The Domain Joined posture element in ZPA evaluates whether a device belongs to a specific Active

Directory domain. ZPA performs this evaluation using the device’s local posture signals, either

through the Zscaler Client Connector posture engine or through the browser-based posture

evaluation framework used in ZPA Browser Access. When a user connects via Browser Access, ZPA

can still determine domain membership by inspecting the allowed browser posture attributes

provided by the endpoint, enabling device-based Zero Trust controls without requiring a full Client

Connector installation.

Linux endpoints do not support domain-joined posture verification, making option A incorrect.

Domain join validation is performed at the device level, not through the Identity Provider, because

IdPs validate users, not device domain status, eliminating option D. ZPA’s posture configuration

allows you to define multiple domains within a single posture profile, so creating a second posture

profile is unnecessary, making option C incorrect.

Therefore, the correct statement is that ZPA Browser Access can determine whether the device is

joined to the specified domain, which aligns with the expected behavior of the domain-joined

posture element.