Azure Cloud Object Management
Important
You must have a SailPoint Cloud Infrastructure Entitlement Management (CIEM) license to enable cloud governance features. Contact your SailPoint Customer Success Manager to request access.
To display cloud resource data through SailPoint CIEM, you must also configure the CIEM Azure source. Refer to Connecting Azure and CIEM to learn more.
The Microsoft Entra SaaS connector provides support for access management of the following Azure Management Objects:
- Management Groups
- Subscriptions
- Resource Groups
- Role Assignment (RBAC role assignments; this is a custom group object)
The newly supported group objects (Azure Management objects) and operations are:

| Operations | Group Objects |
|---|---|
| Aggregation | Management Groups, Subscriptions, and Resource Groups |
| Aggregation and Add / Remove Entitlement | Role Assignment (RBAC role assignments; this is a custom group object) |
The following attributes can be configured in the source XML using the REST APIs in accordance with your requirements:

- API version to be used for the management group API. Type: String. Default value: 2020-02-01
- API version to be used for the subscription API. Type: String. Default value: 2020-01-01
- API version to be used for the resource group API. Type: String. Default value: 2020-06-01
- API version to be used for the Role Assignments API. Type: String. Default value: 2018-07-01
- Azure management API resource base, for Entra Gov or another private instance. Type: String. Default value: https://management.azure.com
- Specify whether role assignments need to be fetched during the Get Account call. Type: boolean. Default value: False
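The attributes above decide which Resource Manager host the connector sends its bearer token to and which API versions it requests. The following added example (not SailPoint code; the attribute key names are illustrative, since the page gives only descriptions and defaults) builds the management-plane URLs for each supported object from a configuration dictionary, falling back to the documented defaults, and rejects a resource-base override that is not an HTTPS URL on a known Resource Manager host. The allowed-host set and the placeholder subscription id are assumptions for the example.

```python
"""Derive connector request URLs from the configurable attributes.

Added example; not SailPoint's own code. Attribute key names are
illustrative (the page lists descriptions and defaults, not XML keys).
"""
from urllib.parse import urlsplit

# Defaults exactly as documented for the connector attributes.
DEFAULTS = {
    "managementGroupApiVersion": "2020-02-01",
    "subscriptionApiVersion": "2020-01-01",
    "resourceGroupApiVersion": "2020-06-01",
    "roleAssignmentApiVersion": "2018-07-01",
    "managementApiResourceBase": "https://management.azure.com",
    "fetchRoleAssignmentsOnGetAccount": False,
}

# Resource Manager hosts an override is expected to name (assumption: add the
# sovereign or private endpoint your tenant actually uses). Any other host
# would receive the connector's access token, so the override is checked.
ALLOWED_HOSTS = {"management.azure.com", "management.usgovcloudapi.net"}


def validate_resource_base(base: str) -> str:
    """Return the normalised base URL, or raise ValueError if it is unsafe."""
    parts = urlsplit(base)
    if parts.scheme != "https":
        raise ValueError(f"resource base must use https: {base}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"resource base host not allowed: {parts.hostname}")
    if parts.path.strip("/") or parts.query or parts.fragment:
        raise ValueError(f"resource base must be a bare origin: {base}")
    return f"https://{parts.netloc}"


def build_endpoints(config: dict, subscription_id: str = "<subscription-id>") -> dict:
    """Map each supported object type to the list URL the connector would call.

    Paths are the public Azure Resource Manager routes for management groups,
    subscriptions, resource groups and role assignments; the subscription id
    is a placeholder supplied by the caller.
    """
    cfg = {**DEFAULTS, **config}
    base = validate_resource_base(cfg["managementApiResourceBase"])
    sub = f"{base}/subscriptions/{subscription_id}"
    return {
        "managementGroups": f"{base}/providers/Microsoft.Management/managementGroups"
                            f"?api-version={cfg['managementGroupApiVersion']}",
        "subscriptions": f"{base}/subscriptions?api-version={cfg['subscriptionApiVersion']}",
        "resourceGroups": f"{sub}/resourcegroups?api-version={cfg['resourceGroupApiVersion']}",
        "roleAssignments": f"{sub}/providers/Microsoft.Authorization/roleAssignments"
                           f"?api-version={cfg['roleAssignmentApiVersion']}",
    }


if __name__ == "__main__":
    for name, url in build_endpoints({}).items():
        print(f"{name}: {url}")
```

When the source XML carries an override for a Gov or private instance, run the override through `validate_resource_base` before saving the source; a typo or a stray path component would otherwise only show up as failed aggregations, or worse, as tokens sent to the wrong origin.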
Prerequisites
- The Microsoft Entra SaaS connector supports the following grant types for OAuth2 authentication:
  - Client Credentials
  - Auth Code / Refresh Token
  - Certificate Credentials

  Ensure that the appropriate permissions are granted, as listed in the Administrator Permissions section below.
- Existing clients must be modified to support management.azure.com as the scope.
Administrator Permissions
Based on the supported operations (Aggregation and Add / Remove Entitlements), the following permissions are required:

| Permission | Or Role | Scope |
|---|---|---|
| Microsoft.Management/managementGroups/read | Reader | Management Group |
| Microsoft.Authorization/roleAssignments/read | Reader | Management Group / Subscription |
| Microsoft.Authorization/roleDefinitions/read | Reader | Management Group / Subscription |
| Microsoft.Authorization/roleAssignments/write | User Access Administrator | Management Group / Subscription |
| Microsoft.Authorization/roleAssignments/delete | User Access Administrator | Management Group / Subscription |
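Aggregation only needs the three read actions, while Add / Remove Entitlement additionally needs write and delete on role assignments, so the service principal can be held to Reader until entitlement management is actually turned on. The following added example (not SailPoint code) checks whether a set of role definitions granted to the connector's principal covers the required actions for the chosen operations, applying Azure's wildcard and NotActions semantics. The role definitions in `SAMPLE_ROLES` are constructed, abbreviated samples for the example, not authoritative copies of the built-in roles.

```python
"""Check role definitions against the connector's required control-plane actions.

Added example; not SailPoint's own code. SAMPLE_ROLES are constructed,
abbreviated samples, not authoritative built-in role definitions.
"""
import re

# Required actions per supported operation, as documented for the connector.
REQUIRED_PERMISSIONS = {
    "aggregation": [
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
    ],
    "add_remove_entitlement": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
    ],
}

# Constructed sample role definitions (Actions / NotActions only, trimmed).
SAMPLE_ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure action matching: '*' spans any characters (including '/'), case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """An action is granted by a role if some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def missing_permissions(roles: list, operations: list) -> list:
    """Return the required actions not granted by any of the roles for the operations.

    Roles are assumed to be assigned at the scope the connector reads (management
    group or subscription); assignments at a narrower scope do not count.
    """
    missing = []
    for op in operations:
        for action in REQUIRED_PERMISSIONS[op]:
            if not any(role_allows(r, action) for r in roles):
                missing.append(action)
    return missing


if __name__ == "__main__":
    reader = [SAMPLE_ROLES["Reader"]]
    print("Reader, aggregation only:", missing_permissions(reader, ["aggregation"]))
    print("Reader, with entitlements:", missing_permissions(reader, ["aggregation", "add_remove_entitlement"]))
    print("Contributor, entitlements:", missing_permissions([SAMPLE_ROLES["Contributor"]], ["add_remove_entitlement"]))
```

The Contributor case is the one worth noticing: its Actions wildcard is `*`, yet NotActions strips the roleAssignments write and delete actions, so assigning Contributor to the connector grants far more than it needs and still fails Add / Remove Entitlement. Feed the function the real Actions and NotActions from `roleDefinitions` in your tenant rather than the samples here.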
API Permissions

| OAuth2.0 Authentication | Type | API | Permission |
|---|---|---|---|
| Client Credentials | Delegated | Azure Service Management | user_impersonation |
| Client Credentials | Application | Microsoft Graph | Directory.ReadWrite.All |
| Refresh Token / AuthCode | Delegated | Azure Service Management | user_impersonation |
| JWT Certificate Credentials | Delegated | Azure Service Management | user_impersonation |
Refer to the following table to learn more about object management when the CIEM license is enabled (Cloud Governance) and otherwise (Identity Governance).

| Object | Identity Governance | Cloud Governance |
|---|---|---|
| Account Management | | |
| User | Yes | Yes |
| Federated User (Synchronized with On-Prem AD) | Yes | Yes |
| Entitlement Management | | |
| Groups | Yes | Yes |
| Administrator Roles | Yes | Yes |
| Management Groups | No | Yes |
| Subscriptions | No | Yes |
| Resource Groups | No | Yes |
| Role Assignment (RBAC) | No | Yes |