Manage Azure Service Principals as Accounts

Important
To enable this feature in your IdentityNow tenant, contact your SailPoint Customer Success Manager.

  1. Go to Feature Management.

  2. Select Manage Azure Service Principals as Accounts to aggregate Azure Service Principals along with Users during the account aggregation process. By default, when this is enabled, entitlements are not fetched; you must select the entitlements you want to fetch from the available list. When this is turned off, you see a black X. When it is turned on, you see a blue icon.

  3. In the Service Principal Account Filter field, enter filter statements to ensure that only the intended Azure Service Principals are included in the aggregation process. The default filter is servicePrincipalType eq 'Application'.

    Note
    Advanced queries are not supported.

    Example filters:

    • For a filter that matches the Enterprise Applications default view in the Azure portal, use the following:

      tags/Any(x: x eq 'WindowsAzureActiveDirectoryIntegratedApp')

    • For a filter that excludes Microsoft's built-in service principals, use the following:

      appOwnerOrganizationId ne f8cdef31-a31e-4b4a-93e4-5f571e91255a&$top=100

  4. Select the Manage Azure PIM Role Memberships checkbox to manage Azure PIM Active Role memberships for Service Principals.

  5. Select the Manage Azure AD PIM Role Memberships checkbox to manage Azure Active Directory PIM Active Role memberships for Service Principals.

  6. Select the Manage Role Memberships checkbox to manage Directory Role memberships for Service Principals.

  7. Select the Manage Application Role Memberships checkbox to manage Azure Application Role memberships for Service Principals.

  8. Select the Manage Group Memberships checkbox to manage Azure Active Directory Group memberships for Service Principals.

  9. Select the Manage Azure Role Assignment Memberships checkbox to manage Azure Cloud Group memberships for Service Principals.

  10. Select the Manage Admin Consented Permission Memberships checkbox to manage Azure admin consented permissions for Service Principals.

    Note
    This is for delegated permissions.

  11. Select Save.
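The filter expressions in step 3 decide which service principals become governed accounts, so it is worth previewing their effect before enabling the feature. The following is an added example, not SailPoint connector code: it evaluates the page's three filters against constructed records shaped like Microsoft Graph servicePrincipal objects. The combined filter assumes the expression is passed to Graph's $filter, where clauses can be joined with OData and.

```python
# Added example (not part of the SailPoint connector): preview which
# service principals each Service Principal Account Filter from the page
# would include, using constructed sample records instead of a live tenant.

# Tenant ID used in the page's exclusion filter for Microsoft-owned apps.
MICROSOFT_TENANT = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

# Constructed sample records; field names mirror Graph servicePrincipal
# properties (servicePrincipalType, appOwnerOrganizationId, tags).
SAMPLE_SPS = [
    {"displayName": "Payroll App", "servicePrincipalType": "Application",
     "appOwnerOrganizationId": "11111111-2222-3333-4444-555555555555",
     "tags": ["WindowsAzureActiveDirectoryIntegratedApp"]},
    {"displayName": "Microsoft Graph", "servicePrincipalType": "Application",
     "appOwnerOrganizationId": MICROSOFT_TENANT, "tags": []},
    {"displayName": "build-identity", "servicePrincipalType": "ManagedIdentity",
     "appOwnerOrganizationId": None, "tags": []},
]

# servicePrincipalType eq 'Application'  (the page's default filter)
def is_application(sp):
    return sp.get("servicePrincipalType") == "Application"

# tags/Any(x: x eq 'WindowsAzureActiveDirectoryIntegratedApp')
def is_enterprise_app(sp):
    return "WindowsAzureActiveDirectoryIntegratedApp" in sp.get("tags", [])

# appOwnerOrganizationId ne <Microsoft tenant>
def not_microsoft_owned(sp):
    return sp.get("appOwnerOrganizationId") != MICROSOFT_TENANT

FILTERS = {
    "default": is_application,
    "enterprise_apps": is_enterprise_app,
    "exclude_microsoft": not_microsoft_owned,
    # Assumed combination via OData 'and' (not shown on the page).
    "default_and_exclude_microsoft":
        lambda sp: is_application(sp) and not_microsoft_owned(sp),
}

def preview(filter_name, sps=SAMPLE_SPS):
    """Return the sorted display names the named filter would aggregate."""
    return sorted(sp["displayName"] for sp in sps if FILTERS[filter_name](sp))

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name}: {preview(name)}")
```

Note that the default filter alone still pulls in Microsoft's first-party applications, which is why the exclusion filter exists, while managed identities are only included if the filter is widened beyond servicePrincipalType eq 'Application'.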