Required Permissions

Important

If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management , such as, Management Groups, Subscriptions, Resource Groups and Role Assignment or Service Principal Accounts Management), you must have IdentityIQ Cloud Governance license. If you already have a Cloud Access Management (CAM) license, no additional license purchase is required. Contact your SailPoint Customer Success Manager to request access and for more information.

Note
This list of permissions includes the most commonly used features from the connector, however there may be custom permissions and roles required for certain specific features. Ensure to read the details for each feature in the Supported Features section.

The following permissions must be granted to the client application created in Azure:

  • Read Directory Data

  • Read and Write Directory Data

To grant permissions to the client application:

  1. Select API permissions in the Microsoft Entra ID console.

  2. Select Add a permission.

  3. On the Request API permissions page, you will see a list of supported APIs. Select Microsoft Graph API.

  4. Select Application permissions under What type of permissions does your application require?

  5. Under Select permissions, choose permissions mentioned in the following permission table. Select Add permissions.

  6. In Grant consent, select Grant admin consent for your configuration and directory. On the pop-up dialog box, select Yes.

Granular Level Application Permission

 

Permission

Type

Purpose

User.Invite.All

Application

Creating / Inviting B2B User

User.Read.All

Application

Account Aggregation, Account Delta, Get Object, Roles and Groups Membership Aggregation

User.ReadWrite.All

Application

Create User, Update User Properties (Non Entitlement), Add / Remove License Pack and Plan, Enable/ Disable User Account, Delete User

Organization.Read.All

Application

Aggregate License Pack and Plan Details of tenant

RoleManagement.ReadWrite.Directory

Application

Add / Remove Directory Roles

User.Read

Application

Pass-through Authentication

Group.Read.All

Application

Group Aggregation

Group.ReadWrite.All

Application

Create Group, Update Group, Delete Group

Application.Read.All

Application

Service Principal Aggregation

AppRoleAssignment.ReadWrite.All

Application

Add / Remove users from Service Principal

RoleManagement.ReadWrite.Directory

Application

Role provisioning (if defined as Entitlement object)

RoleManagement.Read.Directory

Application

Role Aggregation (if defined as Entitlement object)

Applicable for SAML Bearer Assertion, Refresh Token / AuthCode and JWT Certificate Credentials Grant Types

Directory.AccessAsUser.All

Delegated

Change Password, Delete User

Applicable for Access Packages Management

EntitlementManagement.ReadWrite.All

Application

Add / Remove Access Packages

EntitlementManagement.Read.All

Application

Access Package Aggregation

Applicable for Multi-Factor Authentication Management

UserAuthenticationMethod.Read.All

Application

MFA Related User Information Aggregation

UserAuthenticationMethod.ReadWrite.All

Application

Add / Update / Remove MFA Related User Information

To perform Set Password and Delete user operations, an application created on Azure must have the User Administrator role.

To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role.

Use the Azure portal to assign the previously mentioned administrative roles. For more information, refer to Assign Microsoft Entra Roles to Users.