Service Principal Accounts Management

Important
If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management, which covers Management Groups, Subscriptions, Resource Groups and Role Assignment, or Service Principal Accounts Management), you must have an IdentityIQ Cloud Governance license. If you already have a Cloud Access Management (CAM) license, no additional license purchase is required. Contact your SailPoint Customer Success Manager to request access and for more information.

To access resources that are secured by a Microsoft Entra ID tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user or application in the Microsoft Entra ID tenant.

With this feature, the connector supports managing such service principals of enterprise applications as accounts.

Note
To gauge the probability of compromised service principal (workload identity) accounts in your environment, refer to Risky Service Principal Alert Feature for more information.

Supported Operations

The following operations are supported for the Azure Service Principal:

Operation: Supported for Service Principal

Aggregation: Yes
Partitioning Aggregation: Yes
Get Account: Yes
Create: Yes
Update Basic and Non-Basic (Certificates and Secrets, Owners, etc.) Attributes: Yes
Delete: Yes
Enable and Disable Users: Yes
Add and Remove Entitlements: Yes

  • Add and Remove Roles

  • Add and Remove User's Group Membership

  • Add and Remove Application Role Memberships (appRoleAssignments)

  • Add and Remove PIM Role Memberships (azureActiveRoles and AzureADActiveRoles)

  • Add and Remove RBAC Role Memberships (azureRoleAssignments)

    Note
    For more details and the required prerequisites, refer to Azure Cloud Object Management.

  • Add and Remove Admin Consented Delegated Permissions (spn_adminConsentedPermissions)

  • Remove User Consented Delegated Permissions (spn_userConsentedPermissions)

Administrator Permissions

Purpose: Permissions

Aggregation of Service Principals: Application.Read.All
Create and Update Service Principals: Application.ReadWrite.All
Add and Remove Owners: Application.ReadWrite.OwnedBy
Add and Remove Application Roles for Service Principals: AppRoleAssignment.ReadWrite.All
Aggregation of Application Roles: Application.Read.All
Aggregation and Add/Remove Microsoft Entra ID Group and Roles for Service Principals: refer to Required Permissions.
Aggregation and Add/Remove RBAC Roles for Service Principals: refer to Group Attributes for Azure Cloud Objects.
Aggregation and Add/Remove PIM Azure Active and Microsoft Entra ID Roles for Service Principals: refer to Azure Privileged Identity Management (PIM).
Aggregation of Admin/User Consented Permissions for Service Principals: DelegatedPermissionGrant.Read.All
Add/Remove Admin Consented Delegated Permissions for Service Principals: DelegatedPermissionGrant.ReadWrite.All
Remove User Consented Delegated Permissions for Service Principals: DelegatedPermissionGrant.ReadWrite.All
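The permissions above are the minimum the connector's own service principal needs for each operation; granting more (for example a broad directory-write permission) widens the blast radius if the connector credential is compromised. The following is an added example, not SailPoint connector code: a least-privilege check that resolves the appRoleAssignments granted to the connector's service principal against the Microsoft Graph resource service principal's appRoles (the shape Graph returns for both) and reports what is missing and what exceeds the operations you actually enable. All GUIDs and the sample assignments are constructed; the row names in REQUIRED are placeholders chosen for this example.

```python
# Least-privilege check for the connector's Graph application permissions
# (added example, not SailPoint connector code). Input shapes mirror Microsoft
# Graph: appRoleAssignments (each carries an appRoleId) and the Graph resource
# service principal's appRoles (id -> permission value). All GUIDs are constructed.

# Permissions the page lists per operation (rows that say "Refer to ..." omitted).
REQUIRED = {
    "aggregate_service_principals": {"Application.Read.All"},
    "create_update_service_principals": {"Application.ReadWrite.All"},
    "manage_owners": {"Application.ReadWrite.OwnedBy"},
    "manage_app_roles": {"AppRoleAssignment.ReadWrite.All"},
    "aggregate_app_roles": {"Application.Read.All"},
    "aggregate_consented_permissions": {"DelegatedPermissionGrant.Read.All"},
    "manage_admin_consented_permissions": {"DelegatedPermissionGrant.ReadWrite.All"},
    "remove_user_consented_permissions": {"DelegatedPermissionGrant.ReadWrite.All"},
}

# Constructed sample: appRoles published by the Microsoft Graph resource service principal.
GRAPH_APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Application.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "Application.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000003", "value": "AppRoleAssignment.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000004", "value": "Directory.ReadWrite.All"},
    {"id": "11111111-0000-0000-0000-000000000005", "value": "DelegatedPermissionGrant.Read.All"},
]

# Constructed sample: appRoleAssignments currently granted to the connector's service principal.
CONNECTOR_ASSIGNMENTS = [
    {"appRoleId": "11111111-0000-0000-0000-000000000001"},
    {"appRoleId": "11111111-0000-0000-0000-000000000004"},
    {"appRoleId": "11111111-0000-0000-0000-000000000005"},
]

def granted_permissions(assignments, app_roles):
    """Resolve each assignment's appRoleId to the permission name it grants."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return {by_id[a["appRoleId"]] for a in assignments if a["appRoleId"] in by_id}

def audit(enabled_operations, assignments, app_roles):
    """Return (missing, excess): permissions the enabled operations need but lack,
    and granted permissions that no enabled operation on this page requires."""
    needed = set().union(*(REQUIRED[op] for op in enabled_operations))
    granted = granted_permissions(assignments, app_roles)
    return needed - granted, granted - needed

if __name__ == "__main__":
    ops = ["aggregate_service_principals", "manage_app_roles", "aggregate_consented_permissions"]
    missing, excess = audit(ops, CONNECTOR_ASSIGNMENTS, GRAPH_APP_ROLES)
    print("missing:", sorted(missing))  # ['AppRoleAssignment.ReadWrite.All']
    print("excess:", sorted(excess))    # ['Directory.ReadWrite.All']
```

To run it against a real tenant, replace the two constructed lists with the connector service principal's appRoleAssignments and the Microsoft Graph service principal's appRoles as returned by Graph; anything reported as excess is a candidate for removal.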

Supported Schema Attributes

To aggregate service principal-related information for the user during account aggregation, ensure that the service principal attributes are present in the account schema. For more information, refer to Service Principal as Accounts Attributes.

Supported Provisioning Attributes

To provision service principal-related information, ensure that the attributes listed in Create Policy for Service Principal are present in your provisioning policy.

Deleting Service Principal

For more information on deleting the service principal while retaining the corresponding application, refer to Additional Configuration Parameters.

Managing Admin Consented Permissions

For more information on enabling the flag to manage admin consented permissions for service principals, refer to Additional Configuration Parameters.

Note
This flag applies to delegated permissions.