icon-unified.svg
Experience Center

SCIM Configuration Guide for Microsoft Azure AD

This guide provides information on how to set up Microsoft Azure Active Directory (AD) to use SCIM in Private Applications. This configuration information is different from setting up Azure AD as an IdP for Private Applications.

Prerequisites

Ensure that you have:

  • A premium Azure AD subscription
  • An existing directory in Azure AD
  • A Private Applications account with an administrator role that allows you to add a SCIM Configuration

Configuring SCIM for Identity Management

Using SCIM allows you to quickly remove users from Private Applications when you delete them in your user directory. To use SCIM, you must configure it in Azure AD.

The following procedure applies to SCIM configurations for Private Applications in Azure AD. You need to begin the SCIM configuration process in the Admin Portal to get the required information in steps 5 and 6.

  1. Log in to the Azure portal and go to Azure Active Directory > Enterprise applications in the left-side navigation.
  2. Click All applications, then click the Zscaler Private Access (ZPA) application you added (in steps 1 to 4) as part of configuring Azure as an IdP. To learn more, see Configuration Guide for Microsoft Azure AD.
  3. Click Provisioning in the left-side navigation.
  4. Select Automatic from the Provisioning Mode drop-down menu.
  5. In the Tenant URL field, enter the SCIM Service Provider Endpoint that is provided when enabling SCIM in the Admin Portal.
  6. In the Secret Token field, enter the Bearer Token that is provided when enabling SCIM in the Admin Portal.
  7. Click Test Connection. The Azure Active Directory attempts to connect to the SCIM endpoint. When the connection is successful, a verification message appears.
    If the attempt fails, error information is displayed. Resolve any errors before moving forward.
  8. Click Save after a successful connection to save your credentials.
  9. Set the Provisioning Status to On.
  10. Set the Scope to Sync only assigned users and groups.
  11. Click Save again to start the Azure AD provisioning service.

After SCIM is enabled, Zscaler checks if a user is present in the SCIM database. Based on this information, Zscaler decides if the user is allowed or blocked access to Private Applications. Customers need to ensure SCIM user sync is complete prior to enabling SCIM policies for these users, otherwise the Private Applications service does not recognize the users and evaluate policies for them. After SCIM Sync is enabled, Zscaler recommends waiting a minimum of 48 hours, or up to a week, before enabling SCIM policies. It can take up to several days for the IdP to completely sync all user information to Private Applications. Zscaler recommends that SCIM Sync be enabled in advance, prior to enabling SCIM Attributes for Policy. To learn more, see Enabling SCIM for Identity Management.

Related Articles
SCIM Configuration Guide for OktaSCIM Configuration Guide for Microsoft Azure AD