User-Assigned Managed Identities Management
Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. These identities can be used to authenticate to any Azure service that supports Microsoft Entra ID authentication, without having credentials in the code. SailPoint supports managing only user-assigned managed identities as they have an independent lifecycle.
The following operations are supported for user-assigned managed identity objects:
-
Aggregation of user-assigned managed identities in account aggregation.
-
Aggregation of assigned Microsoft Entra ID groups as an entitlement during account aggregation, and add or remove Microsoft Entra ID groups to or from managed identities.
-
Aggregation of assigned PIM roles (only Azure Active Roles) as an entitlement during account aggregation, and add or remove PIM roles (only Azure Active Roles) to or from managed identities.
-
Aggregation of assigned Azure Role Assignments (RBAC) as an entitlement during account aggregation, and add or remove Azure Role Assignments (RBAC) to or from managed identities
Prerequisites
If you want to configure your source to aggregate managed identities, you need to modify the account schema to define any of the managed identity attributes as Account Name. For example, the displayName attribute of the managed identity can be tagged as Account Name.
Correlation for Managed Identities
The existing out-of-the-box correlation rule does not work directly for managed identities correlation, as it is defined using the Microsoft Entra ID user attributes. You must modify it using the attributes for managed identities. Otherwise, there are different ways to manage identities for these service accounts. For more information, refer to Best Practices: Managing Service Accounts in IdentityNow.
Administrator Permissions
|
Purpose |
Permissions |
|---|---|
|
Aggregation and Assignment of Managed Identities |
Role: Managed Identity Operator OR Permission: Microsoft.ManagedIdentity/userAssignedIdentities/*/read Scope: Tenant Root Group (to fetch from all subscriptions) |
|
Aggregation and Add/Remove Microsoft Entra ID Groups for Managed Identities |
Refer to Required Permissions. |
|
Aggregation and Add/Remove RBAC Roles for Managed Identities |
Refer to Group Management for Azure Cloud Objects. |
|
Aggregation and Add/Remove PIM Azure Active Roles for Managed Identities |
Supported Schema Attributes
To aggregate user-assigned managed identities during account aggregation, ensure that managed identity attributes are present in the account schema. For more information, refer to User-Assigned Managed Identity Attributes.
Configure User-Assigned Managed Identities in Source
Screenshot
- Go to Feature Management.
-
Select the Manage Cloud Resources checkbox if you want to manage Azure Role Assignments (RBAC) for user-assigned managed identities.
-
Select the Include User-Assigned Managed Identities checkbox to manage user-assigned identities.
-
In the Azure Privileged Identity Management Setting section, select the Enable Privileged Identity Management checkbox if you want to manage PIM roles (only Azure Active Roles) for user-assigned managed identities.
-
Select Save.