Updating Entra IdP secret key with certificates not possible on ZTNA admin console
Article ID: 428025

Products

Symantec ZTNA

Issue/Introduction

A ZTNA administrator has a Microsoft Azure (/Entra) Identity Provider configured whose secret key expired. The administrator updated the secret key in the ZTNA instance, and everything appears to be working fine.

During the process of obtaining a new secret key from our Directory Services team, they informed the ZTNA admin that secret keys for App Registrations are no longer the preferred method. Their preferred method is to use certificates, with the guidance being to "request the cert from the CA team and upload it in both places, the app and Entra." An exception was granted for a short-term secret key for now, but the admin will need to migrate again within 3 months.

Looking at the ZTNA admin console, there are no options for uploading certificates in relation to an Identity Provider.

Is there a current method within ZTNA to use certificates in place of secret keys for Identity Providers?

Environment

ZTNA.

Microsoft Entra (/Azure) Identity provider.

Cause

There is no support for certificate-based keys within the Azure Identity Provider setup.

Resolution

Use SAML with SCIM instead of the default Azure provider to synchronise users from Entra into ZTNA. There are currently no plans to support the certificate-based approach (that could change).

SCIM is the recommended option for several reasons:

  • Instant Propagation: SCIM allows immediate synchronisation of group changes, whereas the "read API" only resolves a user's groups once per session.
  • Granular Control: SCIM gives specific control over which groups are visible to the ZTNA service, unlike the "read API", which requires full read permissions for the entire directory.
  • Easier Maintenance: SCIM removes the need to manually update tokens every year.

Setting up a new Generic SAML IdP using SCIM does exactly what is needed today, except that ZTNA user/group validation is kept in sync through SCIM pushes rather than by ZTNA sending a back-channel OAuth/OIDC request to Entra to retrieve the information.
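To illustrate the "instant propagation" point above, here is an added example (not code from this article, ZTNA or Entra) of a minimal SCIM 2.0 Group PATCH handler beside a "resolve groups once per session" cache: the pushed removal is visible at once, while the cached session still carries the old membership. The group and user names are constructed, and the filtered `members[value eq "..."]` remove path is assumed as the form the IdP sends.

```python
import re

# Added illustration, not ZTNA or Entra code: a minimal SCIM 2.0 (RFC 7644) Group
# PATCH handler next to a "resolve groups once per session" cache, showing why a
# pushed group removal takes effect immediately while the cached view goes stale.

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
REMOVE_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')  # assumed remove path form

class GroupStore:
    """Authoritative membership, kept current by SCIM pushes from the IdP."""
    def __init__(self):
        self.groups = {}  # group id -> set of user ids

    def apply_patch(self, group_id, body):
        """Apply one PatchOp message to a group; returns the resulting member set."""
        if PATCH_OP not in body.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        members = self.groups.setdefault(group_id, set())
        for op in body["Operations"]:
            kind, path = op["op"].lower(), op.get("path", "")
            if kind == "add" and path == "members":
                members.update(m["value"] for m in op["value"])
            elif kind == "remove" and REMOVE_FILTER.match(path):
                members.discard(REMOVE_FILTER.match(path).group(1))
            else:
                raise ValueError(f"unsupported operation: {kind} {path!r}")
        return set(members)

    def groups_of(self, user_id):
        return {g for g, m in self.groups.items() if user_id in m}

class SessionCache:
    """Read-API model: groups are resolved once at session start and then reused."""
    def __init__(self, store):
        self.store, self.sessions = store, {}

    def start_session(self, user_id):
        self.sessions[user_id] = self.store.groups_of(user_id)

    def groups_of(self, user_id):
        return self.sessions[user_id]

def demo():
    """Constructed scenario: alice joins 'finance', starts a session, then is removed."""
    store = GroupStore()
    cache = SessionCache(store)
    store.apply_patch("finance", {"schemas": [PATCH_OP], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": "alice"}]}]})
    cache.start_session("alice")
    store.apply_patch("finance", {"schemas": [PATCH_OP], "Operations": [
        {"op": "remove", "path": 'members[value eq "alice"]'}]})
    return store.groups_of("alice"), cache.groups_of("alice")  # (set(), {"finance"})
```

The SCIM-fed store no longer lists alice in finance, while the session cache keeps granting the group until she logs in again, which is exactly the gap the article's recommendation closes.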