Secure Private Access (ZPA)

Configuring ZPA Administrators

This article describes how to add a new admin. You can add up to 5,000 admins. For a complete list of ranges and limits per feature, see Ranges & Limitations.

To add a new admin:

  1. Go to Configuration & Control > Administration Control > Administrators.
  2. Click Add.

    The Add Administrator window appears.

  3. In the Add Administrator window:
    • Admin ID: Enter a username. The username must be an email address, and the domain name must match your organization's domain name.
    • Email: (Optional) Enter an email address for the admin. Updates about ZPA are sent to this email address.
    • Phone: Enter a phone number. This field is required because the phone number is used for password recovery purposes.
    • Role: Select a predefined role or a custom role for the admin. You can click Clear Selection to remove any selections. To learn more, see About Roles.

      If your organization is subscribed to Shift and ZPA, the admin roles for both services are displayed. In this situation, Zscaler recommends selecting either the ZPA Administrator or ZPA Read Only Administrator role when creating new admin accounts for ZPA.

    • Status: Select whether to enable or disable the admin.
    • Two-Factor Authentication: If you want this admin to use two-factor authentication (2FA), do not make a selection here. Continue to configure the admin's account and save. After saving, direct the admin to log in with the credentials you provide. After they have logged in, you can then enable this feature for their account by doing the following:
      1. In the Administrators page, within the table, locate the admin you want to modify and click the Edit icon.
      2. In the Edit Administrator window, under Two Factor Authentication, select On.
      3. Under Two-Factor Auth Type, select one of the following authentication types. You can click Clear Selection to remove any selections:
        • If you select YUBIKEY, enter the YUBIKEY Token ID.
        • If you select TOTP, a window with a barcode appears once you save your changes (see image below). Scan the barcode using a two-factor authentication app (e.g., Google Authenticator) to complete configuration. You can also click Copy TOTP Key to copy the key to the clipboard so you can enter the key into the authentication app manually.

          Two-Factor Authentication Details window

          During the admin's next login to the ZPA Admin Portal, they will be required to enter the passcode generated by the authentication app.

          Login Page with Passcode field for the ZPA Admin Portal

    • Force Password Reset: Select Yes to force the admin to reset their password at login.
    • Pin Session: Select Yes to ensure that a session token is used only by the user to whom it was issued. This setting provides additional security by ensuring that the session token mapped to that user cannot be reused in subsequent or new sessions.
    • Password: Enter a password for the admin. The password must be at least 8 characters in length, and include at least one uppercase letter, one special character, and one number.
      • Exclamation point (!)
      • Number sign (#)
      • Dollar sign ($)
      • Percentage sign (%)
      • Ampersand (&)
      • Single quote (')
      • Left parenthesis (()
      • Right parenthesis ())
      • Asterisk (*)
      • Plus sign (+)
      • Comma (,)
      • Hyphen (-)
      • Period (.)
      • Forward slash (/)
      • Colon (:)
      • Semicolon (;)
      • Less than sign (<)
      • Equals sign (=)
      • Greater than sign (>)
      • Question mark (?)
      • At sign (@)
      • Left bracket ([)
      • Right bracket (])
      • Circumflex or caret (^)
      • Underscore (_)
      • Backtick or grave symbol (`)
      • Left curly bracket ({)
      • Pipe (|)
      • Right curly bracket (})
      • Tilde (~)

      Passwords included in the compromised password list are rejected when creating or updating a password. Contact Zscaler Support to learn more.

    • Confirm Password: Re-enter the password for the admin.

  4. Click Save.

When an admin logs in for the first time, the ZPA Admin Portal displays an End User Subscription Agreement (EUSA). The admin must accept the EUSA to proceed.

If admin A with ZPA Administrator privileges performs certain operations on admin B, another user with ZPA Administrator privileges, active sessions are revoked for admin B. To learn more, see About Roles.
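
The field rules in step 3 can be checked before a batch of admins is entered. The following is an added example, not Zscaler code: it assumes the characters listed under Password are the ones that count as special characters, that the Admin ID domain must match exactly, and it uses a constructed stand-in for the compromised password list. The function names, record keys, and sample records are hypothetical.

```python
import re
import string

# Special characters listed under the Password field on this page.
SPECIALS = set("!#$%&'()*+,-./:;<=>?@[]^_`{|}~")
# Constructed stand-in: the real compromised password list is not published here.
SAMPLE_COMPROMISED = {"Password1!", "Welcome#2024"}
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def password_problems(password, compromised=SAMPLE_COMPROMISED):
    """Return the password rules from this page that `password` fails."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # Conservative assumption: only ASCII letters and digits are counted.
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no listed special character")
    if password in compromised:
        problems.append("on compromised password list")
    return problems


def admin_problems(record, org_domain):
    """Check one admin record (hypothetical keys: admin_id, phone, password)."""
    problems = []
    match = EMAIL_RE.match(record.get("admin_id", ""))
    if not match:
        problems.append("Admin ID is not an email address")
    elif match.group(1).lower() != org_domain.lower():
        problems.append("Admin ID domain does not match organization domain")
    if not record.get("phone", "").strip():
        problems.append("Phone is required")
    problems += ["Password: " + p for p in password_problems(record.get("password", ""))]
    return problems


if __name__ == "__main__":
    # Constructed sample records for a hypothetical organization domain.
    batch = [
        {"admin_id": "alice@example.com", "phone": "+1 555 0100", "password": "Tr1cky-Horse"},
        {"admin_id": "bob@example.org", "phone": "", "password": "Password1!"},
    ]
    for rec in batch:
        print(rec["admin_id"], admin_problems(rec, "example.com") or "ok")
```

A record that passes these checks can still be rejected by the portal, because the actual compromised password list is not available locally.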
