Group Management for Azure Cloud Objects
Important
If you want to enable additional cloud governance features (for example, visualization of effective access or managing the life cycle of Service Principals as "accounts") for your Azure Cloud Objects, you must have a
To display cloud resource data through SailPoint CIEM, you must also configure the CIEM Azure source. Refer to Connecting Azure and CIEM to learn more.
The Microsoft Entra ID connector provides support for access management of the following Azure Management Objects:
-
Management Groups
-
Subscriptions
-
Resource Groups
-
Role Assignment (RBAC role assignments. This is a custom group object)
The newly supported group objects (Azure Management objects) and operations are:
|
Operations |
Group Objects |
|---|---|
|
Aggregation |
Management Groups, Subscriptions, and Resource Groups |
|
Aggregation and Add / Remove Entitlement |
Role Assignment (RBAC role assignments. This is a custom group object.) |
The following attributes can be configured in the
managementGroup-api-version
API version to be used for management group API. Type: String
Default value: 2020-02-01
subscription-api-version
API version to be used for subscription API. Type: String
Default value: 2020-01-01
resourceGroup-api-version
API version to be used for resource group API. Type: String
Default value: 2020-06-01
role-assignment-api-version
API version to be used for Role Assignments API. Type: String
Default value: 2018-07-01
azure-management-resource-base
Azure management API resource base in case of Entra Gov or another private instance. Type: String
Default value: https://management.azure.com
fetch-azure-roleassignment-getobject
Specify if role assignments need to be fetched during Get Account call. Type: boolean
Default value: False
Prerequisites
-
The Microsoft Entra ID connector supports the following grant types for OAuth2 authentication:
-
Client Credentials
-
Auth Code / Refresh Token
-
Certificate Credentials
Ensure that the appropriate permissions are granted as mentioned in the Administrator Permissions section below.
-
-
Existing clients must be modified for supporting
management.azure.comas the scope.
Administrator Permissions
Based on the supported operations (Aggregation and Add/ Remove Entitlements), the following are the required permissions:
Object Aggregation
Permission: Microsoft.Management/managementGroups/read
Or
Role: Reader
Scope: Management Group
Role Assignment Aggregation
Permission: Microsoft.Authorization/roleAssignments/read
Or
Role: Reader
Scope: Management Group / Subscription
Role Definition Aggregation
Permission: Microsoft.Authorization/roleDefinitions/read
Or
Role: Reader
Scope: Management Group / Subscription
Add Role Assignment
Permission: Microsoft.Authorization/roleAssignments/write
Or
Role: User Access Administrator
Scope: Management Group / Subscription
Remove Role Assignment
Permission: Microsoft.Authorization/roleAssignments/delete
Or
Role: User Access Administrator
Scope: Management Group / Subscription
API Permissions
|
OAuth2.0 Authentication |
Type |
API |
Permission |
|---|---|---|---|
|
Client Credentials
|
Delegated |
Azure Service Management |
user_impersonation |
|
Application |
Microsoft Graph |
Directory.ReadWriteAll |
|
|
Refresh Token / AuthCode |
Delegated |
Azure Service Management |
user_impersonation |
|
JWT Certificate Credentials |
Delegated |
Azure Service Management |
user_impersonation |
Refer to the following table to learn more about object management when
|
Object |
Identity Governance |
Cloud Governance |
|---|---|---|
|
Account Management |
||
|
User |
Yes |
Yes |
|
B2B Guest User |
Yes |
Yes |
|
B2C User |
Yes |
Yes |
|
Federated User (Synchronized with On-Prem AD) |
Yes |
Yes |
|
Entitlement Management |
||
|
Groups |
Yes |
Yes |
|
License Plan (Service Plan) |
Yes |
Yes |
|
Administrator Roles |
Yes |
Yes |
|
Service Principal Names |
Yes |
Yes |
|
Management Groups |
No |
Yes |
|
Subscriptions |
No |
Yes |
|
Resource Groups |
No |
Yes |
|
Roles Assignment (RBAC) |
No |
Yes |