Secure Private Access (ZPA)
About Microtenants
Contact Zscaler Support to enable this feature for your organization.
A Microtenant is a delegated set of administrator responsibilities that is assigned to an admin by an admin with Microtenant administrator privileges. Each Microtenant is defined by an authentication domain and is assigned to admins based on country, department, and company, providing role-based administration control.
Microtenants provide the following benefits and enable you to:
- Delegate the responsibilities of an admin.
- Manage the configuration of shared application segments, segment groups, servers, server groups, App Connectors, App Connector groups, and policies exclusive to users within their country, department, and operating company.
- View the dashboard and logs exclusive to the users within their country, department, and operating company.
- Share application segments between different Microtenants.
A Microtenant is created within a tenant and is used when departments or subsidiaries within an organization want to manage their configurations independently. For example, an organization can delegate admin responsibilities directly to the admins of an acquired or merged company so that they can manage their configurations independently. In the following diagram, admin groups A and B are from the USA and India. Each admin group manages a different Microtenant, but both share the same global resources (e.g., applications, App Connectors, etc.). The Microtenant admin assigns a separate Microtenant to each admin group, so each group gets its own Microtenant while still having access to the global resources.
Zscaler recommends you consider the following before configuring a Microtenant:
- App Profile Configuration in the Zscaler Client Connector Portal
Admins that want to map machine tunnels to their respective Microtenant must have a one-to-one mapping between an app profile and the individual Microtenant. For example, a tenant has the following app profiles in the Zscaler Client Connector Portal:
Rule Number  Policy Name     User Groups  Machine Token
1            Early_Adopters  Beta_Grp     None
2            China_Users     PRC_Grp      None
3            Default         All          Machine_Token_from_Default_Tenant

The following Microtenants are configured:

Microtenant Number  Name                         Authentication Domain
1                   Microtenant_for_US_Users     us.com
2                   Microtenant_for_China_Users  prc.com
3                   Default                      All

In this example, only the Default app profile carries a machine token, and that token comes from the Default tenant, so all machine tunnels enroll against the Default Microtenant. This allows all users to access the Default Microtenant resources over the machine tunnel.
- Configurations That Can Only Be Managed or Configured by the Default Microtenant Admin
- IdP Configuration
- Enrollment (CA) Certificates
- Log Streaming Service
- Microtenants
- SAML Attributes
- Zscaler Client Connector Portal Links
Contact the Default Microtenant admin if you need help configuring or managing certain features and use cases.
- Disaster Recovery Configuration
The Microtenants feature is not supported when disaster recovery is enabled. When Disaster Recovery Mode is activated, all users have access to all applications that are designated for disaster recovery, regardless of Microtenant. In the following diagram, users A and B are from the USA and India and have access to separate applications while disaster recovery is disabled. After disaster recovery is enabled, both users have access to all applications that are designated for disaster recovery.
When in Disaster Recovery Mode, ZPA Private Service Edges and App Connectors mapped within a default or custom Microtenant provide traffic to only applications designated for disaster recovery. To learn more, see Understanding Disaster Recovery.
- Supported Features within a Microtenant
The following feature areas are available within a Microtenant:
- API Key Management
- App Connector Management
- Dashboard & Diagnostics
- Notification Management
- Privileged Remote Access (PRA)
- Private Service Edge Management
The following restrictions apply to custom Microtenants and custom Microtenant admins:
- Disaster Recovery settings are read-only for custom Microtenant admins.
- Browser Access with CORS and Client Hostname Validation are only supported for regular tenants. Applications with Inspect Traffic with ZIA or Source IP Anchor enabled are also only supported for regular tenants. To learn more, see Configuring Application Segments.
- IdP configuration, SAML attributes, and authentication settings are read-only for custom Microtenant admins.
- Enrollment (CA) certificates are read-only for custom Microtenant admins.
- Log receiver configurations are read-only for custom Microtenant admins.
- AppProtection policies are only supported for regular tenants.
- Zscaler Client Connector download link configurations are read-only for custom Microtenant admins.
There can be situations where users from one Microtenant need to access one or more application segments that belong to another Microtenant. Application segments that are present in a Microtenant can be shared with other Microtenants. If an application segment is not shared with any other Microtenant, it can instead be moved to the Default Microtenant. To learn more, see Sharing Defined Application Segments and Moving Defined Application Segments.
About the Microtenants Page
On the Microtenants page (Configuration & Control > Administration Control > Microtenants), you can do the following:
- View a list of applied filters available from the current and previous user sessions. Applied filters must be saved to the user session first before they can be viewed. Use the drop-down menu to select the applied filters to view. To learn more, see Using Tables.
- Hide the filters on the page by clicking Hide Filters. Click Show Filters to display the filters.
- Refresh the Microtenants page to reflect the most current information.
- Filter the information that appears in the table. By default, no filters are applied. You can also save applied filters to your preferences so that they're visible in future user sessions. To learn more, see Using Tables.
- Add a new Microtenant.
- Expand all the rows in the table to see more information about each Microtenant.
- View a list of all Microtenants. For each Microtenant, you can see:
- Name: The name of the Microtenant.
- Description: The description of the Microtenant.
- Authentication Domain: The authentication domain used to authenticate the admins to the Microtenant.
- Status: The status of the Microtenant.
- Privileged Approvals: The privileged approval setting for the Microtenant. Enable to allow approval-based access even if no Authentication Domain is selected. The Emergency Access and Emergency Access Users pages are not visible for Microtenants with Privileged Approvals disabled. This field is Disabled by default.
The Privileged Approvals option is only supported for applications that have Privileged Remote Access enabled. To learn more, see Configuring Defined Application Segments.
Users mapped to Microtenants that are using ZPA Private Service Edges must reauthenticate when the Microtenant is disabled.
- Delete a Microtenant.
- Modify the columns displayed in the table.
- Display more rows or a different page of the table.
- Go to the Administrators page to add new admins or manage existing admins.
- Go to the Roles page to add new admin roles or manage existing roles.
- Go to the Audit Logs page to view and download admin log records.
- Go to the Acceptable Use Policy page to view or update the AUP for your user portals.
- Go to the Client Sessions page to view or delete current sessions.
- Go to the Disaster Recovery page to view critical application segments, ZPA Private Service Edge groups, or App Connector groups that are designated for disaster recovery. You can also configure the Disaster Recovery settings.
When Disaster Recovery is enabled and Disaster Recovery Mode is activated, all users have access to all applications that are designated for disaster recovery.
- Go to the Integrations page to set up File Transfer via Zscaler Internet Access (ZIA).
The Integrations page is read-only for Microtenant admins.
- Go to the Client Connector IP Assignment page to manage Zscaler virtual IP addresses and view IP bindings for use with server-to-client connectivity.
