Configure Umbrella for Migration to Secure Access and Security Cloud Control

Available Languages

Download Options

  • PDF     (1.6 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.7 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.2 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 10, 2026
Document ID:225388

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to migrate from Umbrella to Secure Access using Security Cloud Control (SCC).

Background information

Umbrella customers are encouraged to migrate from Umbrella to Secure Access and required to use Security Cloud Control to manage all their cloud security products as part of these changes. This allows you to have a single pane of glass to manage their cloud security products which includes Cisco Secure Access.

Multi-org and MSSP are not currently supported (at the time of the creation of this article).

Prerequisites

  • Current DNS or SIG Subscription
  • Full Admin Access to Umbrella
  • Access to Security Cloud Control

Preparation Stages

1. Prepare for Migration

  1. Ensure that you have a DNS or SIG subsctiption on Umbrella:
  • Navigate to Admin > Licensing to verify
  • Upgrade to Secure Access must be displayed at the top of the page:

Prepare for Migration

ii. Make note of the org ID, in this example 8350166.

iii. Select the Request Invitation option on the licensing page.

Important: The Request Invitation button serves as an invitation to join the Umbrella tenant for SCC. It does not generate a claim code. A claim code will be provided to you once your order for Secure Access has been completed. This is part of the migration process to Secure Access.

Note: Migration is a paid service available only to customers who have purchased a Cisco Secure Access subscription. The invitation can be requested only after purchasing the Secure Access subscription.

Note: If the Upgrade to Secure Access is not present then ensure that the Umbrella package is DNS or SIG (multi-org or ad-ons are not currently supported at the time of the writing of this article).

iv. Assuming that you have placed your order for Secure Access, wait 3-4 business days and you must receive an email with your subscription claim code (after initiating the request invitation from your Umbrella Tenant). Please see example email here:

Email

2. Log in to SCC using your existing Cisco login credentials

i. Navigate to Security Cloud Control portal and login with your Cisco login credentials.

Note: The same Cisco login credentials used to access your Umbrella dashboard.

ii. Select Create new organization (if you do not have an existing one).

iii. Enter the new organization name in the New Organization name field.

iv. Select the appropriate region from the Region deployment drop-down menu.

Note: This must be the grographical region where your tenant would be deployed to.

Example here:

Select Organization

v. Then select Continue to complete the org creation.

3. Link Umbrella org to SCC and claim subscription

i. Select Claim subscription button to claim it with the codes provided from step 1 above.

ii. Your Umbrella org ID must be seen in the Subscriptions page as well with the invitation to attach it to SCC.

Note: The Umbrella org ID must be the same as on your Umbella Dashboard. This is important for the migration and to ensure that both SCC and Umbrella have been linked.

Subscriptions

- Select Attach product to attach your Umbrella org to SCC.

- When attached, you must see the Cisco Secure Access as a product in the same page as shown on the example here:

Link Umbrella org to SCC

iii. Enter the claim code and select Next:

Enter Claim Code

iv. Select Attach existing instance from the Create new instance or attach existing drop-down menu:

Attach Existing Instance

v. Review the settings:

  • Ensure that the (Existing instance) is part of the product name
  • The region must be set to the existing region of the attached Secure Access instance
  • Select Claim move to move to the next page

Select Claim Move

  • Confirm the subscription claim:

Confirm Subscription Claim

  • After successful claim and provisioning you must get a Subscriptions page similar to the one here, showing all your activated products:

alt-tag-for-image

4. Apply the license to Secure Access Instance

i. Select Action required option:

alt-tag-for-image

ii. Select Appy license:

alt-tag-for-image

Verify Secure Access Link to SCC

Use this section to verify that your Secure Access tenant has been linked to SCC.

1. Product activation status in Subscriptions

Verify that the Cisco Secure Access <License Type> product Instance has been activated:

alt-tag-for-image

2. Secure Access in Product list

Secure Access must now be listed under Products as well:

alt-tag-for-image

Migrate from Umbrella to Secure Access

  1. Log back into Umbrella with the same account as above.
  2. Navigate to the new menu item Upgrade Manager:

alt-tag-for-image

3. In the Upgrade Manager page, select Start under Enable Cisco Security Cloud Sign on

alt-tag-for-image

4. Select ENABLE SAML under SAML Dashboard User Configuration to link your SCC as SAML provider for dashboard login:

alt-tag-for-image

5. Test SAML configuration with the TEST CONFIGURATION option:

alt-tag-for-image

6. The login page of SCC must appear in a different pop-up window (ensure that pop-up blocker is disabled):

When prompted, login with your SCC credentials.

alt-tag-for-image

alt-tag-for-image

When the login has been verified, you must get the message here, confirming it. At which point the SAML part is almost complete:

alt-tag-for-image

You must then be returned to the SAML Dashboard User Configuration portion again:

  • Green tick shows that the SAML settings have been correctly configured
  • Select NEXT to continue

alt-tag-for-image

Save and notify users of the changes:

alt-tag-for-image

SAML configuration completed:

alt-tag-for-image

7. Upgrade to Secure Access by selecting Upgrade in the Start Upgrade section:

alt-tag-for-image

  • Allow the upgrade to continue:

alt-tag-for-image

  • When completed, you must get a page like on the image here:

alt-tag-for-image

8. Redirect traffic to Secure Access

alt-tag-for-image

  • Confirmation of the redirection being completed. In the example only the network identity was migraded from Umbrella to Secure Access:

alt-tag-for-image

9. Complete the upgrade and migration to Secure Access

Caution: This completely removes your Umbrella org and is not reversible so be sure all items have been completely migrated before carrying out this step.

alt-tag-for-image

  • When you select Close Umbrella on the image here, you are going to lose access to your umbrella org as it gets deleted:

alt-tag-for-image

Verify Migration

  1. Log into Secure Access with your login credentials
  2. Navigate to Secure > Access Policy to display the migrated rules, as on the example here. The org ID must be the same as in section Prepare for Migration above.

alt-tag-for-image

Related Information

Revision History

Revision Publish Date Comments
2.0
10-Mar-2026
Updated requirement for CSA subscription tobe able to migrate.
1.0
25-Nov-2025
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Joshua Alero
    Technical Account Manager - Cloud Security

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products