
Connecting Azure and CIEM

Once you have configured your Microsoft Entra ID account, you can connect it to display the total effective access users have to your cloud systems and resources.

You can connect SailPoint CIEM using the Microsoft Entra SaaS connector on its own, or by configuring both a virtual appliance (VA)-based Microsoft Entra ID connector and the CIEM Azure connector.

When you have completed your SaaS or virtual appliance (VA) connection, you will aggregate your accounts and entitlements and mark the entitlements related to cloud access. This will allow you to view the cloud access granted through entitlements and include those entitlements in certification campaigns.

FedRAMP Limitations

SailPoint CIEM FedRAMP customers can register a maximum of 650 Azure subscriptions.

Onboarding SailPoint CIEM Using the Microsoft Entra SaaS Connector

If you are using Microsoft Entra SaaS, follow the connector guide to enable SailPoint CIEM.

After a successful test connection, you can aggregate and then mark the entitlement types that grant cloud access.

Note

If you previously configured both the Entra SaaS and SailPoint CIEM Azure connectors, you do not need to take additional action to continue receiving your data.

Onboarding SailPoint CIEM Using a VA-Based Source

If you are onboarding SailPoint CIEM using a VA-based connector, you must configure both the Microsoft Entra ID identity governance and SailPoint CIEM Azure connectors.

Microsoft Entra ID VA-based connector
    Allows you to manage your Azure users and groups in Identity Security Cloud on virtual appliances (VA). If your organization has licensed a SailPoint cloud management solution, it also gathers data about the cloud access granted to users through their Azure management groups, subscriptions, resource groups, and role assignments.

SailPoint CIEM Azure connector
    Works with your Microsoft Entra ID identity governance connector to collect cloud resource data and display the total access an identity has to your cloud systems.

You may connect the VA-based and SailPoint CIEM Azure sources in any order.

Connecting the Microsoft Entra ID VA-Based Source

  1. Follow the Connector guide to configure or edit the Microsoft Entra ID connector.

  2. In the Feature Management configuration, select the Manage Cloud Resources checkbox to enable it to gather cloud data.

For more information about the cloud objects managed through the identity governance connector, refer to Group Management for Azure Cloud Objects.

You must then configure the CIEM Azure connector to display all access users have to your cloud resources.

Connecting SailPoint CIEM Azure

The SailPoint CIEM Azure source pulls daily data about the cloud resources your Azure IaaS users can access.

To register SailPoint CIEM Azure:

  1. Go to Admin > Connections > Sources > Create New.

  2. Find the CIEM Azure source type and select Configure.

  3. Enter a source name.

  4. Enter a description for your source.

  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.

  6. (Optional) Select a governance group for source management.

  7. Select Connection Settings.

  8. Enter your client ID.

  9. Enter your tenant ID.

  10. Enter your client secret.

  11. (Optional) Enter up to 250 instance IDs, separated by commas. These are the Application IDs used to resolve Microsoft Entra ID accounts with federated IAM roles in AWS. Refer to the Microsoft Entra ID documentation for more information.

  12. Select Save.

  13. Select Review and Test.

  14. Review the configuration details and select Test Connection. A successful test is required for SailPoint CIEM to gather data for this source.

    Note

    If the test connection fails, you can use the Search query name:"Test_connection Source Failed" for more information.

  15. (Optional) After a successful test connection, you can set the source scope.

When you have completed your configuration, follow the directions to aggregate your data and then mark the entitlement types that grant cloud access.
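The connection settings above map directly onto an Entra app registration and a client-credentials token grant, and a failed Test Connection is most often a bad field value rather than a connector problem. The following pre-flight check is an added example, not SailPoint's code: it validates the form fields the steps ask for (GUID client ID and tenant ID, a non-blank secret, at most 250 comma-separated Application IDs in the instance ID field) and builds the token request the app registration must be able to complete. The token endpoint is Microsoft's standard v2.0 endpoint; requesting the Azure Resource Manager scope is an assumption, because the page does not state which Azure permissions the CIEM app needs. The GUIDs in the `__main__` block are constructed placeholders.

```python
"""Pre-flight check for SailPoint CIEM Azure connection settings.

Added example, not SailPoint's code. Validates the source form fields and
builds the Entra client-credentials token request that the app registration
behind those fields must be able to complete. Assumption: the connector reads
Azure Resource Manager, so the token is requested for the ARM scope; the page
does not name the scope or role.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
MAX_INSTANCE_IDS = 250  # limit stated in the source configuration steps
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"  # assumption, see docstring


def parse_instance_ids(raw: str) -> list[str]:
    """Split the comma-separated instance ID field; enforce the 250 limit and
    the GUID format (instance IDs are Application IDs)."""
    ids = [s.strip() for s in raw.split(",") if s.strip()]
    if len(ids) > MAX_INSTANCE_IDS:
        raise ValueError(
            f"{len(ids)} instance IDs; the field accepts at most {MAX_INSTANCE_IDS}"
        )
    bad = [i for i in ids if not GUID_RE.match(i)]
    if bad:
        raise ValueError(f"instance IDs must be Application ID GUIDs; rejected {bad}")
    return ids


def validate_settings(
    client_id: str, tenant_id: str, client_secret: str, instance_ids: str = ""
) -> dict:
    """Return {"ok", "problems", "instance_ids"} for the form values."""
    problems: list[str] = []
    if not GUID_RE.match(client_id):
        problems.append("client ID is not a GUID")
    if not GUID_RE.match(tenant_id):
        problems.append("tenant ID is not a GUID")
    # A pasted secret with surrounding whitespace is a classic cause of a
    # failed test connection that looks correct in the form.
    if not client_secret or client_secret != client_secret.strip():
        problems.append("client secret is empty or has surrounding whitespace")
    parsed: list[str] = []
    try:
        parsed = parse_instance_ids(instance_ids)
    except ValueError as exc:
        problems.append(str(exc))
    return {"ok": not problems, "problems": problems, "instance_ids": parsed}


def build_token_request(client_id: str, tenant_id: str, client_secret: str) -> tuple[str, bytes]:
    """OAuth 2.0 client-credentials body for the tenant's v2.0 token endpoint."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode(
        {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": ARM_SCOPE,
        }
    ).encode()
    return url, body


def check_credentials(client_id: str, tenant_id: str, client_secret: str) -> bool:
    """Send the request (needs network). True if Entra issued a token; on
    failure, print the AADSTS error body so you know whether the secret, the
    app, or the tenant is wrong before retrying Test Connection in the source."""
    url, body = build_token_request(client_id, tenant_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        print(exc.read().decode(errors="replace")[:400])
        return False


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own app registration.
    cid = "11111111-2222-3333-4444-555555555555"
    tid = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(validate_settings(cid, tid, "replace-me", cid + "," + tid))
```

Run `validate_settings` on the values you intend to paste into the form first; only call `check_credentials` (which contacts login.microsoftonline.com) once the fields validate, so that a failure you then see can be attributed to the app registration or its role assignment rather than to a typo.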

Setting Source Scope for VA-Based Connections

By default, SailPoint CIEM reads all of your cloud infrastructure and automatically discovers changes to it. If you are using a VA-based connection, you can exclude scopes so that SailPoint CIEM does not include data for those subscriptions.

When you exclude scopes, SailPoint CIEM reads and includes data only from the scopes you selected. With Auto-Include Scopes disabled, new and deleted subscriptions in your cloud system are still detected, but new subscriptions are not included in your SailPoint CIEM data until you select them individually or reenable Auto-Include Scopes. Access granted in a subscription you have not selected is therefore invisible to SailPoint CIEM, and to any certification that relies on its data, until you include it.

To change the scope of your included source data when using a VA-based connector:

  1. In the CIEM Azure source, select Cloud Scopes under Aggregation and Provisioning.
  2. Use the checkboxes to change which subscriptions are included. Removing a scope disables Auto-Include Scopes.
  3. Select Save.

Notes

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by SailPoint CIEM. This is separate from aggregation.
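The interaction between Auto-Include Scopes, the detected inventory, and your selection is where coverage gaps appear: a subscription created after you excluded one scope is detected at the next refresh but silently left out. The following model is an added example, not SailPoint code. It encodes the behaviour described above and reports blind spots, the subscriptions that have been detected but are not being read. The subscription names are constructed, and it is an assumption that a deleted subscription drops out of your selection at the next refresh.

```python
"""Coverage audit for CIEM Azure cloud scopes (added example, not SailPoint code).

Models the Auto-Include Scopes behaviour: with it on, every subscription in the
refreshed inventory is read; with it off, only the selected ones are, and newly
detected subscriptions stay out until you select them or reenable auto-include.
Assumption: a deleted subscription drops out of the selection at refresh time.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CloudScopes:
    auto_include: bool = True
    selected: set[str] = field(default_factory=set)   # checkboxes ticked
    inventory: set[str] = field(default_factory=set)  # what Last Refreshed detected

    def refresh(self, subscriptions: list[str]) -> None:
        """Inventory refresh: new and deleted subscriptions are detected.
        New ones are only auto-selected when auto_include is on."""
        self.inventory = set(subscriptions)
        self.selected &= self.inventory  # assumption: deleted subs cannot stay selected
        if self.auto_include:
            self.selected = set(self.inventory)

    def exclude(self, subscription: str) -> None:
        """Unticking a subscription disables Auto-Include Scopes (as the page states)."""
        self.auto_include = False
        self.selected.discard(subscription)

    def include(self, subscription: str) -> None:
        """Tick a detected subscription; unknown IDs are rejected, matching a UI
        that only offers what the last refresh found."""
        if subscription not in self.inventory:
            raise KeyError(f"{subscription} has not been detected by a refresh")
        self.selected.add(subscription)

    def reenable_auto_include(self) -> None:
        self.auto_include = True
        self.selected = set(self.inventory)

    def included(self) -> set[str]:
        """Subscriptions whose data CIEM will read."""
        return set(self.inventory) if self.auto_include else set(self.selected)

    def blind_spots(self) -> set[str]:
        """Detected but not read: access granted here is invisible to CIEM."""
        return self.inventory - self.included()


def audit() -> dict:
    """Walk through the scenario the page warns about and return the blind
    spots at each step (constructed subscription names)."""
    cs = CloudScopes()
    cs.refresh(["sub-prod", "sub-dev"])
    steps = {"initial": cs.blind_spots()}
    cs.exclude("sub-dev")                     # auto-include is now off
    cs.refresh(["sub-prod", "sub-dev", "sub-new"])
    steps["after_new_subscription"] = cs.blind_spots()
    cs.include("sub-new")
    steps["after_manual_include"] = cs.blind_spots()
    cs.reenable_auto_include()
    steps["after_reenable"] = cs.blind_spots()
    return steps


if __name__ == "__main__":
    for step, gaps in audit().items():
        print(f"{step:25s} blind spots: {sorted(gaps) or '-'}")
```

Compare `blind_spots()` against the Last Refreshed inventory whenever you change scope selection, and treat a non-empty result as subscriptions whose role assignments are not entering your aggregation or certification campaigns.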
