Configuration Parameters

Authentication method supported by the managed system. Default is OAuth 2.0.

Grant type to be used for the authentication.

SAML Bearer Assertion.

JWT Certificate Credentials.

Client ID of the application created on the Microsoft Entra ID for using Graph REST API.

Client secret of the Microsoft Entra ID application.

Name of the Microsoft Entra ID domain to be managed. For example, contoso.onmicrosoft.com.

When enabled, the connector leverages the Microsoft Entra ID real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for an Enterprise Application (Service Principal).

Endpoint URL of authorization server.

Username for authorization.

Password of the user for authorization.

Request body for SAML assertion.

Enter valid refresh token.

The unique alpha-numeric value of certificate used to sign the JWT assertion.

Private Key text used for encrypting the JWT assertion.

Password for decrypting private key.

Enables Aggregation and Provisioning of Exchange mailbox attributes.

FQDN/IP of the system where IQService is installed.

The TCP/IP port on which IQService is listening for requests.

If you enable Use TLS, configure the corresponding IQService TLS port.

Note
To enable exchange online mailbox management, you must configure the IQService Host and IQService Port parameters.

User registered with IQService for Client Authentication.

Password of registered user for Client Authentication.

Indicates whether this is a TLS communication between IdentityIQ and IQService.

If you enable Use TLS for IQService, IQService User, and IQService Password attributes are mandatory

Enables aggregation and provisioning of Office 365 groups. This exposes the Enable Microsoft Teams Governance checkbox.

This is only available if Manage Microsoft Office 365 Groups is selected. Select this option to checkbox to enable aggregation and provisioning of channels.

This field is only available when Enable Microsoft Teams Governance is selected. Enter any filter statements to define the scope for channels. For example if you want to add standard channels and private channels the filter would be, membershipType eq 'standard' or membershipType eq 'private'

Enables IdentityIQ notifications within Microsoft Teams. Note that this option must be checked in order for the next fields to appear.

Note
For more information, refer to the IdentityIQ Microsoft Teams Notifications.

The private URL of the Microsoft Teams bot, including the port and endpoint, in the format http://server:port/appidwithnodashes/api/notify, where appidwithnodashes is your own application's Microsoft App ID. This ID was also used when you set up the Messaging endpoint in the Azure bot.

In the IdentityIQ Microsoft Teams Notifications guide, note that the step in Creating an Azure Bot for IdentityIQ's Microsoft Teams Notifications that include this Messaging endpoint references the public server; in this field in IdentityIQ, be sure to use server and port details for the private server.

The Microsoft Entra ID tenant ID that is used for your Microsoft Teams application.

The client secret you generated when creating the Microsoft Teams application. In the IdentityIQ Microsoft Teams Notifications guide, refer to Creating a Microsoft Teams Application for IdentityIQ in Azure for details.

Enables Privileged Identity Management to manage the lifecycle of role assignments.

Indicates whether application is used to manage B2C tenant.

Enable if the application manages access packages. For more information, refer to Access Package Management.

Enable to manage access packages hidden from end users on the My Access portal. For more information, refer to Access Package Management.

Number of records per page. Default: 500.

Filter that defines the scoping condition for Accounts to be applied during account aggregation to limit set of data. The Microsoft Entra ID connector supports advanced query filters like endsWith, NOT, and NE during aggregation. For example,

(startswith(displayName,'A')and
accountEnabled eq true)"/>

Select Advanced User Filter to include advanced filter queries such as endsWith, NOT, and NE during aggregation processes.

Filter that defines the scoping condition for Groups to be applied during account-group aggregation to limit set of data.

The following is an example for the groupFilters configuration attribute:

<entry key="groupFilters" value="(startswith(displayName,'A') or
startswith(displayName,'B'))"/>

Note
For more information on filters, refer to the Supported query options section of the Azure AD Graph API Concepts document.

Note
The Azure API does not support advanced query filters (NOT, ENDSWITH, and NE) with the expanded manager attribute in the URL. Remove the manager attribute from the account schema and remove the owners attribute from the groups schema while using the advanced filters.

Select Advanced Group Filter to include advanced filter queries such as endsWith, NOT, and NE during aggregation processes.

Filter that defines the scope of the group memberships included in account aggregation. These filters apply during the account aggregation and are only applicable to memberships belonging to objectType = group. These are only applicable to the Security, Office 365, Mail Enabled Security, and Distributed type of group memberships. For more information on filters, refer to the Microsoft documentation.

Note
You can provide filters as mentioned in the examples below, and the connector ensures the formation of an appropriate advanced filter query. This field supports advanced filter queries such as endsWith, NOT, and NE.

For example,

• To aggregate only group memberships with group display name starting with 'A', use startswith(displayName,'A').

• To aggregate only group memberships with groups not belonging to on-premises AD (or to only include cloud group memberships), use onPremisesSyncEnabled ne true.

• To exclude dynamic group memberships during account aggregation , use NOT groupTypes/any(c:c eq 'DynamicMembership')

Important
SailPoint recommends excluding membership information is not a best practice from a governance and security standpoint. You should have full visibility into users and devices, including their groups, assigned permissions, and how these configurations impact access to resources. The group membership filter should be used carefully and only when necessary, ensuring that access is managed and only the right individuals have access to sensitive information or resources.

When entitlement schema "roles" is present in the connector, set the Directory Roles Filter to ensure only specified roles are aggregated during an entitlement aggregation. For example, isBuiltIn eq true. For more information on filtering conditions and values, refer to the Microsoft documentation.

You can also set this attribute using the application Debug page:

<entry key ="directoryRolesFilter" value ="isBuiltIn eq true" />

UserPrincipalName of User having Exchange Administrator role.

Password of user having Exchange Administrator Role.

Select the Mail Contact Governance checkbox to manage mail contacts as accounts. For more information, refer to Azure Mail Contact Management.

In the Mail Contact Filter field, enter any filter statements used to define the scope of mail contacts for aggregation. For example, startswith(displayName,'MailContact1')