User-Assigned Managed Identities Management

Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. These identities can be used to authenticate to any Azure service that supports Microsoft Entra ID authentication, without storing credentials in code. SailPoint supports managing only user-assigned managed identities, as they have an independent lifecycle.

The following operations are supported for user-assigned managed identity objects:

  • Aggregation of user-assigned managed identities in account aggregation.

  • Aggregation of assigned Microsoft Entra ID groups as an entitlement during account aggregation, and add or remove Microsoft Entra ID groups to or from managed identities.

  • Aggregation of assigned PIM roles (only Azure Active Roles) as an entitlement during account aggregation, and add or remove PIM roles (only Azure Active Roles) to or from managed identities.

  • Aggregation of assigned Azure Role Assignments (RBAC) as an entitlement during account aggregation, and add or remove Azure Role Assignments (RBAC) to or from managed identities.

    Note
    If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management, such as Management Groups, Subscriptions, Resource Groups and Role Assignment, or Service Principal Accounts Management), you must have an IdentityIQ Cloud Governance license. If you already have a Cloud Access Management (CAM) license, no additional license purchase is required. Contact your SailPoint Customer Success Manager to request access and for more information.

Administrator Permissions

| Purpose | Permissions |
|---|---|
| Aggregation and Assignment of Managed Identities | Role: Managed Identity Operator, OR Permission: Microsoft.ManagedIdentity/userAssignedIdentities/*/read. Scope: Tenant Root Group (to fetch from all subscriptions). |
| Aggregation and Add/Remove Microsoft Entra ID Groups for Managed Identities | Refer to Required Permissions. |
| Aggregation and Add/Remove RBAC Roles for Managed Identities | Refer to Group Management for Azure Cloud Objects. |
| Aggregation and Add/Remove PIM Azure Active Roles for Managed Identities | Refer to Azure Privileged Identity Management (PIM). |
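The first table row offers a choice between the built-in Managed Identity Operator role and the single read permission. The following Azure CLI script is an added example, not SailPoint's or Microsoft's own code: it builds a custom role that carries only Microsoft.ManagedIdentity/userAssignedIdentities/*/read, checks that the definition stays read-only, and assigns it to the IdentityIQ application's service principal at Tenant Root Group scope so aggregation reaches every subscription. The role name, the SP_OBJECT_ID placeholder, the APPLY guard and the read-only self-check are assumptions of this example; the connector itself requires none of them.

```shell
#!/usr/bin/env sh
# Added example (not SailPoint's code): least-privilege alternative to the
# Managed Identity Operator role for IdentityIQ aggregation of user-assigned
# managed identities.
# Assumptions: the Azure CLI ("az") is installed and logged in as an administrator
# who may create role definitions and assignments at management-group scope;
# SP_OBJECT_ID is the object id of the service principal the IdentityIQ Azure
# application authenticates as (placeholder value below).

# The Tenant Root Group management group is named after the tenant id, so its
# ARM scope string can be derived directly from that id.
tenant_root_scope() {
  tenant_id="$1"
  printf '/providers/Microsoft.Management/managementGroups/%s' "$tenant_id"
}

# Render the custom role definition. Only the wildcard read action from the
# permissions table is granted; nothing that assigns, writes or deletes identities.
role_definition_json() {
  scope="$1"
  cat <<EOF
{
  "Name": "IdentityIQ Managed Identity Reader",
  "Description": "Read-only enumeration of user-assigned managed identities for IdentityIQ aggregation",
  "Actions": [
    "Microsoft.ManagedIdentity/userAssignedIdentities/*/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "${scope}" ]
}
EOF
}

# Self-check before the role is created: returns 0 when every Microsoft.* action
# in the definition ends in /read, 1 if any broader action slipped in.
definition_is_read_only() {
  json="$1"
  if printf '%s\n' "$json" | grep -o '"Microsoft\.[^"]*"' | grep -qv '/read"$'; then
    return 1
  fi
  return 0
}

# Placeholder; replace with the real object id of the IdentityIQ service principal.
SP_OBJECT_ID="${SP_OBJECT_ID:-00000000-0000-0000-0000-000000000000}"

# Nothing is changed in Azure unless APPLY=1 is set and the CLI is available.
if [ "${APPLY:-0}" = "1" ] && command -v az >/dev/null 2>&1; then
  TENANT_ID="$(az account show --query tenantId -o tsv)"
  SCOPE="$(tenant_root_scope "$TENANT_ID")"
  role_definition_json "$SCOPE" > role.json
  definition_is_read_only "$(cat role.json)" || { echo "role.json grants more than read" >&2; exit 1; }
  az role definition create --role-definition @role.json
  az role assignment create \
    --assignee-object-id "$SP_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "IdentityIQ Managed Identity Reader" \
    --scope "$SCOPE"
fi
```

Run the script as-is to render and validate the definition without touching the tenant; run it with APPLY=1 after az login to create the role and the assignment. Scoping the assignment at the Tenant Root Group is what lets a single assignment cover all subscriptions, which matches the Scope line in the table.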

Supported Schema Attributes

To aggregate user-assigned managed identities during account aggregation, ensure that managed identity attributes are present in the account schema. For more information, refer to User-Assigned Managed Identity Attributes.

Configure User-Assigned Managed Identities in Application

  1. In the application Debug page, add the following flag and set it to true: enableManagedIdentityManagement

    For example:

    <entry key="enableManagedIdentityManagement">
        <value>
            <Boolean>true</Boolean>
        </value>
    </entry>
  2. If you want to manage Azure Role Assignments (RBAC) for user-assigned managed identities, refer to Group Management for Azure Cloud Objects.

  3. If you want to manage PIM roles (only Azure Active Roles) for user-assigned managed identities, then go to Configuration > Settings > Additional Configuration and select the Enable Privileged Identity Management checkbox.