Zscaler ZDTE Exam Questions

Exam Name: Zscaler Digital Transformation Engineer
Exam Code: ZDTE
Related Certification(s): Zscaler Certifications
Certification Provider: Zscaler
Number of ZDTE practice questions in our database: 60 (updated: Apr. 17, 2026)
Expected ZDTE Exam Topics, as suggested by Zscaler:
  • Topic 1: Zscaler for Users - Engineer Overview: Covers the foundational understanding of Zscaler services from a user perspective and the engineer’s role in managing them.
  • Topic 2: Zscaler Architecture: Focuses on the overall design, components, and deployment models of the Zscaler platform.
  • Topic 3: Identify Services: Explains how user identities are managed and integrated within Zscaler services.
  • Topic 4: Connectivity Services: Covers methods and technologies for connecting users and devices securely to the Zscaler cloud.
  • Topic 5: Platform Services: Details the core platform functionalities that enable security, scalability, and reliability.
  • Topic 6: Access Control Services: Focuses on controlling and enforcing user access to applications and resources.
  • Topic 7: Cyberthreat Protection Services: Covers mechanisms for detecting, preventing, and mitigating cyber threats in real time.
  • Topic 8: Data Protection Services: Explains how sensitive data is secured, monitored, and managed within the platform.
  • Topic 9: Risk Management: Focuses on identifying, assessing, and mitigating risks to users and organizational assets.
  • Topic 10: Zscaler Digital Experience: Covers monitoring and optimizing user experience across applications and network connections.
  • Topic 11: Zscaler Zero Trust Automation: Explains automating security and access policies based on Zero Trust principles.
Discuss Zscaler ZDTE Topics, Questions or Ask Anything Related

George Wright

2 days ago
Honestly, the most confusing part for me in the ZDTE was how Identify Services integrate with Access Control — the scenario-style questions about SAML attribute mapping and policy order really tripped me up. Drawing simple policy flow diagrams before answering helped a lot.

Free Zscaler ZDTE Exam Actual Questions

Note: Premium Questions for ZDTE were last updated on Apr. 17, 2026 (see below)

Question #1

How does Zscaler apply Tenant Restriction policies to cloud applications?

Correct Answer: C

In the ZDTE material under Advanced Access Control Services, Tenant Restrictions (often discussed with "personal vs. corporate" SaaS use) are described as a way to ensure users can only authenticate to sanctioned organization tenants for apps like Microsoft 365, Google Workspace, or other major SaaS platforms.

Zscaler does this by acting as an inline Zero Trust proxy and modifying the authentication flow, not by bluntly blocking all external SaaS access. The docs explain that, for supported SaaS applications, Zscaler injects specific identity or tenant identifiers (for example, the allowed tenant ID or corresponding claim) into the HTTP(S) requests during sign-in. These injected headers or parameters signal to the SaaS provider which tenant is permitted so that logins to personal or unsanctioned tenants can be transparently blocked or challenged while corporate tenant access is allowed.

Because this enforcement is done at the HTTP/S layer using header/parameter insertion tied to identity and policy, users retain seamless access to approved corporate tenants while attempts to use personal or shadow-IT tenants are controlled according to policy, which is exactly what Option C describes.
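The header-insertion step described above, sketched as an added example (not Zscaler's implementation and not code from this page). The header names are the ones Microsoft and Google document publicly for tenant restriction; the function name, policy table, host list and tenant values are constructed placeholders.

```python
# Added illustration of tenant restriction by header insertion at a forward proxy.
# Tenant values are placeholders; the policy table is a constructed sample.
TENANT_POLICY = {
    "login.microsoftonline.com": {
        "Restrict-Access-To-Tenants": "corp.example.com",
        "Restrict-Access-Context": "00000000-0000-0000-0000-000000000000",
    },
    "accounts.google.com": {
        "X-GoogApps-Allowed-Domains": "corp.example.com",
    },
}


def apply_tenant_restriction(host, headers, tls_inspected):
    """Return (headers_to_forward, action) for one sign-in request.

    action is "pass" (host has no policy), "not-enforced" (policy exists but
    the request was not decrypted, so nothing can be inserted), or "injected".
    """
    policy = TENANT_POLICY.get(host.lower().rstrip("."))
    if policy is None:
        return dict(headers), "pass"
    if not tls_inspected:
        # Headers inside an undecrypted TLS tunnel cannot be modified:
        # an inspection bypass for the login host silently disables the control.
        return dict(headers), "not-enforced"
    controlled = {name.lower() for name in policy}
    # Drop any client-supplied copy (case-insensitive) so the endpoint
    # cannot pre-set its own tenant list, then add the policy's values.
    forwarded = {k: v for k, v in headers.items() if k.lower() not in controlled}
    forwarded.update(policy)
    return forwarded, "injected"
```

The "not-enforced" result is the case worth alerting on: it means a login host covered by policy is excluded from inspection.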


Question #2

When making API calls into a Zscaler environment, which component is the administrator communicating with?

Correct Answer: B

Zscaler's multi-tier cloud architecture is separated into distinct planes: the control plane, enforcement plane, and logging plane. The control plane is implemented by the Central Authority and is described in Zscaler architecture material as the "brains" of the platform, responsible for policy definition, administration, orchestration, and the admin UI. Crucially, this same layer also exposes the API interfaces that automation tools and scripts use. In architecture slides, the control plane is explicitly associated with "Admin UI" and "API," showing that all administrative programmability terminates there.

The enforcement plane (Public/Private Service Edges) is focused on inspecting and enforcing policy on user traffic, while the logging plane is dedicated to storing and streaming Nanolog data to SIEM or analytics tools. Neither of these planes provides administrative configuration APIs. Study content for the ZDTE exam reinforces that the API infrastructure enables programmatic access to configure the Zero Trust Exchange and is part of the central management layer, not the traffic or logging tiers.

Therefore, when an administrator makes API calls, they are communicating with the Control Plane.


Question #3

What is the default classification for a newly discovered application in the App Inventory in the Third-Party App Governance Admin Portal?

Correct Answer: D

In Zscaler 3rd-Party App Governance documentation, the App Inventory is where administrators view and manage all discovered third-party apps, add-ons, and extensions. The "Classifying Apps" help article defines the available states: Unclassified, Sanctioned, Reviewing, and Unsanctioned. Crucially, it notes that Unclassified is the default state for any new application before an administrator evaluates it.

"Sanctioned" is used once the organization has explicitly approved an app for use; "Unsanctioned" is used when an app is not allowed; and "Reviewing" indicates it is under investigation. Those labels are the result of governance decisions applied after discovery.

ZDTE study materials on SaaS and app governance mirror this behavior: newly discovered apps enter the inventory without an explicit decision, allowing security teams to triage risk, review permissions, and only then mark them as sanctioned or unsanctioned. Because the default state for a new entry is explicitly documented as Unclassified, the correct answer is D. Unclassified.


Question #4

What happens if a provisioning key is deleted in ZPA?

Correct Answer: A

In Zscaler Private Access, a provisioning key is a unique text string generated for an App Connector (or Private Service Edge) group and is used during enrollment to bind that connector to the correct group and PKI trust chain. The Zscaler Digital Transformation training material emphasizes that the provisioning key acts as the "identity anchor" for connectors in that group: it's what the ZPA cloud uses to authenticate the connector at enrollment and associate it to the right configuration and policy context.

When that key is deleted, ZPA effectively invalidates the trust relationship for any connectors that were enrolled with it. In practice, these connectors are treated as revoked and must be removed and re-enrolled using a new provisioning key to restore a healthy, supportable state. The key is not archived for later reuse, and it does not automatically regenerate. Deletion is intentionally destructive so that, if a key is lost or suspected to be compromised, an administrator can immediately ensure that all connectors tied to that key are no longer trusted and must be re-provisioned, which aligns with zero trust and least-privilege principles.



Question #5

For App Connectors, why shouldn't the customer pre-configure memory and CPU resources to accommodate a higher bandwidth capacity, like 1 Gbps or more?

Correct Answer: D

In ZPA, App Connectors are designed to be lightweight, horizontally scalable components. Their effective throughput and concurrent-connection capacity are often constrained more by network stack limitations (such as ephemeral port exhaustion and per-process file descriptor limits) than by raw CPU or memory. As a result, simply over-provisioning vCPUs and RAM to "hit" a target like 1 Gbps on a single connector usually does not provide linear performance gains.

Zscaler design guidance emphasizes deploying multiple App Connectors and allowing ZPA to intelligently load-balance traffic across them. This delivers resiliency and scales capacity while staying within realistic limits of TCP/UDP ports and OS-level descriptors. Over-scaling a single connector can lead to diminishing returns and may even create harder-to-diagnose issues when port ranges or file descriptors are saturated.

Storage is not the main factor in App Connector performance, and the platform does not recommend a "just throw more resources at it" approach. For these reasons, the correct answer is that port exhaustion and file descriptors, rather than memory or CPU, are typically the true limiting factors for App Connectors.
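The two limits named in this answer can be measured on any Linux host that proxies connections. The following is an added example, not Zscaler tooling: function names, the 80% warning threshold and the sample connection lists are constructed, and the port range string uses the format of `/proc/sys/net/ipv4/ip_local_port_range`.

```python
# Added illustration: find which limit a proxying host hits first.
from collections import Counter


def ephemeral_ports(port_range_text):
    """Number of source ports in a 'low<whitespace>high' range string."""
    low, high = map(int, port_range_text.split())
    return high - low + 1


def connector_headroom(conns, port_range_text, nofile_limit, warn_ratio=0.8):
    """Flag limits that are at or above warn_ratio of their ceiling.

    conns: iterable of (local_ip, remote_ip, remote_port), one per outbound
    TCP socket. Source ports must be unique per such tuple, so each tuple
    has its own ceiling equal to the ephemeral range size. Every socket
    also costs one file descriptor against the per-process limit.
    Returns a list of (limit_kind, subject, in_use, ceiling).
    """
    ports = ephemeral_ports(port_range_text)
    per_dest = Counter(conns)
    findings = []
    for (local_ip, remote_ip, remote_port), in_use in sorted(per_dest.items()):
        if in_use >= warn_ratio * ports:
            subject = f"{local_ip}->{remote_ip}:{remote_port}"
            findings.append(("ports", subject, in_use, ports))
    total = sum(per_dest.values())
    if total >= warn_ratio * nofile_limit:
        findings.append(("fds", "process", total, nofile_limit))
    return findings


# Constructed samples. Default Linux range 32768-60999 gives 28232 ports.
DEFAULT_RANGE = "32768\t60999"
# One busy application server: the port ceiling is reached long before CPU.
HOT_DEST = [("10.0.0.2", "10.0.0.5", 443)] * 25000 + [("10.0.0.2", "10.0.0.6", 22)] * 100
# Many destinations but a low descriptor limit: file descriptors run out first.
SPREAD = [("10.0.0.2", f"10.0.1.{i}", 443) for i in range(9) for _ in range(100)]
```

Neither finding changes when vCPUs or RAM are added to the host, which is why the guidance above is to add connectors instead.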
