
Configure Zscaler ZSCloud for automatic user provisioning with Microsoft Entra ID

In this article, you learn how to configure Microsoft Entra ID to automatically provision and deprovision users and/or groups to Zscaler ZSCloud.

Note

This article describes a connector that's built on the Microsoft Entra user provisioning service. For important details on what this service does and how it works, and answers to frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.

Prerequisites

To complete the steps outlined in this article, you need the following:

  • A Microsoft Entra user account with an active subscription. If you don't already have one, you can Create an account for free.
  • One of the following roles:
      • Application Administrator
      • Cloud Application Administrator
      • Application Owner

  • A Zscaler ZSCloud tenant.
  • A user account in Zscaler ZSCloud with admin permissions.

Note

The Microsoft Entra provisioning integration relies on the Zscaler ZSCloud SCIM API, which is available for Enterprise accounts.

Before you configure Zscaler ZSCloud for automatic user provisioning with Microsoft Entra ID, you need to add Zscaler ZSCloud from the Microsoft Entra application gallery to your list of managed SaaS applications.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Entra ID > Enterprise apps > New application.

    Screenshot of Enterprise applications.

  3. In the search box, enter Zscaler ZSCloud.

  4. Select Zscaler ZSCloud in the results and then select Add.

    Screenshot of Results list.

Step 2: Assign users to Zscaler ZSCloud

Microsoft Entra users need to be assigned access to selected apps before they can use them. In the context of automatic user provisioning, only the users or groups that are assigned to an application in Microsoft Entra ID are synchronized.

Before you configure and enable automatic user provisioning, you should decide which users and/or groups in Microsoft Entra ID need access to Zscaler ZSCloud. After you decide that, you can assign these users and groups to Zscaler ZSCloud by following the instructions in Assign a user or group to an enterprise app.

Important tips for assigning users to Zscaler ZSCloud

  • We recommend that you first assign a single Microsoft Entra user to Zscaler ZSCloud to test the automatic user provisioning configuration. You can assign more users and groups later.

  • When you assign a user to Zscaler ZSCloud, you need to select any valid application-specific role (if available) in the assignment dialog box. Users with the Default Access role are excluded from provisioning.

Step 3: Set up automatic user provisioning

This section guides you through the steps for configuring the Microsoft Entra provisioning service to create, update, and disable users and groups in Zscaler ZSCloud based on user and group assignments in Microsoft Entra ID.

Tip

You might also want to enable SAML-based single sign-on for Zscaler ZSCloud. If you do, follow the instructions in the Zscaler ZSCloud single sign-on article. Single sign-on can be configured independently of automatic user provisioning, but the two features complement each other.

Note

When users and groups are provisioned or de-provisioned, we recommend that you periodically restart provisioning to ensure that group memberships are properly updated. A restart forces our service to re-evaluate all the groups and update the memberships.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Entra ID > Enterprise apps > Zscaler ZSCloud.

  3. Select the Provisioning tab:

    Screenshot of Zscaler ZSCloud Provisioning.

  4. Select + New configuration.

    Screenshot of new configuration.

  5. In the Admin Credentials section, enter the Tenant URL and Secret Token of your Zscaler ZSCloud account, as described in the next step.

  6. To get the Tenant URL and Secret Token, go to Administration > Authentication Settings in the Zscaler ZSCloud portal and select SAML under Authentication Type:

    Screenshot of Zscaler ZSCloud Authentication Settings.

  7. Select Configure SAML to open the Configure SAML window:

    Screenshot of Configure SAML window.

  8. Select Enable SCIM-Based Provisioning and copy the Base URL and Bearer Token, and then save the settings. In the Azure portal, paste the Base URL into the Tenant URL box and the Bearer Token into the Secret Token box.

  9. After you enter the values in the Tenant URL and Secret Token boxes, select Test Connection to make sure Microsoft Entra ID can connect to Zscaler ZSCloud. If the connection fails, make sure your Zscaler ZSCloud account has admin permissions and try again.

    Screenshot of Token.

  10. Select Create to create your configuration.

  11. Select Properties on the Overview page.

  12. Select the Edit icon to edit the properties. Enable notification emails and provide an email to receive quarantine notifications. Enable Accidental deletions prevention. Select Apply to save the changes.

    Screenshot of Provisioning properties.

  13. Select Attribute Mapping in the left panel and select Users.

  14. Review the user attributes that are synchronized from Microsoft Entra ID to Zscaler ZSCloud in the Attribute Mappings section. The attributes selected as Matching properties are used to match the user accounts in Zscaler ZSCloud for update operations. Select Save to commit any changes.

    Attribute Type Supported for filtering Required by Zscaler ZSCloud
    userName String
    externalId String
    active Boolean
    name.givenName String
    name.familyName String
    displayName String
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department String

  15. Select Groups.

  16. Review the group attributes that are synchronized from Microsoft Entra ID to Zscaler ZSCloud in the Attribute Mappings section. The attributes selected as Matching properties are used to match the groups in Zscaler ZSCloud for update operations. Select Save to commit any changes.

    Attribute Type Supported for filtering Required by Zscaler ZSCloud
    displayName String
    members Reference
    externalId String ✓

  17. To configure scoping filters, refer to the instructions provided in the Scoping filter article.

  18. Use on-demand provisioning to validate sync with a small number of users before deploying more broadly in your organization.

  19. When you're ready to provision, select Start Provisioning from the Overview page.
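The following is an added example, not code from Microsoft or Zscaler: it builds SCIM 2.0 (RFC 7644) messages that correspond to the user attribute mappings and the Bearer Token configured above, which is useful when reviewing what leaves the tenant. The base URL, the token, the sample user and its source attribute names are placeholders and assumptions, and the exact wire format used by either service may differ.

```python
from urllib.parse import quote

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample user; the source attribute names are assumptions.
ENTRA_USER = {
    "userPrincipalName": "alice@example.com", "mailNickname": "alice",
    "accountEnabled": True, "displayName": "Alice Example",
    "givenName": "Alice", "surname": "Example", "department": "Finance",
}

def auth_headers(token):
    """Headers carrying the Secret Token (Bearer Token) from the SAML settings."""
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json"}

def match_query(base_url, user_name):
    """URL of the lookup that matches an existing account on userName."""
    # SCIM filter values follow JSON string rules: escape backslash and quote.
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    flt = f'userName eq "{escaped}"'
    return f"{base_url.rstrip('/')}/Users?filter={quote(flt)}"

def create_body(user):
    """POST /Users body limited to the attributes in the mapping table."""
    return {
        "schemas": [CORE_USER, ENTERPRISE],
        "userName": user["userPrincipalName"],
        "externalId": user["mailNickname"],
        "active": user["accountEnabled"],
        "displayName": user["displayName"],
        "name": {"givenName": user["givenName"],
                 "familyName": user["surname"]},
        ENTERPRISE: {"department": user["department"]},
    }

def disable_body():
    """PATCH /Users/{id} body that deactivates an account on deprovisioning."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

if __name__ == "__main__":
    base = "https://scim.example.invalid/base"   # placeholder Base URL
    print(match_query(base, ENTRA_USER["userPrincipalName"]))
    print(auth_headers("PLACEHOLDER_TOKEN"), create_body(ENTRA_USER), disable_body())
```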

Step 4: Monitor your deployment

Once you configure provisioning, use the following resources to monitor your deployment:

  1. Use the provisioning logs to determine which users are provisioned successfully or unsuccessfully.
  2. Check the progress bar to see the status of the provisioning cycle and how close it is to completion.
  3. If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states in the application provisioning quarantine status article.
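As an added example (not part of the original article), the script below triages exported provisioning log records and lists users whose most recent disable or delete attempt against Zscaler ZSCloud failed, since those accounts may still be active in the target. The records are constructed samples shaped like Microsoft Graph provisioning log entries; the helper names, user names and error reasons are made up.

```python
from collections import Counter

# Constructed sample records (provisioningObjectSummary shape).
def _rec(time, action, status, user, target="Zscaler ZSCloud", reason=None):
    info = {"status": status}
    if reason:
        info["errorInformation"] = {"reason": reason}
    return {"activityDateTime": time, "provisioningAction": action,
            "provisioningStatusInfo": info,
            "sourceIdentity": {"displayName": user},
            "targetSystem": {"displayName": target}}

SAMPLE_LOGS = [
    _rec("2024-05-01T08:00:00Z", "create", "success", "alice@example.com"),
    _rec("2024-05-01T09:00:00Z", "disable", "failure", "bob@example.com",
         reason="constructed: target returned HTTP 500"),
    _rec("2024-05-01T09:30:00Z", "disable", "failure", "carol@example.com",
         reason="constructed: invalid bearer token"),
    _rec("2024-05-01T10:00:00Z", "disable", "success", "bob@example.com"),
    _rec("2024-05-01T10:05:00Z", "update", "skipped", "dave@example.com"),
    _rec("2024-05-01T10:10:00Z", "disable", "failure", "eve@example.com",
         target="Other App", reason="constructed"),
]

REMOVAL_ACTIONS = {"disable", "delete", "stagedDelete"}

def triage(records, target="Zscaler ZSCloud"):
    """Return (count per (action, status), users whose latest removal failed)."""
    counts, pending = Counter(), {}
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for r in sorted(records, key=lambda r: r["activityDateTime"]):
        if r.get("targetSystem", {}).get("displayName") != target:
            continue
        action = r.get("provisioningAction", "other")
        info = r.get("provisioningStatusInfo", {})
        status = info.get("status", "unknown")
        counts[(action, status)] += 1
        if action not in REMOVAL_ACTIONS:
            continue
        user = r.get("sourceIdentity", {}).get("displayName", "?")
        if status == "success":
            pending.pop(user, None)  # a later retry succeeded
        elif status == "failure":
            pending[user] = info.get("errorInformation", {}).get("reason", "")
    return counts, pending

if __name__ == "__main__":
    counts, pending = triage(SAMPLE_LOGS)
    for user, reason in pending.items():
        print(f"removal not confirmed: {user}: {reason}")
```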
