User-Assigned Managed Identities Management

Managed identities for Azure resources give Azure services an automatically managed identity in Microsoft Entra ID. These identities can be used to authenticate to any Azure service that supports Microsoft Entra ID authentication, without embedding credentials in code. SailPoint supports managing only user-assigned managed identities, because they have a lifecycle independent of the Azure resources they are attached to.

The following operations are supported for user-assigned managed identity objects:

  • Aggregation of user-assigned managed identities in account aggregation.

  • Aggregation of assigned Microsoft Entra ID groups as an entitlement during account aggregation, and add or remove Microsoft Entra ID groups to or from managed identities.

  • Aggregation of assigned PIM roles (only Azure Active Roles) as an entitlement during account aggregation, and add or remove PIM roles (only Azure Active Roles) to or from managed identities.

  • Aggregation of assigned Azure Role Assignments (RBAC) as an entitlement during account aggregation, and add or remove Azure Role Assignments (RBAC) to or from managed identities (this feature requires a SailPoint Cloud Infrastructure Entitlement Management (SailPoint CIEM) license).

    Note
    If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, visualization of effective access, or Azure Cloud Object Management, such as Management Groups, Subscriptions, Resource Groups, Role Assignments, or Service Principal Accounts Management), you must have a SailPoint CIEM license. Contact your SailPoint Customer Success Manager to request access and for more information.

Prerequisites

If you want to configure your source to aggregate managed identities, you need to modify the account schema to define any of the managed identity attributes as Account Name. For example, the displayName attribute of the managed identity can be tagged as Account Name.

Correlation for Managed Identities

The existing out-of-the-box correlation rule does not work directly for managed identity correlation, because it is defined using Microsoft Entra ID user attributes. You must modify it to use the managed identity attributes. Alternatively, there are other ways to manage identities for these service accounts. For more information, refer to Best Practices: Managing Service Accounts.

Administrator Permissions

Purpose: Aggregation and Assignment of Managed Identities
Permissions:
  Role: Managed Identity Operator
  OR
  Permission: Microsoft.ManagedIdentity/userAssignedIdentities/*/read
  Scope: Tenant Root Group (to fetch from all subscriptions)

Purpose: Aggregation and Add/Remove Microsoft Entra ID Groups for Managed Identities
Permissions: Refer to Required Permissions.

Purpose: Aggregation and Add/Remove RBAC Roles for Managed Identities
Permissions: Refer to Group Management for Azure Cloud Objects.

Purpose: Aggregation and Add/Remove PIM Azure Active Roles for Managed Identities
Permissions: Refer to Azure Privileged Identity Management (PIM).
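The first row of the permissions table offers a choice between the built-in Managed Identity Operator role and the single read permission. The built-in role also carries Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action, so where the connector only needs to aggregate, a custom role holding nothing but the read permission is the least-privilege option. The script below is an added example, not code from SailPoint or Microsoft: it builds such a custom role definition, assigns it to the connector's service principal at the Tenant Root Group (whose management group name is the tenant ID), and lists the assignment for verification. The role name, the temporary file path, and the tenant and service principal IDs are assumed placeholders that you replace with your own values.

```shell
#!/bin/sh
# Added example (not SailPoint's or Microsoft's code): grant the SailPoint
# connector's service principal only the read permission the table lists,
# scoped at the Tenant Root Group so aggregation reaches every subscription.
# The tenant ID, service principal object ID and role name are placeholders.

# Emits a custom Azure role definition (JSON) containing only the read
# permission. The Tenant Root Group's management group name equals the
# tenant ID, so that management group is the assignable scope.
role_definition_json() {
  tenant_id="$1"
  cat <<EOF
{
  "Name": "SailPoint Managed Identity Reader",
  "IsCustom": true,
  "Description": "Read user-assigned managed identities across all subscriptions for SailPoint aggregation.",
  "Actions": [
    "Microsoft.ManagedIdentity/userAssignedIdentities/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/${tenant_id}"
  ]
}
EOF
}

# Resource ID of the Tenant Root Group for a given tenant ID.
tenant_root_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s\n' "$1"
}

# Creates the custom role, assigns it to the connector's service principal
# at Tenant Root Group scope, then lists the assignment so the result can be
# checked before the source is configured.
apply_least_privilege_role() {
  tenant_id="$1"
  sp_object_id="$2"
  role_definition_json "$tenant_id" > /tmp/sailpoint-mi-reader.json
  az role definition create --role-definition @/tmp/sailpoint-mi-reader.json
  az role assignment create \
    --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal \
    --role "SailPoint Managed Identity Reader" \
    --scope "$(tenant_root_scope "$tenant_id")"
  az role assignment list --assignee "$sp_object_id" \
    --scope "$(tenant_root_scope "$tenant_id")" --output table
}

# Usage: sh grant-mi-reader.sh apply <tenant-id> <service-principal-object-id>
if [ "${1:-}" = "apply" ]; then
  apply_least_privilege_role "$2" "$3"
fi
```

A freshly created custom role definition can take a few minutes to propagate; if the assignment step reports that the role does not exist, rerun the assignment after a short wait. The listing at the end is the check a reviewer wants to see: one assignment, the custom role, and the management group scope, with no subscription-level grants.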

Supported Schema Attributes

To aggregate user-assigned managed identities during account aggregation, ensure that managed identity attributes are present in the account schema. For more information, refer to User-Assigned Managed Identity Attributes.

Configure User-Assigned Managed Identities in Source

  1. Go to Feature Management.

  2. Select the Manage Cloud Resources checkbox if you want to manage Azure Role Assignments (RBAC) for user-assigned managed identities.

  3. Select the Include User-Assigned Managed Identities checkbox to manage user-assigned managed identities.

  4. In the Azure Privileged Identity Management Setting section, select the Enable Privileged Identity Management checkbox if you want to manage PIM roles (only Azure Active Roles) for user-assigned managed identities.

  5. Select Save.