Connecting CIEM Azure to IdentityNow

Once you have configured your Azure AD account, you can connect it to IdentityNow to display the total effective access users have to your cloud systems and resources. To display this data, you must use the Azure AD identity and CIEM Azure cloud governance connectors.

  • Azure AD identity governance connector: Allows you to manage your Azure users and groups in IdentityNow. If your organization has licensed a SailPoint cloud management solution, it will also gather data about the cloud access granted to users through their Azure management groups, subscriptions, resource groups, and role assignments.
  • CIEM Azure cloud governance connector: Works with your Azure AD identity governance connector to collect cloud resource data and display the total access an identity has to your cloud systems.

Refer to the Microsoft Azure Active Directory Connector documentation for more information about the access management each connector provides.

FedRAMP Limitations

CIEM FedRAMP customers can register a maximum of 650 Azure subscriptions.

You may connect your Azure AD identity governance and CIEM Azure cloud governance sources in any order.

After you've connected and aggregated your accounts and entitlements, you will mark the entitlements related to cloud access. This will allow you to view the cloud access granted through entitlements and include those entitlements in certification campaigns.

Connecting Azure AD Identity Governance

Follow the directions to connect your Azure AD identity governance source, or edit an existing one. Select the Manage Cloud Resources checkbox in the Feature Management configuration to enable the source to gather cloud data.

You must then use the CIEM Azure cloud governance connector to display all access users have to your cloud resources.

Connecting Azure Cloud Governance

The CIEM Azure source pulls daily data about the cloud resources your Azure IaaS users can access.

To register CIEM Azure:

  1. Go to Admin > Connections > Create New.
  2. Find and select the CIEM Azure source type.
  3. Enter a source name.
  4. Enter a description for your source.
  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
  6. (Optional) Select a governance group for source management.
  7. Select Connection Settings.
  8. Enter your client ID.
  9. Enter your tenant ID.
  10. Enter your client secret.
  11. (Optional) Enter your instance ID. This is used to resolve Azure AD accounts with federated access to AWS.
  12. Select Save.
  13. Select Review and Test.
  14. Review the configuration details and select Test Connection. A successful test is required for CIEM to gather data for this source.

    If the test connection fails, you can use the Search query name:“Test_connection Source Failed” for more information.

After a successful test connection, you can set the source scope or move on to marking the entitlement types that grant cloud access.

Setting Source Scope

By default, CIEM reads and automatically discovers changes to your cloud infrastructure, which are displayed in the Cloud Scopes section of your CIEM source configuration. You can choose to exclude scopes to prevent CIEM from including data for those accounts.

To change the scope of your included source data:

  1. In the CIEM Azure source, select Cloud Scopes under Aggregation and Provisioning.
  2. Use the checkboxes to change which subscriptions are included. Removing a scope disables Auto-Include Scopes.
  3. Select Save.

CIEM will now only read and include data from your selected scopes. When Auto-Include Scopes is disabled, new and deleted subscriptions in your cloud system will be detected, but they will not be automatically included in your CIEM data until you select them individually or re-enable Auto-Include Scopes.

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by CIEM. This is separate from aggregation.

Marking Azure AD Cloud-Enabled Entitlement Types

When entitlements are pulled from your Azure cloud environment, you must mark the Group, Azure Role Assignment, and Azure Eligible Role entitlement types as Cloud Enabled in the Azure AD source configuration. This will allow certification campaign reviewers to view the access users have to your Azure cloud infrastructure.

  1. Go to Admin > Connections > Sources.
  2. Select the Azure AD identity governance connector you enabled to manage cloud resources.
  3. Select the Import Data tab and choose Entitlement Types.
  4. Edit the following entitlement types that grant cloud access and select the Cloud Enabled checkbox:
    • Group
    • azureRoleAssignment
    • azureEligibleRole
  5. Select Update.

You can now view an identity's cloud access granted through entitlements. You can include cloud-based entitlement types in certification campaigns to allow certifiers to view the effective access to your Azure resources.

Viewing Effective Access to Azure Resources

After marking your entitlement types, you can include cloud-enabled entitlements in certification campaigns to allow your certifiers to view cloud access details like the last level of access and type of action taken on the resource.

Certifiers can also view the access paths between scoped objects like groups, policies, and projects granting the user access to the selected resource. They can view the direct access granted by the entitlement or all access paths to the resource. The entitlement access path is highlighted.

If a user has multiple instances of the same type of access at the same scope, such as multiple role assignments that lead to the same management group, your certifiers can select the node to display the access leading to the resource.

Refer your certifiers to Viewing Cloud Access Details in the User Help for guidance on viewing cloud access details.