Secure Internet and SaaS Access (ZIA)
Authorizing a Custom Zscaler Connector for Microsoft Applications
The Zscaler service supports custom, client-side connector onboarding for access to the following Microsoft applications: Exchange, Microsoft Information Protection (MIP) Labels, OneDrive, SharePoint, Microsoft Azure Blob Storage, and Teams. With this functionality, instead of requiring full administrator credentials, the Zscaler service can use a minimum set of credentials to access your Microsoft applications.
When you create a custom connector for a Microsoft application, you must provide the Client ID, Client Secret, and Tenant ID in the ZIA Admin Portal so that the Zscaler service can access the application.
To create a custom connector for a Microsoft application:
- 1. Create the custom connector and client secret.
This section covers how to register your ZIA API client application in Microsoft Entra ID and configure the client credentials.
- a. Register the application or service.
- Sign in to the Azure portal.
- In the Azure Services section, click App registrations.
The App registrations page is displayed.
- Click New registration.
The Register an application window opens.
- In the Register an application window:
- Name: Enter a name for the application that is representative of the Zscaler connection you are creating (e.g., Zscaler OneDrive Connector).
- Supported account types: Ensure that this option is set to Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
- Redirect URI (optional): Select Web as the platform, then provide the URL of your ZIA Admin Portal (e.g., https://admin.zscalertwo.net/). Save the URL for later use.
- Click Register.
The application is registered and the application's Overview page is displayed. Copy the Application (client) ID and Directory (tenant) ID values from the Overview page and save them for later use.
- b. Configure and copy the client secret.
- Go to Certificates & secrets in the left-side navigation of the app and then click New client secret on the Client secrets tab.
The Add a client secret pane opens.
- In the Add a client secret pane:
- Description: Enter a description for the client secret.
- Expires: Select the appropriate expiration time from the drop-down menu.
- Click Add.
The client secret value is generated and displayed.
- Copy the secret value immediately and save it for later use.
The client secret value is displayed only once and cannot be retrieved after you navigate away from the page.
- 2. Generate API permissions for the connector.
You must assign specific API permissions for each Microsoft connector you create for the Zscaler service.
- Go to API permissions in the left-side navigation and then click Add a permission under Configured permissions.
The Request API permissions pane is displayed.
- On the Microsoft APIs tab, click the API for which you want to assign permissions (e.g., Microsoft Graph). To learn more, see the complete list of API permissions below.
- Click Application permissions.
- In the Select permissions list, select each permission that the connector requires.
- Click Add permissions.
The permissions appear in the Configured permissions list on the API permissions page.
- If admin consent is required (e.g., for SharePoint permissions), select Grant admin consent.
- In the Grant admin consent confirmation window, select Yes.
- 3. Add role assignments (for Microsoft Azure Blob Storage only).
If you are setting up a custom connector for Microsoft Azure Blob Storage, you must add additional role assignments in Azure to ensure that the Zscaler service can properly access the application.
- Go to Azure Services > Enterprise Applications.
- Copy the Tenant ID and the Application name matching the Application (client) ID from when you created the custom connector and client secret.
- Go back to the Azure portal home page, then go to Subscriptions and select your subscription.
- Go to Access Control (IAM) > Role Assignments > Add > Add role assignment.
- Search for Storage Contributor. Select Storage Blob Data Contributor and Storage Account Contributor, and then click Next. You must do this separately for each role.
- Click Select members and add the application as a member of Storage Blob Data Contributor and Storage Account Contributor, then select Review + assign.
- 4. Create Private Key JSON file (Microsoft SharePoint only).
If you are adding SharePoint as a SaaS Application tenant to ZIA, you need to create a private key JSON file and upload your public certificate to Azure.
- a. Create a self-signed certificate.
- Open the terminal on your computer and execute the following command to generate a self-signed RSA certificate in a PKCS#12 keystore:
```shell
keytool -genkey -alias selfsigned -keyalg RSA -keypass <keypassword> -storepass <keystorepass> -keystore keystore.pfx -keysize 2048 -validity 1461
```
Enter your custom information when prompted and press Enter.
- Execute the following command to export the certificate from the keystore:
```shell
keytool -export -keystore keystore.pfx -alias selfsigned -file keystore.cer
```
Enter the keystore password that you set in the first command.
You will now have two files ready: keystore.pfx and keystore.cer.
- b. Upload the certificate file to the created client connector.
- In the Azure portal, go to App registrations and click the client connector you created. In the left-side navigation, go to Manage > Certificates & secrets.
- Click the Certificates tab and then click Upload certificate.
- In the Description field, enter a description for the certificate.
- Upload the public certificate CER file and click Add.
- c. Create a private key JSON file.
- Go to the certificate you uploaded in the Azure portal. For help viewing it, refer to the Microsoft documentation.
- Enter and run the following command on the PFX file to obtain the public certificate in PEM format, where <certname> is the name of the keystore (PFX) file from the previous step; the -clcerts -nokeys options limit the output to the certificate. The command asks for the keystore password that you set in a previous step:
```shell
openssl pkcs12 -in <certname>.pfx -clcerts -nokeys
```
- Enter and run the following command to obtain your decrypted private key (-nodes writes it without a passphrase). Replace <private_key_file> with an output file name of your choice:
```shell
openssl pkcs12 -in <certname>.pfx -nocerts -nodes -out <private_key_file>
```
- Create a new file with the following format and paste in the private key and certificate:
```json
{"private_key": "<Private Key>", "public_cert": "<Certificate>"}
```
Format the private key and the certificate each as a single line between the quotation marks. Enter \n for every line break from the original PEM formatting, as in the following example:
```json
{ "private_key":"-----BEGIN PRIVATE KEY-----\nXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXX\n-----END PRIVATE KEY-----\n", "public_cert":"-----BEGIN CERTIFICATE-----\nXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXX\nXXXXXXXXXXXXXXXXXX\n-----END CERTIFICATE-----\n" }
```
- Save the file in the JSON format.
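Hand-escaping a multi-line key is error-prone, so here is an added Python helper (not part of the Zscaler documentation) that builds the file from the saved output of the two openssl commands above: it keeps only the PEM blocks (openssl prefixes them with Bag Attributes and subject= lines that must not be pasted), refuses a key that is still encrypted, normalises CRLF line endings, and lets json.dumps produce the \n escapes. The sample openssl outputs in the block are constructed placeholders.

```python
"""Build the ZIA SharePoint private-key JSON from raw openssl pkcs12 output.
Added example; not part of the Zscaler documentation."""
import json
import re

# Unencrypted key labels that "openssl pkcs12 -nocerts -nodes" can emit.
KEY_TYPES = ("PRIVATE KEY", "RSA PRIVATE KEY")
CERT_TYPES = ("CERTIFICATE",)

# One PEM block; BEGIN and END labels must agree. CRLF is tolerated because
# the PFX may have been handled on Windows.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def extract_pem(raw: str, wanted: tuple) -> str:
    """Return the first PEM block labelled with one of `wanted`, re-emitted
    with LF line endings and a trailing newline. openssl's "Bag Attributes"
    and "subject=" preamble lines are skipped: they are not part of the PEM."""
    seen = []
    for m in PEM_BLOCK.finditer(raw):
        label, body = m.group(1), m.group(2)
        seen.append(label)
        if label in wanted:
            lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
            return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
                    + f"\n-----END {label}-----\n")
    if "ENCRYPTED PRIVATE KEY" in seen:
        raise ValueError("private key is still encrypted; re-run openssl with -nodes")
    raise ValueError(f"no {wanted} block found; input must be PEM, not DER")


def build_key_json(key_output: str, cert_output: str) -> str:
    """Return the one-line JSON; json.dumps turns each newline into a \\n escape."""
    key = extract_pem(key_output, KEY_TYPES)
    cert = extract_pem(cert_output, CERT_TYPES)
    return json.dumps({"private_key": key, "public_cert": cert})


# Constructed samples of what the two openssl commands print (placeholder base64).
SAMPLE_KEY_OUTPUT = ("Bag Attributes\n    friendlyName: selfsigned\n"
                     "Key Attributes: <No Attributes>\n"
                     "-----BEGIN PRIVATE KEY-----\r\nAAAA\r\nBBBB\r\n-----END PRIVATE KEY-----\r\n")
SAMPLE_CERT_OUTPUT = ("Bag Attributes\n    friendlyName: selfsigned\n"
                      "subject=CN=selfsigned\nissuer=CN=selfsigned\n"
                      "-----BEGIN CERTIFICATE-----\nCCCC\nDDDD\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Replace the samples with the saved stdout of the openssl commands.
    print(build_key_json(SAMPLE_KEY_OUTPUT, SAMPLE_CERT_OUTPUT))
```

The resulting file holds the unencrypted private key, so store and transfer it with the same care as the client secret.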
- 5. Authorize the custom connector.
To authorize a custom connector, you must first manually update the Azure login URL to grant permissions for the application on the tenant. After that, you must provide the Client ID, Client Secret, and Tenant ID in the ZIA Admin Portal so that the Zscaler service can access the application. You can create custom connectors for Microsoft SaaS application tenants or for MIP accounts.
- Creating a Custom Connector for a SaaS Application Tenant
- In the ZIA Admin Portal, go to Administration > SaaS Application Tenants.
- Click Add SaaS Application Tenant.
The Add SaaS Application Tenant page is displayed.
- Under Choose the SaaS Application Provider, select a Microsoft SaaS application.
- In the Tenant Name field, provide a name.
- Copy the following URL and paste it in a separate browser tab:
https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>&state=administration/add-casb-tenants&redirect_uri=<redirect_uri>
- In the URL, replace the client_id parameter value with the Application (client) ID that you copied earlier, and replace the redirect_uri parameter value with the Redirect URI that you copied earlier.
- Press Enter on your keyboard.
A Microsoft window appears listing the permissions requested by the Zscaler service.
- Click Accept.
You return to the Add SaaS Application Tenant page.
- In the Authorize the SaaS Application section, select Custom for the SaaS Connector.
- Enter the values for the Client ID, Client Secret, and Tenant ID that you copied earlier, then click Authorize.
If you're onboarding SharePoint, also upload the JSON file you created and formatted in the previous section.
- In the ZIA Admin Portal, click Save and activate the change.
After adding the tenants, you can configure the Data at Rest Scanning DLP policy, Malware Detection policy, and Scan Configuration. You can also view reports and data for the tenants in the SaaS Security Report, Insights, and Logs.
- Creating a Custom Connector for an MIP Account
- Go to Administration > Labels and Tags.
- In the Microsoft Information Protection (MIP) Labels tab, click Add MIP Account.
The Add MIP Account window appears.
- Copy the following URL and paste it in a separate browser tab:
https://login.microsoftonline.com/common/adminconsent?client_id=<client_id>&state=administration/mip-labels&redirect_uri=<redirect_uri>
- In the URL, replace the client_id parameter value with the Application (client) ID that you copied earlier, and replace the redirect_uri parameter value with the Redirect URI that you copied earlier.
- Press Enter on your keyboard.
A Microsoft window appears listing the permissions requested by the Zscaler service.
- Click Accept.
- Return to the Add MIP Account window.
- Select Custom for the SaaS Connector.
- Enter the values for the Client ID, Client Secret, and Tenant ID that you copied earlier, then click Validate.
The Add MIP Account window reappears, displaying the next window for account details.
- In the Add MIP Account window, under Account Name, enter a name you want to associate with the Microsoft account. It must be unique.
- Click Save and activate the change.
The MIP account is added to the ZIA Admin Portal. The MIP Account displays a status of Validation Successful if the account is authorized. It displays a status of Validation Failed if the account is not authorized. If the status on the MIP account is Validation Failed, you can try the authorization process again by clicking Reauthorize on the Edit MIP Account window.
- Change the Label Retrieval field for the MIP account.
When creating custom connectors, provide the following application-specific API permissions to ensure that the Zscaler service has the access it needs.
- API Permissions for Microsoft Applications
In the following API tables, each distinct entry in the Microsoft API column is a separate API that you must select on the Request API permissions page. For example, Azure Blob Storage requires selecting the same user_impersonation permission under both Azure Storage and Windows Azure Service Management.
- Exchange

| Microsoft API | Microsoft Permissions | Associated Zscaler Actions |
|---|---|---|
| Microsoft Graph APIs | Mail.ReadWrite | Apply Email Tag Label |
| | MailboxSettings.Read | Scanning |
| | Directory.Read.All | Scanning |
| | User.Read.All | Scanning |
| | Mail.Send | Quarantine |
| | Organization.Read.All | Scanning |
| | AuditLog.Read.All | Scanning |
| | Member.Read.Hidden | Scanning |
| | Reports.Read.All | Scanning |

- Microsoft Azure Blob Storage

| Microsoft API | Microsoft Permissions | Associated Zscaler Actions |
|---|---|---|
| Azure Storage API | user_impersonation | Discover Storage Account; Scanning |
| Windows Azure Service Management API | user_impersonation | Discover Storage Account; Scanning |

- Microsoft Information Protection (MIP)

| Microsoft API | Microsoft Permissions | Associated Zscaler Actions |
|---|---|---|
| Microsoft Graph API | InformationProtectionPolicy.Read.All | Scanning |
| Microsoft Information Protection Sync Service API | UnifiedPolicy.Tenant.Read | Scanning |
| Microsoft Rights Management Services APIs | Content.DelegatedWriter | Apply MIP Labels to File |
| | Content.Writer | Apply MIP Labels to File |
| | Content.SuperUser | Scanning |
| | Content.DelegatedReader | Scanning |

- OneDrive

| Microsoft API | Microsoft Permissions | Associated Zscaler Actions |
|---|---|---|
| Office 365 Management API | ActivityFeed.Read | Scanning |
| Microsoft Graph | People.Read.All | Scanning |
| | Group.Read.All | Scanning |
| | Sites.Manage.All | Scanning and Quarantine |
| | Sites.ReadWrite.All | Remove Sharing; Restore Quarantined File; Remove External Collaborators; Remove External Collaborators and Shareable Link; Remove Public Shareable Link; Remove Internal Shareable Link; Quarantine; Quarantine to User Root Folder; Remove File |
| | Files.ReadWrite.All | Scanning and Quarantine; Quarantine to User Root Folder |
| | Directory.Read.All | Scanning |
| | GroupMember.Read.All | Scanning |
| | Organization.Read.All | Scanning |
| | AuditLog.Read.All | Scanning |
| | Application.Read.All | Scanning |
| | Reports.Read.All | Scanning |

- SharePoint

- Teams

| Microsoft API | Microsoft Permissions | Associated Zscaler Actions |
|---|---|---|
| Office 365 Management APIs | ActivityFeed.Read | Scanning |
| Microsoft Graph APIs | TeamMember.Read.All | Scanning |
| | Chat.UpdatePolicyViolation.All | Block Message |
| | TeamsAppInstallation.ReadForUser.All | Scanning |
| | TeamsAppInstallation.ReadWriteSelfForUser.All | Notify User (Zscaler Workflow Automation) |
| | TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Notify User (Zscaler Workflow Automation) |
| | Sites.Selected | Scanning |
| | TeamsActivity.Read.All | Scanning |
| | TeamsAppInstallation.ReadForChat.All | Scanning |
| | ChannelSettings.Read.All | Scanning |
| | Channel.ReadBasic.All | Scanning |
| | People.Read.All | Scanning |
| | Group.Read.All | Scanning |
| | Sites.Read.All | Scanning |
| | Sites.ReadWrite.All | Remove Sharing; Restore Quarantined File; Remove External Collaborators; Remove External Collaborators and Shareable Link; Remove Public Shareable Link; Remove Internal Shareable Link; Quarantine; Quarantine to User Root Folder; Remove File |
| | ChatMessage.Read.All | Scanning |
| | Directory.Read.All | Scanning |
| | User.Read.All | Scanning |
| | ChannelMember.Read.All | Scanning |
| | GroupMember.Read.All | Scanning |
| | Files.Read.All | Scanning |
| | Team.ReadBasic.All | Scanning |
| | Chat.Read.All | Scanning |
| | ChannelMessage.Read.All | Scanning |
| | ChannelMessage.UpdatePolicyViolation.All | Notify User (Zscaler Workflow Automation); Notify User |
| | Organization.Read.All | Scanning |
| | AuditLog.Read.All | Scanning |
| | Chat.ReadBasic.All | Scanning |
| | Application.Read.All | Scanning |
| | ChatMember.Read.All | Scanning |
| | TeamsAppInstallation.ReadForTeam.All | Notify User (Zscaler Workflow Automation) |
| | Reports.Read.All | Scanning |