ZTNA IDP setup?

Question regarding adding a ZTNA Identity Provider: in the docs it mentions creating a new tenant, but later it also mentions that the users it synchronises tie in with Central's AAD Sync setup. Does this mean we should be using the same AAD tenant the Sync is using, or a separate tenant for ZTNA? Is it supposed to use a separate AAD tenant for the ZTNA IDP? Just asking as I was assuming it should use the same AAD tenant used for Central's user sync, so the same users are authenticating, unless this is by design (isolation), but then wouldn't the ZTNA AAD tenant need to have B2C or a multi-tenant setup for the ZTNA tenant's apps?

Sorry, this part was unclear in the start-up guide: whether using a separate ZTNA AAD tenant was by design?

  • You can and should use the same AAD Tenant.

    It will use the same groups, already synced to Central via AAD Sync.


  • I was assuming that myself but wanted to check from the start-up guide lol... It refers to using synced users in ZTNA, but at the same time says to create a new ZTNA AAD tenant, when surely it should suggest using the existing one? Anyway, it would work using additional AAD tenants, but only if set up as multi-tenant lol.

    Wasn't sure if this was purposely intended for tenant isolation purposes. Anyway, thanks.


  • Central can use the Azure AD Sync to get the AD information.

    ZTNA needs some further checks: you need the callback URL, for example.

    So simply create a new app registration in Azure and configure this one.