Need specific group of users to use NPA features only and AZURE AD.

  • 18 September 2023
  • 1 reply

Badge +8

Hi team,


I have a query regarding the NPA the customer wants to segerate the group of user traffic should be steer in NPA. Like they only want the specific group of users. use NPA services I checked the same in steering configuration option i didnt get it please let us know if we can acheive this use cases kindly find the below questions from client end. Also please let me know what limitations we get in Azure AD license. Like what netskope suggest to purchase the license so we can configure SAML SSO.


1.In AD, do we need create a separate security group for SWG,CASB and add few user in the group and test for couple weeks.

2.In AD ,do we need a separate security group for NPA and add few users in the group who will access



1 reply

Badge +8

Netskope steering configurations were designed for this exact purpose.  If you only want to steer NPA traffic for a subset of users, create a new steering configuration and assign that to a new AD group, something like "NPA Users".  Make sure that new steering configuration is above the default tenant group and any other non-NPA steering group which those users might be a member of.  Steering configuration assignment happens from top down, so the user will be put in the config it matches first.  To me, it sounds like you want to both groups to have the same SWG experience.  I'd clone the configuration you're currently using for the new NPA config.  That way all users will have a similar SWG experience but only users in the "NPA users" group will have NPA.  We have a similar design, below is what we did. 

  • Steering Configs:
    • NPA Users - Assigned to "NPA Users" AD Group.
      • This group was a copy of the default tenant group.  So it has all of the same exceptions and steering options. 
      • Options Set
        • Steering all traffic - we also use CFW
        • Steer private apps
    • Default Tenant - Assigned to All users, steers only web traffic, no private apps.


As for the SSO question, I think that's something that you would want to ask your Idp.  Netskope Supports SAML SSO as you've stated, you want to make sure your users are licensed for that within their IDP platform.