Understand Umbrella Support for Importing User and Group Identities from Azure AD and Okta

Available Languages

Download Options

  • PDF     (6.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (85.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (71.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 2, 2025
Document ID:225125

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes Umbrella now supporting provisioning user and group identities from Azure Active Directory and Okta, based on the SCIM standard.

    Supported Use Cases

    Umbrella SWG:

    • Import user and group identities from Azure AD/Okta in conjunction with setting up SAML authentication against Azure AD/Okta for end users that are connecting to SWG via an IPsec tunnel, PAC files or proxy chaining.
    • Import user and group identities from Azure AD to enable user identification for the AnyConnect SWG module on devices that are authenticating against on-prem AD or Azure AD.
    • Import user and group identities from Okta to enable user identification for the AnyConnect SWG module on devices that are authenticating against on-prem AD.

    Umbrella DNS:

    • Import user and group identities from Azure AD to enable user identification for AnyConnect DNS module/Roaming Client on devices that are authenticating against on-prem AD or Azure AD.
    • Import user and group identities from Okta to enable user identification for AnyConnect DNS module/Roaming Client on devices that are authenticating against on-prem AD.

    Constraints

    • Azure AD/Okta cannot provide user identity integration for Umbrella Virtual Appliances (VAs). This is because Azure AD/Okta does not have visibility of the private IP – user mappings, which are required by the VAs. VA deployments continue to require deployment of an on-premise Umbrella AD connector to facilitate AD integration.
    • Concurrent deployment of the same user/group identities from on-premise AD and Azure AD/Okta is not supported. If you have previously deployed an on-premise AD connector to provision users and groups, and are now looking to provision the same user and group identities from Azure AD/Okta, you mandatorily need to stop the AD connector before turning on the Azure AD/Okta provisioning.
    • There is no limit to the number of users that can be provisioned from Azure AD/Okta. For groups, a maximum of 200 groups can be provisioned from Azure AD/Okta to an Umbrella org. Azure AD supports dynamic groups, so you can create an ‘All Users’ group, and provision this group along with up to 199 other groups on which they want to define Umbrella policy. Okta similarly has a built-in Everyone group, so you can provision this group along with up to 199 other groups on which they want to define policy.
    • AnyConnect SWG does not support a SAML authentication against Azure AD. It relies on the same passive authentication mechanism that is used with the on-premise AD.

    Provisioning Identities

    To provision identities from either of these Identity providers, you can use the instructions documented at the links below:

    Revision History

    Revision Publish Date Comments
    1.0
    02-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products