 apps will be using the client ID you added.

Sometimes this solution didn't work; it seems to be an intermittent problem, see: Zscaler App tries to authenticate wrong tenant id

Yes… Microsoft's behavior is unpredictable… No answer from them either when they were asked about this…

I tried the solution suggested by @skottieb. It satisfies the requirement: Zapp always picks the user domain on a domain-registered laptop and triggers the option to input the user ID on a third-party laptop.

SAML Url: https://login.microsoftonline.com/<–Request Id–>/saml2/whr=<userdomain.com>

However, there is a catch. We could edit the SAML URL in the ZIA portal, whereas we are unable to edit the SAML URL in the ZPA portal. In the case of ZPA, we need to completely reconfigure the SAML configuration, which requires downtime.
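As an added example (not code from this thread, from Zscaler, or from Microsoft), the following Python builds the Azure AD SAML IdP URL with the `whr` home-realm hint discussed above, checks that the hint actually matches the domain of the user who is meant to sign in, and pulls the user domain and source tenant out of an AADSTS50177 message so a mismatch can be spotted before anyone edits the portal. It assumes the hint is passed as a query parameter (`/saml2?whr=<domain>`), which is the form used on `login.microsoftonline.com` endpoints. The tenant ID `11111111-2222-3333-4444-555555555555`, the domain `client.example`, and the sample error text (modelled on the one quoted at the top of the thread, with a made-up user) are constructed placeholders, not real values.

```python
"""Build an Azure AD SAML IdP URL carrying a whr (home-realm) hint and check it
against the signing-in user's UPN.  Added example; not Zscaler's or Microsoft's code."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

AAD_LOGIN = "https://login.microsoftonline.com"

# Azure AD tenant IDs are GUIDs; DNS names are lower-case labels joined by dots.
_TENANT_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_DNS_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

# AADSTS50177 as quoted in the thread uses curly quotes; accept straight ones too.
_QUOTE = "['‘’]"
_NOT_QUOTE = "[^'‘’]+"
_AADSTS50177_RE = re.compile(
    f"AADSTS50177: User account {_QUOTE}(?P<upn>{_NOT_QUOTE}){_QUOTE} from identity provider "
    f"{_QUOTE}(?P<idp>{_NOT_QUOTE}){_QUOTE} does not exist in tenant {_QUOTE}(?P<tenant>{_NOT_QUOTE}){_QUOTE}"
)

# Constructed sample error (made-up user, tenant masked as 'XX' like the original post).
SAMPLE_ERROR = (
    "AADSTS50177: User account 'someone@ad.infosys.com' from identity provider "
    "'https://sts.windows.net/63ce7d59-2f3e-42cd-a8cc-be764cff5eb6/' does not exist in "
    "tenant 'XX' and cannot access the application 'zscloud.net'(Zscaler) in that tenant."
)


def is_tenant_id(value: str) -> bool:
    return bool(_TENANT_RE.match(value.strip().lower()))


def is_dns_name(value: str) -> bool:
    return bool(_DNS_RE.match(value.strip().lower()))


def build_saml_idp_url(tenant_id: str, whr_domain: str) -> str:
    """Return <AAD_LOGIN>/<tenant>/saml2?whr=<domain>, refusing malformed input."""
    tenant_id, whr_domain = tenant_id.strip().lower(), whr_domain.strip().lower()
    if not is_tenant_id(tenant_id):
        raise ValueError(f"not an Azure AD tenant ID: {tenant_id!r}")
    if not is_dns_name(whr_domain):
        raise ValueError(f"not a DNS domain: {whr_domain!r}")
    return f"{AAD_LOGIN}/{tenant_id}/saml2?" + urlencode({"whr": whr_domain})


def hint_from_url(url: str):
    """Extract the whr hint from an IdP URL, or None if it carries no query hint.
    A URL written as .../saml2/whr=domain has no query string and yields None."""
    values = parse_qs(urlsplit(url).query).get("whr")
    return values[0].strip().lower() if values else None


def upn_domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].strip().lower()


def hint_matches_upn(url: str, upn: str) -> bool:
    """True only if the URL carries a hint and it equals the user's UPN domain."""
    hint = hint_from_url(url)
    return hint is not None and hint == upn_domain(upn)


def parse_aadsts50177(text: str):
    """Pull user, user domain, source tenant (from the sts.windows.net URL) and
    target tenant out of an AADSTS50177 message; None if the text is not one."""
    m = _AADSTS50177_RE.search(text)
    if not m:
        return None
    return {
        "upn": m["upn"],
        "upn_domain": upn_domain(m["upn"]),
        "idp_tenant": urlsplit(m["idp"]).path.strip("/"),
        "target_tenant": m["tenant"],
    }


if __name__ == "__main__":
    url = build_saml_idp_url("11111111-2222-3333-4444-555555555555", "client.example")
    print(url)
    err = parse_aadsts50177(SAMPLE_ERROR)
    print("error came from domain", err["upn_domain"], "tenant", err["idp_tenant"])
    print("hint matches that user:", hint_matches_upn(url, err["upn"]))
```

Running the script shows the point of the hint: the constructed error was raised for a user in `ad.infosys.com`, so a URL hinting `client.example` does not match that user, which is exactly the situation the original poster hit when the browser reused the last-used identity. Checking `hint_matches_upn` for the intended client user before changing the ZIA/ZPA SAML URL avoids the reconfiguration-and-downtime round trip described above.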