Integrating SailPoint with Microsoft Entra SSO
Revised Date: 28 April 2026
Microsoft Entra Single Sign-On (MS Entra SSO) is a part of Microsoft Entra ID (formerly Azure Active Directory). It allows users to access multiple applications with one set of credentials, improving security and user experience.
The SailPoint MS Entra SSO discovery connector provides comprehensive application discovery within Microsoft Entra ID. It facilitates the aggregation of application details, application users, and user activity.
It's important to note that these discovery connectors are specifically for identifying and collecting information about applications, users, and their activities, and are managed separately from Identity Governance and Administration (IGA) sources. They are not intended for governance purposes.
Supported Features
The SailPoint MS Entra SSO connector supports the following features:
- Test Connection
Prerequisites
Before proceeding with the integration, ensure the following prerequisites are met:
- A registered client application in the Azure portal
  This application should be registered as a Web application or Web API to utilize the Microsoft Graph API. This registered application will call the Graph API on behalf of the connector. During configuration, you will need the Client ID and Client Secret generated for this application. For more information, refer to Steps to register an application on Azure portal.
- Completed Cloud management prerequisites and requirements. For more information, refer to Azure Cloud Object Management.
- Base URL or domain of the application that is integrated with MS Entra SSO for authentication. For more information, refer to Microsoft Graph Dev Center | APIs and app development.
Note
If you are using Base URL as https://login.microsoftonline.com, refer to Configuring Azure Government Endpoints for more information.
To register an application on Azure portal, perform the following:
- Select either of these Azure management portals to do the configuration:
  Microsoft Azure
  Or
  Microsoft Entra admin center
- Select Microsoft Entra in the left pane.
- Select App registrations.
- Select New registration.
- On the Register an application page, in the Name field, enter the name of the application that you want to set up. For example, SailPointAzureADManagement.
- In the Supported account types, set up accounts based on users that are able to use that application or the API.
- (Optional) Set up the URL in Redirect URL, to have the successful response after authentication. You can use the following format:
  http://domainName/GraphWebapp
  Note
  The URL provided is for placeholder purposes only. It is not utilized by the MS Entra SSO discovery connector and does not affect system behavior.
- Select Register. An application is created. On the Application page, the Application (client) ID and other details are displayed. Note down this Application ID.
- On the left-hand panel, select Certificates & secrets. On the Certificates & secrets page, in the Client secrets section, select New Client Secret.
- On the Add a client secret page, enter the Description to generate a secret, and choose the validity duration in the Expires list. Select Add. Save the secret value you just created.
To grant permissions to the client application in the Microsoft Entra console:
- Select API permissions in the Microsoft Entra console.
- Select Add a permission.
- On the Request API permissions page, you will see a list of supported APIs. Select Microsoft Graph API.
- Select Application permissions under What type of permissions does your application require?
- Under Select permissions, choose permissions mentioned in the following permission table. Select Add permissions.
- In Grant consent, select Grant admin consent for your configuration and directory. On the pop-up dialog box, select Yes.
Required Permissions
The following table lists the required granular-level application permissions:
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Test Connection |
| Application.Read.All | Application | Aggregation of applications |
Note
Use Azure portal to assign administrative roles. For more information, refer to Assign Microsoft Entra Roles to Users.
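A check an administrator could run after granting consent, added here as an example and not part of SailPoint's documentation or connector code: it reads the `roles` claim of an app-only access token issued to the registered application and compares it with the Required Permissions table above. The sample tokens are constructed, `Directory.ReadWrite.All` stands in for any permission granted beyond the table, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

# Application permissions listed in the Required Permissions table.
REQUIRED_ROLES = {"User.Read.All", "Application.Read.All"}


def decode_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str) -> dict:
    """Compare the app-only token's 'roles' claim with the required set."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))  # absent when no app permission is consented
    return {
        "missing": sorted(REQUIRED_ROLES - granted),  # connector features will fail
        "excess": sorted(granted - REQUIRED_ROLES),   # more privilege than the table needs
        "delegated": "scp" in claims,                 # scp marks a user-delegated token
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "placeholder-signature"])


if __name__ == "__main__":
    samples = {  # constructed role sets
        "as documented": ["User.Read.All", "Application.Read.All"],
        "over-privileged": ["User.Read.All", "Application.Read.All", "Directory.ReadWrite.All"],
        "consent incomplete": ["User.Read.All"],
    }
    for label, roles in samples.items():
        token = constructed_token({"aud": "https://graph.microsoft.com", "roles": roles})
        print(label, audit_roles(token))
```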