Group Management for Azure Cloud Objects

Important

You must have a Cloud Access Management or SailPoint Cloud Infrastructure Entitlement Management (CIEM) license to enable cloud governance features. Contact your SailPoint Customer Success Manager to request access.

To display cloud resource data through SailPoint CIEM, you must also configure the CIEM Azure source. Refer to Connecting Azure and CIEM to learn more.

The Azure Active Directory connector provides support for access management of the following Azure Management Objects:

  • Management Groups

  • Subscriptions

  • Resource Groups

  • Role Assignment (RBAC role assignments; this is a custom group object)

The newly supported group objects (Azure Management objects) and operations are:

Operations                               | Group Objects
-----------------------------------------|---------------------------------------------------------------
Aggregation                              | Management Groups, Subscriptions, and Resource Groups
Aggregation and Add / Remove Entitlement | Role Assignment (RBAC role assignments; this is a custom group object)

The following attributes can be configured in the Source XML as per your requirements:

Prerequisites

  • The Azure Active Directory connector supports the following grant types for OAuth2 authentication:

    • Client Credentials

    • Auth Code / Refresh Token

    • Certificate Credentials

    Ensure that the appropriate permissions are granted as mentioned in the Administrator Permissions section below.

  • Existing client registrations must be updated to include management.azure.com as a scope.

Administrator Permissions

Based on the supported operations (Aggregation and Add / Remove Entitlements), the following permissions are required:

API Permissions

OAuth2.0 Authentication     | Type        | API                      | Permission
----------------------------|-------------|--------------------------|------------------------
Client Credentials          | Delegated   | Azure Service Management | user_impersonation
                            | Application | Microsoft Graph          | Directory.ReadWrite.All
Refresh Token / AuthCode    | Delegated   | Azure Service Management | user_impersonation
JWT Certificate Credentials | Delegated   | Azure Service Management | user_impersonation
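One check worth running while troubleshooting a source, as an added example that is not SailPoint's code: decode the access token the app registration obtains and confirm its audience and permissions match the table above before expecting aggregation to work. The audience strings are assumed for illustration (compare against the "aud" your tenant's tokens actually carry), the sample tokens are constructed and unsigned, and the decoder performs no signature verification, so it is an inspection aid only.

```python
import base64
import json

# Audience values are assumed for illustration; compare against the "aud" your
# tenant's tokens actually carry. Permissions come from the table above.
ARM_AUDIENCE = "https://management.azure.com/"
GRAPH_AUDIENCE = "https://graph.microsoft.com"
REQUIRED = {
    ARM_AUDIENCE: "user_impersonation",         # delegated, arrives in "scp"
    GRAPH_AUDIENCE: "Directory.ReadWrite.All",  # application, arrives in "roles"
}


def _b64url(segment: str) -> bytes:
    # Restore the padding that compact JWTs strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT claims. No signature check: this is inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Merge delegated scopes ('scp', space separated) and application
    permissions ('roles', a list) so either grant type is covered."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def check_token(token: str) -> list:
    """Return a list of problems; an empty list means the token fits the table."""
    claims = decode_payload(token)
    aud = claims.get("aud", "")
    if aud not in REQUIRED:
        return [f"unexpected audience {aud!r}: connector needs ARM or Graph"]
    needed = REQUIRED[aud]
    if needed not in granted_permissions(claims):
        return [f"{needed} missing for {aud}"]
    return []


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the samples below (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: one per API in the table, plus a Graph token consented
# for a narrower scope than the connector needs.
ARM_OK = make_unsigned_token({"aud": ARM_AUDIENCE, "scp": "user_impersonation"})
GRAPH_OK = make_unsigned_token({"aud": GRAPH_AUDIENCE, "roles": ["Directory.ReadWrite.All"]})
UNDER_SCOPED = make_unsigned_token({"aud": GRAPH_AUDIENCE, "scp": "User.Read"})
```

Running `check_token` over a real token returns an empty list when the app registration was consented for the permissions in the table, and names the missing permission or the unexpected audience otherwise.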

Refer to the following table to learn more about object management when a CAM license is enabled (Cloud Governance) and when it is not (Identity Governance).

Object                                         | Identity Governance | Cloud Governance
-----------------------------------------------|---------------------|-----------------
Account Management                             |                     |
User                                           | Yes                 | Yes
B2B Guest User                                 | Yes                 | Yes
B2C User                                       | Yes                 | Yes
Federated User (Synchronized with On-Prem AD)  | Yes                 | Yes
Entitlement Management                         |                     |
Groups                                         | Yes                 | Yes
License Plan (Service Plan)                    | Yes                 | Yes
Administrator Roles                            | Yes                 | Yes
Service Principal Names                        | Yes                 | Yes
Management Groups                              | No                  | Yes
Subscriptions                                  | No                  | Yes
Resource Groups                                | No                  | Yes
Role Assignment (RBAC)                         | No                  | Yes