A step-by-step guide to consolidating ZIA and ZPA services under a single Zscaler tenant for unified management and seamless integration.
Overview
If your organization initially deployed Zscaler Private Access (ZPA) and later purchased Zscaler Internet Access (ZIA), a tenant merge is required to consolidate both services under one unified management portal. This process must be performed by the Zscaler Support Provisioning Team and may take several business days. This article outlines what to expect and how to initiate the process.
SecureDynamics is here to help every step of the way. We take a white glove service approach to guide your team through this process with minimal effort on your part, ensuring everything is executed correctly and smoothly.
Why Is Tenant Merging Necessary?
ZPA and ZIA are distinct services within the Zscaler cloud. When added separately, they are provisioned under different tenants. Merging them into a single tenant enables:
- Centralized policy management
- Unified logging and reporting
- Seamless integration across Zscaler services
Learn more: Understanding ZPA, ZIA, and Zscaler Client Connector Clouds
Step-by-Step: Merging ZIA and ZPA Tenants
Customer Preparation
- Before the actual merge, Zscaler requires syncing all production ZPA users into the ZIA portal. This ensures that once ZIA services are linked to the Zscaler Client Connector (ZCC) portal, users will not face authentication issues when accessing Internet services via ZIA.
Example – Syncing Users from ZPA to ZIA via Azure AD:
Let’s say your organization uses Azure Active Directory (Azure AD) and already has it integrated with ZPA:
- Log into the ZIA Admin Portal with your ZIA tenant credentials.
- Navigate to: Administration > Authentication > SCIM Configuration.
- Enable SCIM provisioning in ZIA, using Zscaler's online help as a checklist.
- In Azure AD:
  - Go to Enterprise Applications > Zscaler Internet Access (or create a new app if needed).
  - Complete the SCIM configuration for the IdP, again using Zscaler's online help as a checklist.
  - Under Provisioning, set the mode to Automatic.
- Select the same users and groups already assigned for ZPA access.
- Run a test sync and confirm users appear under ZIA Admin Portal > Administration > Users.
For other IdPs like Okta or Ping, follow the appropriate SCIM provisioning guides.
- Let your end users know that ZIA options will soon appear in ZCC and that they could experience some traffic-related issues, depending on how the App/Forwarding Profiles are configured.
- Deploy a safe, best practices forwarding configuration for all the available App Profiles.
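To back up the test sync in the preparation step above, a pre-merge check can compare user exports from the two tenants and list ZPA users or group memberships that have not reached ZIA. This is an added example, not Zscaler or SecureDynamics code; the CSV layout (`email` and `groups` columns, semicolon-separated groups) and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports. The column names "email" and "groups" are
# assumptions for this example, not a documented Zscaler export format.
ZPA_EXPORT = """email,groups
Alice@Example.com,Engineering;VPN-Users
bob@example.com,Finance
carol@example.com,Engineering
dave@example.com,Contractors
"""
ZIA_EXPORT = """email,groups
alice@example.com,Engineering;VPN-Users
bob@example.com,
carol@example.com ,Engineering
"""

def load_users(text):
    """Return {normalized email: set of group names} from a CSV export."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Normalize case and whitespace so cosmetic differences between
        # the two portals are not reported as missing users.
        email = (row.get("email") or "").strip().lower()
        if not email:
            continue  # skip blank rows rather than counting them as users
        raw = (row.get("groups") or "").split(";")
        users.setdefault(email, set()).update(g.strip() for g in raw if g.strip())
    return users

def sync_gaps(zpa_text, zia_text):
    """Report ZPA users absent from ZIA and groups missing for shared users."""
    zpa, zia = load_users(zpa_text), load_users(zia_text)
    missing_users = sorted(set(zpa) - set(zia))
    missing_groups = {
        email: sorted(zpa[email] - zia[email])
        for email in sorted(set(zpa) & set(zia))
        if zpa[email] - zia[email]
    }
    return missing_users, missing_groups

if __name__ == "__main__":
    users, groups = sync_gaps(ZPA_EXPORT, ZIA_EXPORT)
    print("ZPA users not yet in ZIA:", users or "none")
    for email, names in groups.items():
        print(f"{email}: groups missing in ZIA: {', '.join(names)}")
```

An empty result from both checks is the condition to meet before opening the merge ticket; any user listed would hit the authentication issues the preparation step is meant to prevent.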
1. Submit a Support Ticket
- Open a case with Zscaler Support requesting a ZIA and ZPA tenant merge.
- Include both tenant IDs (ZIA and ZPA) and any relevant company contact details.
2. Zscaler Support Review & Initial Sync
- The Provisioning Team will verify ownership of both tenants.
3. Backend Merge by Zscaler
- Zscaler engineers will then complete the backend merging process, which includes:
  - Migrating user data
  - Synchronizing policies
  - Aligning authentication and configurations
4. Testing and Validation
- Once the merge is complete, Zscaler will notify your team.
- Validate both ZIA and ZPA functionality:
  - Check that Zscaler Service Entitlement shows both services enabled in the Mobile Admin Portal.
  - Confirm access to the Mobile Admin section via the ZIA portal.
- Deploy a safe, best practices forwarding configuration for all the available App Profiles.
- After Zscaler has successfully integrated the Client Connector Portal with ZIA, proceed with the following steps to deactivate ZIA for production ZPA users. This will help prevent any potential connectivity issues.
  - Log into the Client Connector Portal through the ZIA/ZPA admin portal.
  - After logging in, go to Administration and select Forwarding Profile.
  - Edit the Forwarding Profile settings and set the ZIA Forwarding Action to "None" for the Trusted, VPN Trusted, and Off Trusted Network categories, as illustrated below.
  - Repeat these steps for all forwarding profiles to ensure consistency across your configurations.

5. Final Confirmation
- Report any discrepancies to Zscaler Support.
- Once all services are verified, you may close out the case.
6. Continue Phased Rollout of Users to ZIA
- Develop a new Application/Forwarding Profile in alignment with your Rollout Plan and incorporate the necessary user groups into ZIA as required.
- Once you are prepared to enable ZIA for all users, update the existing Application/Forwarding Profile according to your rollout plan to ensure a smooth transition for all users.
What to Expect
- Timeframe: The merge can take several business days depending on complexity and support queue.
- Policy Adjustments: Some settings may require manual updates post-merge.
- User Impact: There may be minor, temporary disruptions—plan the merge during a maintenance window when possible.