Required Permissions

Note
This list of permissions covers the most commonly used features of the connector; however, certain features may require additional custom permissions and roles. Be sure to read the details for each feature in the Supported Features section.

If you don't want to grant granular permissions for each API, grant the following permissions on the entire directory to the client application created in Azure. This enables the connector to perform read and write operations on users and groups (excluding deleting users and groups):

  • Directory.Read.All (Read Directory Data)

  • Directory.ReadWrite.All (Read and Write Directory Data)

Important
To grant read-only access, assign the built-in Reader role to the service principal or the application you created at the tenant root group level.

Assigning the Built-in Reader Role to the Application

To grant the built-in reader role to the application, follow these steps in the Microsoft Entra ID portal:

  1. Go to Management groups.

  2. Select the Tenant Root Group and open its Access control (IAM) settings.

  3. Select Add, then choose Add role assignment from the dropdown menu.

  4. Select the Reader (built-in) role from the list.

  5. Go to the Members tab and select Select members.

  6. Search for the application you created earlier and select it.

  7. Select Review and assign to finalize the role assignment.

Assigning Necessary Permissions to the Client Application

To grant the necessary permissions to the client application, follow these steps:

  1. In the Microsoft Entra console, go to API permissions and select Add a permission.

  2. On the Request API permissions page, select Microsoft Graph API from the list of APIs.

  3. For the permission type, select Application permissions.

  4. Under Select permissions, choose the permissions listed in the table below, and then select Add permissions.

  5. Go to the Grant consent section and select Grant admin consent for your directory.

  6. When the confirmation dialog appears, select Yes.

Granular Level Application Permission

  • To perform Set Password and Delete user operations, an application created on Azure must have the User Administrator role.

  • To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role.

  • Use the Azure portal to assign the previously mentioned administrative roles. For more information, refer to Assign Microsoft Entra Roles to Users.

Additional API Permissions for CIEM

The following API permissions are necessary for SailPoint CIEM to include potential Azure cloud resource access derived from eligible membership in PIM groups:

  • PrivilegedAccess.Read.AzureADGroup

  • PrivilegedAssignmentSchedule.Read.AzureADGroup

  • PrivilegedEligibilitySchedule.Read.AzureADGroup

For more information, refer to Configuring Azure and Microsoft Entra ID.

The following table lists the required permission types and their purposes:

Permission | Type | Purpose
--- | --- | ---
User.Invite.All | Application | Creating / Inviting B2B User
User.Read.All | Application | Account Aggregation, Account Delta, Get Object, Roles and Groups Membership Aggregation
User.ReadWrite.All | Application | Create User, Update User Properties (Non Entitlement), Add / Remove License Pack and Plan, Enable / Disable User Account, Delete User
Organization.Read.All | Application | Aggregate License Pack and Plan Details of tenant
RoleManagement.ReadWrite.Directory | Application | Add / Remove Directory Roles
User.Read | Application | Pass-through Authentication
Group.Read.All | Application | Group Aggregation
Group.ReadWrite.All | Application | Create Group, Update Group, Delete Group
Application.Read.All | Application | Aggregation of Application Roles
AppRoleAssignment.ReadWrite.All | Application | Add / Remove users from Service Principal
DelegatedPermissionGrant.Read.All | Application | Aggregation of Admin/User Consented Permissions for Service Principals
RoleManagement.ReadWrite.Directory | Application | Role provisioning (if defined as Entitlement object)
RoleManagement.Read.Directory | Application | Role Aggregation (if defined as Entitlement object)

Applicable for SAML Bearer Assertion, Refresh Token / AuthCode and JWT Certificate Credentials Grant Types

Permission | Type | Purpose
--- | --- | ---
Directory.AccessAsUser.All | Delegated | Change Password, Delete User

Applicable for Access Packages Management

Permission | Type | Purpose
--- | --- | ---
EntitlementManagement.ReadWrite.All | Application | Add / Remove Access Packages
EntitlementManagement.Read.All | Application | Access Package Aggregation

Applicable for User Management

Permission | Type | Purpose
--- | --- | ---
User.EnableDisableAccount.All | Application | Delete User
User-PasswordProfile.ReadWrite.All | Application | Set Password
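As an added example that is not part of this documentation or of the connector itself, the following script checks the application permissions actually assigned to the connector's service principal against the permissions the table above requires for the features in use, so that over-provisioning (for example the directory-wide shortcut permissions) is visible. It assumes the JSON shapes returned by Graph for service principal appRoles and appRoleAssignments; the feature names, sample data and GUIDs are constructed placeholders.

```python
"""Least-privilege check of the Microsoft Graph application permissions granted to the
connector app: resolves appRoleId GUIDs from GET /servicePrincipals/{id}/appRoleAssignments
through the Graph service principal's appRoles and compares them with the table above."""

# Feature -> Graph application permissions, taken from the permission table above.
REQUIRED_BY_FEATURE = {
    "account_aggregation": ["User.Read.All"],
    "group_aggregation": ["Group.Read.All"],
    "create_update_user": ["User.ReadWrite.All"],
    "license_aggregation": ["Organization.Read.All"],
    "set_password": ["User-PasswordProfile.ReadWrite.All"],
}
# Directory-wide shortcut permissions named on this page; they exceed least privilege.
BROAD = {"Directory.Read.All", "Directory.ReadWrite.All"}

def granted_permissions(assignments, graph_sp):
    """Permission names for assignments whose resource is Microsoft Graph; unknown ids stay raw."""
    names = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    return {names.get(a["appRoleId"], a["appRoleId"])
            for a in assignments if a["resourceId"] == graph_sp["id"]}

def audit(features, assignments, graph_sp):
    """Return permissions missing for the features and those granted beyond them."""
    required = {p for f in features for p in REQUIRED_BY_FEATURE[f]}
    granted = granted_permissions(assignments, graph_sp)
    return {"missing": sorted(required - granted),
            "excess": sorted(granted - required),
            "broad": sorted(granted & BROAD)}

# Constructed sample data; the GUIDs are placeholders, not real Graph app role ids.
GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Group.Read.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "User.ReadWrite.All"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "Directory.Read.All"},
    ],
}
ASSIGNMENTS = [  # the last entry targets another resource and must be ignored
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": GRAPH_SP["id"]},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000002", "resourceId": GRAPH_SP["id"]},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000003", "resourceId": GRAPH_SP["id"]},
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000004", "resourceId": GRAPH_SP["id"]},
    {"appRoleId": "bbbbbbbb-0000-0000-0000-000000000009", "resourceId": "22222222-2222-2222-2222-222222222222"},
]

if __name__ == "__main__":
    print(audit(["account_aggregation", "group_aggregation", "set_password"], ASSIGNMENTS, GRAPH_SP))
```

In a real tenant, feed the script the JSON from the two Graph calls named in its docstring and extend REQUIRED_BY_FEATURE with the rows of the table that apply to your deployment.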