Group Management for Azure Cloud Objects

Important

If you want to enable additional cloud governance features (for example, visualization of effective access or managing the life cycle of Service Principals as "accounts") for your Azure Cloud Objects, you must have a CIEM license. If you already have a CAM license, no additional license purchase is required. Contact your SailPoint Customer Success Manager to request access and for more information.

To display cloud resource data through SailPoint CIEM, you must also configure the CIEM Azure source. Refer to Connecting Azure and CIEM to learn more.

The Microsoft Entra ID connector provides support for access management of the following Azure Management Objects:

  • Management Groups

  • Subscriptions

  • Resource Groups

  • Role Assignment (RBAC role assignments. This is a custom group object)

The newly supported group objects (Azure Management objects) and operations are:

Operations

Group Objects

Aggregation

Management Groups, Subscriptions, and Resource Groups

Aggregation and Add / Remove Entitlement

Role Assignment (RBAC role assignments. This is a custom group object.)

The following attributes can be configured in the source XML using the Identity Security Cloud REST APIs in accordance with your requirements:

Prerequisites

  • The Microsoft Entra ID connector supports the following grant types for OAuth2 authentication:

    • Client Credentials

    • Auth Code / Refresh Token

    • Certificate Credentials

    Ensure that the appropriate permissions are granted as mentioned in the Administrator Permissions section below.

  • Existing clients must be modified for supporting management.azure.com as the scope.

Administrator Permissions

Based on the supported operations (Aggregation and Add/ Remove Entitlements), the following are the required permissions:

API Permissions

OAuth2.0 Authentication

Type

API

Permission

Client Credentials

 

Delegated

Azure Service Management

user_impersonation

Application

Microsoft Graph

Directory.ReadWriteAll

Refresh Token / AuthCode

Delegated

Azure Service Management

user_impersonation

JWT Certificate Credentials

Delegated

Azure Service Management

user_impersonation

Refer to the following table to learn more about object management when CIEM license is enabled (Cloud Governance) and otherwise (Identity Governance).

Object

Identity Governance

Cloud Governance

Account Management

User

Yes

Yes

B2B Guest User

Yes

Yes

B2C User

Yes

Yes

Federated User (Synchronized with On-Prem AD)

Yes

Yes

Entitlement Management

Groups

Yes

Yes

License Plan (Service Plan)

Yes

Yes

Administrator Roles

Yes

Yes

Service Principal Names

Yes

Yes

Management Groups

No

Yes

Subscriptions

No

Yes

Resource Groups

No

Yes

Roles Assignment (RBAC)

No

Yes