Group Management for Azure Cloud Objects
Important
You must have a Cloud Access Management or SailPoint Cloud Infrastructure Entitlement Management (CIEM) license to enable cloud governance features. Contact your SailPoint Customer Success Manager to request access.
To display cloud resource data through SailPoint CIEM, you must also configure the CIEM Azure source. Refer to Connecting Azure and CIEM to learn more.
The Azure Active Directory connector provides support for access management of the following Azure Management Objects:
- Management Groups
- Subscriptions
- Resource Groups
- Role Assignment (RBAC role assignments; this is a custom group object)
The newly supported group objects (Azure Management objects) and the operations available for each are:
Operations | Group Objects
---|---
Aggregation | Management Groups, Subscriptions, and Resource Groups
Aggregation and Add / Remove Entitlement | Role Assignment (RBAC role assignments; this is a custom group object)
The following attributes can be configured in the
Prerequisites
- The Azure Active Directory connector supports the following grant types for OAuth2 authentication:
  - Client Credentials
  - Auth Code / Refresh Token
  - Certificate Credentials
  Ensure that the appropriate permissions are granted as described in the Administrator Permissions section below.
- Existing OAuth2 clients (app registrations) must be modified to include management.azure.com as a scope; a client that only requests Microsoft Graph cannot read or write the Azure Management objects listed above.
Administrator Permissions
Based on the supported operations (Aggregation and Add / Remove Entitlement), the following permissions are required:
API Permissions
OAuth2.0 Authentication | Type | API | Permission
---|---|---|---
Client Credentials | Delegated | Azure Service Management | user_impersonation
Client Credentials | Application | Microsoft Graph | Directory.ReadWrite.All
Refresh Token / AuthCode | Delegated | Azure Service Management | user_impersonation
JWT Certificate Credentials | Delegated | Azure Service Management | user_impersonation
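The following is an added example, not SailPoint connector code, that shows what the management.azure.com scope prerequisite and the two supported operations look like at the Azure REST API level: a client-credentials token request for Azure Resource Manager (ARM), the request that aggregates RBAC role assignments at a management group, subscription or resource group scope, and the PUT/DELETE requests that add or remove a role assignment. Tenant, client, principal and assignment IDs are placeholders, the sample ARM response is constructed to match the real response shape, and the `send` helper is only there to show where the bearer token goes.

```python
"""Added example (not SailPoint's code): ARM calls behind the Azure AD
connector's Management Group / Subscription / Resource Group / Role
Assignment support.  All IDs below are placeholders."""
import json
import urllib.parse
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"  # Microsoft.Authorization/roleAssignments API version


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request for ARM.  The scope is the ARM
    resource's .default scope, not Microsoft Graph; this is the scope the
    prerequisites say an existing client must be modified to request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }
    return url, urllib.parse.urlencode(body).encode()


def role_assignments_url(scope):
    """Aggregation: list role assignments at an ARM scope."""
    return (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments"
            f"?api-version={API_VERSION}")


def scope_kind(scope):
    """Map an ARM scope string onto the object types this page covers."""
    parts = [p for p in scope.split("/") if p]
    if parts[:3] == ["providers", "Microsoft.Management", "managementGroups"]:
        return "managementGroup"
    if parts[:1] == ["subscriptions"]:
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
    return "other"  # individual resources etc.; not covered by this page


def parse_role_assignments(payload):
    """Turn an ARM roleAssignments list into entitlement records."""
    records = []
    for item in json.loads(payload)["value"]:
        props = item["properties"]
        records.append({
            "assignmentId": item["name"],          # GUID used for add/remove
            "principalId": props["principalId"],
            "principalType": props.get("principalType"),
            "roleDefinitionId": props["roleDefinitionId"],
            "scope": props["scope"],
            "scopeKind": scope_kind(props["scope"]),
        })
    return records


def add_role_assignment(scope, role_definition_id, principal_id, assignment_id=None):
    """Add Entitlement: PUT a role assignment; its name is a fresh GUID."""
    assignment_id = assignment_id or str(uuid.uuid4())
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    body = {"properties": {"roleDefinitionId": role_definition_id,
                           "principalId": principal_id}}
    return "PUT", url, json.dumps(body)


def remove_role_assignment(scope, assignment_id):
    """Remove Entitlement: DELETE the role assignment by its GUID name."""
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    return "DELETE", url, None


def send(method, url, body, token):
    """Send an ARM request with the bearer token (needs network; not run here)."""
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


# Constructed sample response in the shape ARM returns; placeholder IDs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
CONTRIBUTOR = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
SAMPLE_RESPONSE = json.dumps({"value": [
    {"name": "11111111-1111-1111-1111-111111111111",
     "type": "Microsoft.Authorization/roleAssignments",
     "properties": {"roleDefinitionId": CONTRIBUTOR,
                    "principalId": "22222222-2222-2222-2222-222222222222",
                    "principalType": "User",
                    "scope": f"{SUB}/resourceGroups/rg-app"}},
    {"name": "33333333-3333-3333-3333-333333333333",
     "type": "Microsoft.Authorization/roleAssignments",
     "properties": {"roleDefinitionId": CONTRIBUTOR,
                    "principalId": "44444444-4444-4444-4444-444444444444",
                    "principalType": "Group",
                    "scope": SUB}},
]})

if __name__ == "__main__":
    for rec in parse_role_assignments(SAMPLE_RESPONSE):
        print(rec["scopeKind"], rec["principalType"], rec["principalId"], rec["scope"])
```

The token request is the piece to check first when aggregation of these objects returns nothing: a token minted for `https://graph.microsoft.com/.default` is rejected by ARM, so the client must request the ARM scope (the `user_impersonation` permission on Azure Service Management in the table above) and the service principal must hold an RBAC role at the scope being read.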
Refer to the following table to learn which objects are managed when a CAM license is enabled (Cloud Governance) and when it is not (Identity Governance).
Object | Identity Governance | Cloud Governance
---|---|---
Account Management | |
User | Yes | Yes
B2B Guest User | Yes | Yes
B2C User | Yes | Yes
Federated User (Synchronized with On-Prem AD) | Yes | Yes
Entitlement Management | |
Groups | Yes | Yes
License Plan (Service Plan) | Yes | Yes
Administrator Roles | Yes | Yes
Service Principal Names | Yes | Yes
Management Groups | No | Yes
Subscriptions | No | Yes
Resource Groups | No | Yes
Role Assignment (RBAC) | No | Yes