Secure Internet and SaaS Access (ZIA)

Integrating with Microsoft Azure

You can connect your Microsoft Azure organization to Zscaler 3rd-Party App Governance to gain continuous visibility and governance for third-party apps installed in the Microsoft Azure environment, including automation of your vetting and governance processes.

Prerequisite

A user with Global Administrator privileges is required to connect 3rd-Party App Governance to Microsoft Azure and Office 365.

Connecting Microsoft Azure to 3rd-Party App Governance

To connect Microsoft Azure to 3rd-Party App Governance:

  1. Click the Connect icon in the left-side navigation.

The Integrations window appears.

  2. In the Integrations window, click Add next to Azure AD. You are prompted to sign in if you haven't already done so.

A consent window appears.

  3. Click Accept. Do not select Consent on behalf of your organization; that option grants consent for every user in the tenant, and the integration is meant to operate with delegated permissions rather than application permissions. All permissions requested at this step are read-only. See Permissions and Data Collected below for the full list of permissions and the data each one provides.

This consent step grants read access to the apps in your tenant only. Revoking or banning apps requires additional consent steps. By default, 3rd-Party App Governance users who are not explicitly granted revocation rights cannot perform revoke operations.

After the connection is established, pulling and ingesting all relevant application data can take a while depending on the size of your tenant. During this time, a message indicates that the domain is still being processed. When the integration completes, a success message appears and the number of domains is updated. Zscaler then emails you when the domain is ready for review. To learn more about the integration statuses of a domain, see Status.

Viewing and Managing Microsoft Azure Integration

You can click Microsoft Azure in the Integrations window to expand and view the list of added domains along with information such as First connected, Last Synced, and Status.

  • Domain: The name of the domain integrated with 3rd-Party App Governance.
  • First connected: The date and time the domain was added, and the person who added the domain.
  • Last Synced: The date and time the domain was last synced. If the domain has not yet synced, N/A is displayed. If a sync has taken an unusually long time, the Last Synced value is highlighted in red.

When multiple domains are connected, the collapsed view shows the longest-overdue Last Synced value, so a problem is visible before you expand the list to find the affected domain and take action.

  • Status: The integration status of the domain. One of the following statuses is displayed:
    • Error: The connection could not be established. The error message states the reason for the failure. Contact Zscaler Support if you require further assistance.
    • In progress: The connection is established and 3rd-Party App Governance is ingesting the relevant data. This can take a while depending on the size of your tenant. During this time, a message indicates that the domain is still being processed, and Zscaler emails you when the domain is ready for review.
    • Success: The integration is completed successfully and the last sync time is updated.

Reconnecting Microsoft Azure to 3rd-Party App Governance

You might need to reconnect Microsoft Azure to 3rd-Party App Governance if an error is displayed (e.g., Grant Expired). To reconnect Microsoft Azure to 3rd-Party App Governance:

  1. Click Microsoft Azure in the Integrations window to expand and view the list of added domains.
  2. Click the Reconnect icon next to the relevant domain.

A confirmation window appears.

  3. Click Confirm to continue.

A consent window appears. After consent is granted, the connection is updated.

Deleting a Microsoft Azure Connection

You can delete a Microsoft Azure connection to 3rd-Party App Governance. To delete a Microsoft Azure connection:

  1. Click Microsoft Azure in the Integrations window to expand and view the list of added domains.
  2. Click the Delete icon next to the relevant domain.

A confirmation window appears.

  3. Click Confirm to continue.

The connection is successfully deleted.

Permissions and Data Collected

The following table lists the permissions and data collected after integration.

The "Read and modify applications" permission listed in the following table is an optional permission that can be granted to 3rd-Party App Governance to support additional functionalities. This permission is not required for initial onboarding and is only requested to perform specific activities.

Each entry gives the permission as it appears on the consent screen, the Microsoft Graph scope it corresponds to, and the data it provides.

  • Maintain access to data you have given access to (offline_access): Lets 3rd-Party App Governance obtain refresh tokens for the Microsoft Graph API so that access persists after the consenting administrator's session ends.
  • Read audit log data (AuditLog.Read.All): Audit records of user-related directory and application activity.
  • Read directory data (Directory.Read.All): User sign-ins and application users, users' group memberships, users' OAuth permission grants, the directory's application list, service principals, role assignments, users and groups, and the name of your organization.
  • Read all users' full profiles (User.Read.All): User avatars and basic user information.
  • Read all usage reports (Reports.Read.All): Usage metadata.
  • Read and modify applications (Application.ReadWrite.All): Optional. Granted only when a 3rd-Party App Governance Admin wants to revoke an app or restrict a particular app's access.
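After consenting, a tenant administrator can confirm that the grant came out as the consent step above intends: delegated scopes matching the list above, no tenant-wide grant (which is what selecting Consent on behalf of your organization produces), and no application permissions. The following Python is an added example and is not Zscaler's code. It assumes you have already fetched the integration's service principal, its oauth2PermissionGrants and its appRoleAssignments from Microsoft Graph with whatever client you use; the JSON embedded here is constructed, and treating openid, profile, email and User.Read as routine sign-in scopes is an assumption.

```python
"""Audit what a Microsoft Entra ID (Azure AD) consent actually granted.

Added example; not Zscaler's code. Runs offline against constructed JSON shaped
like the Microsoft Graph objects returned by
GET /servicePrincipals/{id}/oauth2PermissionGrants and
GET /servicePrincipals/{id}/appRoleAssignments. Property names (consentType,
scope, appRoleId) are the real Graph names; the sample values are made up.
"""
from dataclasses import dataclass, field

# Delegated scopes the integration requests for onboarding (from the list above).
REQUIRED_SCOPES = {
    "offline_access", "AuditLog.Read.All", "Directory.Read.All",
    "User.Read.All", "Reports.Read.All",
}
# Optional scope that enables revoke/restrict; reported so its grant is deliberate.
OPTIONAL_WRITE_SCOPES = {"Application.ReadWrite.All"}
# Sign-in scopes that routinely accompany a delegated consent (assumption).
SIGNIN_SCOPES = {"openid", "profile", "email", "User.Read"}


@dataclass
class ConsentReport:
    missing_scopes: set = field(default_factory=set)
    unexpected_scopes: set = field(default_factory=set)
    write_scopes_granted: set = field(default_factory=set)
    tenant_wide_grants: int = 0       # grants with consentType "AllPrincipals"
    application_permissions: int = 0  # appRoleAssignments on the service principal

    @property
    def ok(self) -> bool:
        # Per-user delegated consent with every required read scope and nothing
        # undocumented. The optional write scope is legitimate, so it is reported
        # separately rather than failing the check.
        return not (self.missing_scopes or self.unexpected_scopes
                    or self.tenant_wide_grants or self.application_permissions)


def audit_consent(oauth2_grants: list, app_role_assignments: list) -> ConsentReport:
    """Compare the grants on the service principal with the documented permission set."""
    report = ConsentReport()
    granted: set = set()
    for grant in oauth2_grants:
        # "Consent on behalf of your organization" records a grant for all users as
        # consentType "AllPrincipals"; a grant tied to the consenting admin alone is
        # consentType "Principal".
        if grant.get("consentType") == "AllPrincipals":
            report.tenant_wide_grants += 1
        granted.update((grant.get("scope") or "").split())
    report.missing_scopes = REQUIRED_SCOPES - granted
    report.write_scopes_granted = granted & OPTIONAL_WRITE_SCOPES
    report.unexpected_scopes = (granted - REQUIRED_SCOPES
                                - OPTIONAL_WRITE_SCOPES - SIGNIN_SCOPES)
    # Application permissions appear as appRoleAssignments on the service principal;
    # this integration requests none, so any assignment here was added elsewhere.
    report.application_permissions = len(app_role_assignments)
    return report


# Constructed sample data (not real tenant output).
GOOD_GRANTS = [{
    "consentType": "Principal",
    "principalId": "11111111-1111-1111-1111-111111111111",
    "scope": "openid profile offline_access AuditLog.Read.All Directory.Read.All "
             "User.Read.All Reports.Read.All",
}]
BAD_GRANTS = [{
    "consentType": "AllPrincipals",
    "principalId": None,
    "scope": "offline_access AuditLog.Read.All Directory.Read.All User.Read.All "
             "Reports.Read.All Application.ReadWrite.All Mail.Read",
}]
BAD_APP_ROLES = [{"appRoleId": "22222222-2222-2222-2222-222222222222",
                  "principalDisplayName": "Example App Governance SP"}]

if __name__ == "__main__":
    for label, grants, roles in (("good", GOOD_GRANTS, []), ("bad", BAD_GRANTS, BAD_APP_ROLES)):
        r = audit_consent(grants, roles)
        print(f"{label}: ok={r.ok} tenant_wide={r.tenant_wide_grants} "
              f"app_perms={r.application_permissions} write={sorted(r.write_scopes_granted)} "
              f"unexpected={sorted(r.unexpected_scopes)} missing={sorted(r.missing_scopes)}")
```

The "bad" sample shows the three things worth catching after a consent: a tenant-wide grant (the checkbox was selected), an undocumented scope riding along, and an application permission that this integration never asks for. A non-empty write_scopes_granted is not a failure but should match an explicit decision to enable revocation.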
Related Articles

  • Connecting Your Platforms to 3rd-Party App Governance
  • Integrating with Atlassian
  • Integrating with GitHub
  • Integrating with Google Workspace
  • Integrating with Microsoft Azure
  • Integrating with Okta
  • Integrating with Salesforce
  • Integrating with Slack
  • Adding Outbound Integrations