This playbook obtains OAuth2 access tokens for Zscaler Internet Access (ZIA) integrations using Zscaler ZIdentity OAuth and returns the token response.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Zscaler Internet Access |
| Source | View on GitHub |
📄 Source: Oauth2Authentication/readme.md
This playbook provides OAuth2 authentication capabilities for Zscaler Internet Access (ZIA) integration with Microsoft Sentinel. It handles the authentication flow required to obtain and manage access tokens for secure API communication with Zscaler services.
The Zscaler-Oauth2-Authentication playbook is designed to:
Before deploying this playbook, ensure you have:
Zscaler Configuration
- A Zscaler Internet Access (ZIA) subscription with API access enabled
- An Azure AD application registration for OAuth2 authentication
- OAuth2 client credentials for that application from Azure AD (the Client ID and the client secret)
Azure Resources
- An existing Azure Key Vault
- The client secret stored in Key Vault with the name client-secret
- Appropriate permissions to deploy Azure Logic Apps and modify Key Vault access policies
Required Information
- OAuth2 Scope (typically api://[your-app-id]/.default)
- Azure AD Tenant ID
- Key Vault name
When deploying the full Zscaler solution from Content Hub, you will see an Authentication Configuration step where you need to provide the Azure AD Tenant ID, the Client ID, the Key Vault name and the OAuth2 Scope (for example `api://166a33fa-7009-42ad-bf3b-1f6fcffb6395/.default`). These parameters automatically configure the OAuth2 Authentication Logic App during deployment.
To deploy only the Zscaler-Oauth2-Authentication playbook, use the standalone deployment button in the source README. When deploying standalone, you need to provide the same parameters during deployment.
After deployment, complete these steps:
Ensure your client secret is stored in the Key Vault you specified, under the name `client-secret`:

```bash
az keyvault secret set \
  --vault-name <YOUR_KEYVAULT_NAME> \
  --name client-secret \
  --value <YOUR_CLIENT_SECRET>
```

Passing the secret with `--value` leaves it in your shell history and in the process listing while the command runs; `az keyvault secret set --file <path>` reads it from a file instead.
The Logic App uses a system-assigned managed identity. Grant it access to read secrets:

```bash
# Get the Logic App's managed identity object ID
LOGIC_APP_IDENTITY=$(az logic workflow show \
  --resource-group <YOUR_RESOURCE_GROUP> \
  --name Zscaler-Oauth2-Authentication \
  --query identity.principalId -o tsv)

# Grant the Key Vault Secrets User role on the vault
az role assignment create \
  --assignee "$LOGIC_APP_IDENTITY" \
  --role "Key Vault Secrets User" \
  --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<YOUR_RESOURCE_GROUP>/providers/Microsoft.KeyVault/vaults/<YOUR_KEYVAULT_NAME>
```

Key Vault Secrets User at vault scope grants read access to every secret in the vault. To follow least privilege, scope the assignment to the one secret the playbook needs by appending `/secrets/client-secret` to the `--scope` value. The role assignment only takes effect on a vault that uses the Azure RBAC permission model; a vault still using access policies needs a secret Get access policy for the managed identity instead.
Alternatively, use the Azure Portal:
1. Navigate to your Key Vault
2. Go to Access control (IAM)
3. Click Add role assignment
4. Select the Key Vault Secrets User role
5. Assign access to the Zscaler-Oauth2-Authentication Logic App
Test the authentication by manually running the Logic App and confirm that the run output contains an `access_token`. That output is kept in the Logic App run history, which anyone with read access to the Logic App can view, so enable Secure Outputs on the actions that handle the token once testing is done.

Troubleshooting

"Parameter value missing" error in Key Vault connection
- Ensure the Key Vault name was provided during deployment
- For existing deployments, update the connection:

  ```bash
  az resource update \
    --ids "/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Web/connections/Keyvault-Zscaler-Oauth2-Authentication" \
    --set properties.alternativeParameterValues.vaultName="<KEYVAULT_NAME>"
  ```
"Forbidden" error when accessing Key Vault
- Verify the Logic App's managed identity has the "Key Vault Secrets User" role
- Check that the secret client-secret exists in the Key Vault
OAuth2 token request fails
- Verify the Client ID, Tenant ID, and Scope are correct
- Ensure the client secret in Key Vault is valid and has not expired (Azure AD client secrets have an expiry date)
- Check that the Azure AD application has the required API permissions
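The client-credentials exchange the playbook performs, together with the response checks behind the troubleshooting items above, as an added Python example (not the Logic App's own code or the Zscaler solution's). It assumes the token endpoint is the Microsoft identity platform v2.0 endpoint for the deployment's Tenant ID; the environment variable names and the sample responses are constructed for illustration.

```python
"""Client-credentials token request of the kind the playbook performs.

Added example, not code from the Zscaler solution or the Logic App itself.
Assumption (not stated on the page): the playbook posts a standard OAuth2
client_credentials grant to the Microsoft identity platform v2.0 token endpoint.
"""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed token endpoint; the Tenant ID from the deployment parameters goes in the path.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

# Constructed sample replies in the shape defined by RFC 6749 sections 5.1 and 5.2.
SAMPLE_OK = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.sample",
})
SAMPLE_ERR = json.dumps({
    "error": "invalid_client",
    "error_description": "constructed sample: the client secret was rejected",
})


def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, form_body) for a client_credentials grant.

    The inputs are the values the page asks for: Tenant ID, Client ID, the
    secret read from Key Vault, and the api://<app-id>/.default scope.
    """
    for name, value in (("tenant_id", tenant_id), ("client_id", client_id),
                        ("client_secret", client_secret), ("scope", scope)):
        if not value:
            raise ValueError(f"{name} is empty; check the deployment parameters")
    url = TOKEN_ENDPOINT.format(tenant_id=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body


def parse_token_response(status, body, now=None, skew=300):
    """Validate a token endpoint reply and return what a caller should keep.

    Success: {"access_token", "token_type", "expires_at"}; expires_at is pulled
    forward by `skew` seconds so the token is refreshed before it actually lapses.
    Failure: RuntimeError carrying the OAuth2 error code and description, which
    is the first thing to read when the playbook's token request fails.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise RuntimeError(f"token request failed (HTTP {status}): {data.get('error')}: "
                           f"{data.get('error_description', '')}")
    token = data.get("access_token")
    if not token:
        raise RuntimeError("HTTP 200 but no access_token in the response body")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return {"access_token": token, "token_type": "Bearer",
            "expires_at": now + int(data.get("expires_in", 0)) - skew}


def is_expired(token_info, now=None):
    """True once the skew-adjusted expiry has passed, i.e. request a fresh token."""
    now = time.time() if now is None else now
    return now >= token_info["expires_at"]


def request_token(tenant_id, client_id, client_secret, scope):
    """Perform the live request; on HTTP 4xx the error body is parsed rather than lost."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return parse_token_response(exc.code, exc.read())


if __name__ == "__main__":
    # Example-only variable names; in the playbook the secret comes from Key Vault.
    info = request_token(os.environ["AZ_TENANT_ID"], os.environ["AZ_CLIENT_ID"],
                         os.environ["AZ_CLIENT_SECRET"], os.environ["AZ_SCOPE"])
    # Print metadata only: the token itself never belongs in logs or run history.
    print(f"got {info['token_type']} token ({len(info['access_token'])} chars), "
          f"valid until {time.strftime('%H:%M:%S', time.gmtime(info['expires_at']))} UTC")
```

When a run fails, the `error` and `error_description` fields surfaced by `parse_token_response` tell you which of the three troubleshooting checks above to start with: a rejected client maps to the secret or Client ID, an unknown tenant to the Tenant ID, and a scope complaint to the `api://<app-id>/.default` value.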