A guide for diocese administrators transitioning from legacy Zscaler admin portals (admin.zscalerone.net) to the unified Experience centre console.
In the coming weeks CEnet will reach out to each diocese to migrate all diocese zscaler administrators to the new ZSlogin / ZIdentity service. This introduces MFA to the administrator login flow. Diocese admins will still use the same Authenticator app they currently use and are used to.
Only accounts that are in IDP will be migrated.
Local accounts with credentials stored in the zscaler portal will not be migrated.
During the process a "break glass" account is created that CEnet will maintain.
In the event that diocese administrators find they do not have the access they expected, CEnet can grant extra permissions using this account.(This will require a support ticket to CEnet.)
Zscaler is replacing its multiple product-specific administration portals — including admin.zscalerone.net (ZIA), admin.private.zscaler.com (ZPA), and separate ZDX portals — with a single unified console called the Zscaler Experience centre, accessible at console.zscaler.com.
This is not simply a cosmetic rebrand. The Experience centre represents a fundamental architectural shift in how Zscaler delivers its administrative experience — consolidating siloed product portals into one integrated platform with a shared identity layer.
Previously, diocese administrators managing Zscaler services needed to work across multiple disconnected portals. A diocese administrator responsible for both internet security (ZIA) and private access (ZPA) would regularly switch between admin.zscalerone.net and admin.private.zscaler.com, each with separate login credentials, separate dashboards, and separate policy frameworks. ZDX (Digital Experience Monitoring) was yet another separate interface.
As well as enabling a more seciure MFA process for diocese administratos, the Experience centre unifies administrative workflows for ZIA, ZPA, ZDX, Zero Trust Branch, and more into a single hub — reducing context-switching and providing cross-product analytics that were impossible with siloed portals.
Zscaler has published a phased timeline for the migration.
Zscaler introduced the Experience centre as a unified console, initially covering ZIA, ZPA, ZDX, and Client Connector management. Available to all customers to explore.
Experience centre expanded to include Zero Trust Branch, Zero Trust Cloud, and IoT/OT segmentation capabilities — becoming the true unified SASE console.
CEnet will contact each diocese seperately in the coming weeks to organise the migration. Both old and new portals remain accessible during this period.
All legacy Zscaler administrative UIs (admin.zscalerone.net, admin.private.zscaler.com, etc.) will be officially deprecated and shut down.
The most significant change is the shift from a fragmented, product-per-portal model to a single unified console with a shared identity layer.
The table below summarises the key differences administrators will encounter when moving from the legacy portals to the Experience centre.
| Feature / Aspect | Legacy Portals (admin.zscalerone.net) | Experience centre (console.zscaler.com) |
|---|---|---|
| Access URL | admin.zscalerone.net, admin.private.zscaler.com, ZDX portal (separate) | console.zscaler.com (single URL for all products) |
| Login Method | Product-specific credentials per portal; separate logins required for ZIA, ZPA, and ZDX | Single sign-on via ZIdentity; integrates with your enterprise IdP (Okta, Entra ID, Ping); MFA enforced by default |
| Product Scope | One portal per product. Switching products requires navigating to a different URL | All products managed from one console: ZIA, ZPA, ZDX, Zero Trust Branch, Risk360, and more |
| Dashboard / Analytics | Product-isolated dashboards; no cross-product unified view | Unified analytics across internet/SaaS, private access, and digital experience; consolidated traffic, threats, and user views |
| Policy Management | Separate policy frameworks per product; internet and private access policies managed independently | Common policy framework across access controls, cybersecurity, data protection, and digital experience management |
| Admin Role Management | Roles and entitlements managed separately in each product portal | Centralised entitlement management via ZIdentity; SCIM-based auto-provisioning from your IdP; unified RBAC |
| Location Management | Managed separately per product; no single view of all locations | Unified Locations: manage branches, cloud connectors, IPSec/GRE tunnels from a single workflow |
| Future Feature Access | No new features from April 2026; fully deprecated September 2026 | All new Zscaler features and innovations exclusively released here from April 2026 onwards |
| MFA Requirement | Optional / product-specific | MFA enforced by default via ZIdentity |
One of the most significant changes administrators will notice is the new login experience powered by ZIdentity — Zscaler's centralised identity service (formerly known as ZSLogin).
How your organisation migrates to ZIdentity depends on your current identity provider configuration:
CEnet has already implemeted a staging environment for all diocese. In the coming weeks CEnet will reach out to your teams to orgnise the full migration. Only accounts currently in IdP will be provisioned. Local Admin accounts will cease to function.
Once migrated, MFA is on by default and diocese portal administrators will be prompted to enroll for MFA.
The Experience centre is not just a consolidated interface — it introduces capabilities that were not possible with the siloed legacy portals. These features are only available in the Experience centre.
A single consolidated view across internet/SaaS traffic, private access, and digital experience. See users, cyber threats, data protection events, and network health in one place without switching portals.
Interactive context based assistance within the console to guide administrators through complex configuration tasks, policy recommendations.
Manage all locations — branches, cloud edges, data centres, OT/IoT factories, SD-WAN sites — from a single workflow. No more toggling between interfaces for site-by-site administration.
Require additional authentication challenges before sensitive administrative operations, reducing the blast radius of a compromised admin session without impacting day-to-day workflows.
✅ - MFA will be enabled for Portal administrators.
Upon first login to the new console / experience centre, administrators will be requested to enrol in MFA using your preferred Authenticator app.
Your existing Zscaler configuration — policies, rules, users, locations, app segments — will carry over to the Experience Centre. You are not reconfiguring Zscaler from scratch. What changes is how you access and manage that configuration.
All existing ZIA policies, ZPA application segments, forwarding profiles, user/group configurations, and location settings migrate automatically. The Experience Centre is a new interface to the same underlying platform.
The navigation structure in the Experience Centre is reorganised around outcomes and use cases rather than individual products. Administrators who are accustomed to the ZIA or ZPA portal menu structure will find their settings in different menu locations. Here is a brief guide to the major navigation changes:
| Task | Legacy Portal Location | Experience Centre Location |
|---|---|---|
| URL Filtering Policies | ZIA Portal → Policy → URL & Cloud App Control | Internet & SaaS → Cyberthreat Protection → URL Filtering |
| Firewall Rules | ZIA Portal → Policy → Firewall Control | Internet & SaaS → Firewall |
| DLP Policies | ZIA Portal → Policy → DLP | Data Security → Web & Email DLP |
| App Segment Management | ZPA Portal → Applications | Private Access → Application Segments |
| Access Policies (ZPA) | ZPA Portal → Policy → Access Policy | Private Access → Policies → Access Policies |
| ZPA App Connectors | ZPA Portal → Infrastructure → App Connectors | Private Access → Infrastructure → App Connectors |
| Digital Experience Monitoring | Separate ZDX portal | Digital Experience → Dashboard / Apps / Devices |
| Locations | ZIA Portal → Administration → Locations | Infrastructure → Locations (unified view) |
| Admin Management | ZIA Portal → Administration → Administrators | Administration → ZIdentity → Admin Accounts |
| Activity Logs | ZIA Portal → Analytics → Web Insights | Analytics → Logs (unified across ZIA & ZPA) |
Any browser bookmarks or documentation referencing admin.zscalerone.net, admin.private.zscaler.com, or other legacy portal URLs will need to be updated to console.zscaler.com. Deep-link URLs to specific settings pages will also change. Plan to update any internal documentation that contain legacy portal URLs.
CEnet is handling the migration. Contact will be made with each diocese in the coming weeks.
CEnet has already created staging areas for the current diocse Zscaler admins - If you currently use local admins that are not part of IdP this can be discussed when your portal is prepared for migration.
As mentioned, local (portal defined) admins will not come across in the migration, only IDP based credentials will be migrated.
Navigate to console.zscaler.com and explore the new interface. The Experience centre is available now and your existing configuration is visible within it.
Your first point of contact.
Call the CEnet service desk or log a ticket.
Comprehensive technical documentation at help.zscaler.com, including dedicated sections for the Experience centre, ZIdentity migration guides, and the new unified admin documentation.
Free and paid training courses on the Experience centre and ZIdentity administration, including hands-on labs in a live Zscaler environment.
Zscaler's dedicated migration landing page at provides step-by-step migration instructions and resources specifically for the ZIdentity transition.
New Admin Console:https://console.zscaler.com
Help Portal: https://help.zscaler.com
ZIdentity Docs: https://help.zscaler.com/zidentity
Migration Guide: https://info.zscaler.com/begin-your-zidentity-migration