Skip to content

Configuring Azure and Microsoft Entra ID

To display your Azure resources and the access tied to them, you must first create policies and permissions in your cloud environment that allow SailPoint CIEM to report on cloud access data.

Use an Azure account with administrative privileges to:

  1. Register SailPoint CIEM as a new application with Microsoft Entra ID (formerly Azure AD).

  2. Grant permissions to read your Microsoft Entra ID policies and resource inventories.

  3. Create a client secret to use when registering your source with SailPoint CIEM.

When you have completed your Microsoft Entra ID configuration, you will connect your cloud source data to SailPoint CIEM and Identity Security Cloud.

Registering SailPoint CIEM with Microsoft Entra ID

You must first register SailPoint CIEM as an application with Microsoft Entra ID.

  1. Sign in to the Azure Cloud portal and select Microsoft Entra ID.

  2. Copy the tenant ID and save it somewhere accessible, as you'll need this information to connect the Azure cloud source to SailPoint CIEM.

    Entra ID directory view with the tenant ID of the directory emphasized.

  3. Select App registrations in the left sidebar and select New registration.

    Application registration form to enter the name, supported account types, and redirect URI.

  4. Enter a name for the new application, such as "SailPoint CIEM".

  5. Under Supported account types, keep the default of allowing a single tenant to ensure that only accounts in the organizational directory can access this application.

  6. Select Register to register SailPoint CIEM with Microsoft Entra ID.

  7. Copy the Application (client) ID that's generated, as you'll need this information to connect the cloud source with SailPoint CIEM.

Granting Read Permissions to SailPoint CIEM

After you’ve registered SailPoint CIEM with Microsoft Entra ID, you must grant it the permissions required to read the security policies configured for the Azure source and the resources inventory.

Setting Up the Global Admin Role

You must create a global admin role that can manage access at the root management group level. All subscriptions will inherit the custom role from their management group.

To set up the global admin role:

  1. Select Properties in Microsoft Entra ID.
  2. Set the toggle for Access management for Azure resources to Yes.
  3. Select Save.

This will allow you to manage access to all Azure subscriptions and management groups in the tenant.

Enabling Read Access to Microsoft Azure

You must enable the Directory.Read.All setting so that SailPoint CIEM can read the Microsoft Azure inventory.

  1. Select App registrations in Microsoft Entra ID.
  2. Select the SailPoint CIEM app you registered earlier.
  3. Select API permissions in the left sidebar and choose Add a permission.
  4. Select Microsoft Graph.
  5. Select Application permissions and expand the Directory category.

  6. Select Directory.Read.All to allow SailPoint CIEM to read directory data on your Microsoft Azure source.

  7. Expand the Role Management category and select RoleManagement.Read.Directory to allow SailPoint CIEM to read all directory role-based access control settings for the source.

  8. If you use Privileged Access Management (PIM) for groups, search for "privileged" in the Select permissions search bar. Select the following API permissions so SailPoint CIEM can include potential Azure cloud resource access derived from eligible membership in PIM groups:

    • PrivilegedAccess.Read.AzureADGroup
    • PrivilegedAssignmentSchedule.Read.AzureADGroup
    • PrivilegedEligibilitySchedule.Read.AzureADGroup

    Note

    PIM group information is only applicable for SailPoint CIEM. Identity Security Cloud does not support PIM groups.

  9. Select Add permissions and Grant admin consent to specify what the SailPoint app can request and to confirm the app is approved to make requests.

Creating Strict Custom Roles

Next, you will create custom roles in Microsoft Entra ID with the minimum permissions required to allow SailPoint CIEM to read your Microsoft Entra ID data.

  1. Select Management groups in Microsoft Entra ID.
  2. Select the root management group to add the role to. The role will inherit the group’s subscriptions.
  3. In the sidebar, select Access control (IAM).
  4. Select Add and choose Add custom role from the dropdown menu.
  5. On the Basics tab, enter a custom role name, such as Resource Reader.

  6. Select the JSON tab.

    Window to enter a JSON to create a strict role.

  7. Select the Edit button. Enter the following JSON schema, replacing the managementGroups ID with your own.

    Display required permissions 
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
    {
    "properties": {
        "roleName": "Resource Reader",
        "description": "View strict list of resources, doesn't allow you to make any changes.",
        "assignableScopes": [
            "/providers/Microsoft.Management/managementGroups/aaaaaaa-9999-1234-5678-d1dd0000c000 (1)"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.ApiManagement/service/groups/users/read",
                    "Microsoft.ApiManagement/service/subscriptions/read",
                    "Microsoft.ApiManagement/service/users/groups/read",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Cache/redis/read",
                    "Microsoft.ClassicCompute/virtualMachines/read",
                    "Microsoft.ClassicNetwork/networkSecurityGroups/read",
                    "Microsoft.ClassicNetwork/virtualNetworks/read",
                    "Microsoft.Compute/disks/read",
                    "Microsoft.Compute/virtualMachines/read",
                    "Microsoft.DBforMariaDB/servers/databases/read",
                    "Microsoft.DBforMySQL/servers/databases/read",
                    "Microsoft.DBforPostgreSQL/servers/databases/read",
                    "Microsoft.DocumentDB/databaseAccounts/read",
                    "Microsoft.Insights/ActivityLogAlerts/Read",
                    "Microsoft.Insights/eventtypes/values/Read",
                    "Microsoft.Insights/LogProfiles/Read",
                    "Microsoft.KeyVault/vaults/keys/read",
                    "Microsoft.KeyVault/vaults/providers/Microsoft.Insights/diagnosticSettings/Read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/secrets/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/listAssociatedResources/action",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Network/networkSecurityGroups/read",
                    "Microsoft.Network/networkWatchers/queryFlowLogStatus/action",
                    "Microsoft.Network/networkWatchers/read",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/resources/read",
                    "Microsoft.Resources/tenants/read",
                    "Microsoft.Security/autoProvisioningSettings/read",
                    "Microsoft.Security/pricings/read",
                    "Microsoft.Security/securityContacts/read",
                    "Microsoft.Sql/managedInstances/administrators/read",
                    "Microsoft.Sql/managedInstances/databases/read",
                    "Microsoft.Sql/servers/administrators/read",
                    "Microsoft.Sql/servers/databases/auditingSettings/read",
                    "Microsoft.Sql/servers/databases/read",
                    "Microsoft.Sql/servers/databases/securityAlertPolicies/read",
                    "Microsoft.Sql/servers/failoverGroups/read",
                    "Microsoft.Sql/servers/firewallRules/read",
                    "Microsoft.Sql/servers/keys/read",
                    "Microsoft.Sql/servers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Web/sites/Read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
    1. Replace the managementGroups ID with your own

  8. Select Save to update the JSON schema and Review + create.

  9. Select Create to create the custom role.

    Privileged Access Management

    If you have an Microsoft Entra ID Privileged Identity Management Premium P2 license, SailPoint CIEM will display access users have to Azure resources from their PIM eligible assignments.

You will now assign this role to the app.

Assigning Roles to App Registration

You must now assign the role you created to the App Registration.

  1. Select Management groups in the Microsoft Entra ID portal.

  2. Select the root group name and select Access control (IAM) from the left sidebar.

  3. Select Add and choose Add role assignment from the dropdown menu.

  4. In the role section, search for and select the custom role you created earlier. Select Next.

    Add role assignment.

  5. In the Members tab, select the radio button next to User, group, or service principal.

  6. Select Select members. Search for and select the application you registered. Role assignment setting to assign access to the previously created app.

  7. Confirm your selection using the Select button.

  8. Select Review + Assign to assign the role to SailPoint CIEM.

Creating a Client Secret for SailPoint CIEM

To finish registering your Microsoft Entra ID accounts, you'll need to create a client secret for SailPoint CIEM.

  1. Select App registrations in Microsoft Entra ID and choose the application you named earlier.

  2. Select Certificates & secrets.

  3. Under Client secrets, select + New client secret and add a description and expiration date.

    Best Practice

    Set an expiration date of 6 months.

  4. Select Add.

Save the Value and Secret ID in a safe place. You will enter the client secret in the Client Secret field when you connect to Identity Security Cloud.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.