Using SCIM for identity management allows for quick removal of users. When you delete users in your system, the same users are quickly removed from the Zscaler database. Users that are no longer in your organization will not have access to your private applications.

Deleting users in SCIM applies to users connected to ZPA using the Zscaler Client Connector (Z App). Users accessing applications via Browser Access can not be removed from ZPA using SCIM.

To start the removal process, delete the user from within your IdP. Following a SCIM update from the IdP to ZPA, the user is automatically removed from ZPA. You can verify that the user is no longer in ZPA by going to the SCIM Users page and checking the table for the user name.

If the IdP is Okta, users are not deleted. Instead, users are deactivated. Deactivated users can no longer access your private applications.