Skip to content

Connecting Azure and CIEM

Once you have configured your Microsoft Entra ID account, you can connect it to CIEM using a SaaS connector or VA-based connector:

Choose your next step based on your configuration

When you have completed the steps for your connection type, aggregate and mark the entitlement types that grant cloud access. You can then view the effective access those entitlements grant on aggregated Azure cloud resources and include cloud entitlements in certification campaigns.

FedRamp Limitations

SailPoint CIEM FedRamp customers can register a maximum of 650 Azure subscriptions.

Using the Microsoft Entra ID SaaS Connector

If you are using Microsoft Entra SaaS, follow the connector guide to enable SailPoint CIEM.

After a successful test connection, you can optionally set the source scope before aggregating accounts and marking the entitlement types that grant cloud access.

Note

If you previously configured both the Microsoft Entra ID SaaS and SailPoint CIEM Azure connectors, you do not need to take additional action to continue receiving your data.

Setting Source Scope for SaaS-Based Connections

By default, SailPoint CIEM reads and automatically discovers changes to your cloud infrastructure. You can choose to exclude scopes to prevent SailPoint CIEM from including data for those accounts.

When you exclude scopes, SailPoint CIEM will only read and include data from selected scopes. When Auto-Include Scopes is disabled, new and deleted subscriptions in your cloud system will be detected, but SailPoint CIEM will not automatically include data from new scopes until you select the subscriptions individually or reenable Auto-Include Scopes.

To change the scope of your included source data when using a SaaS-based connector:

  1. In the Microsoft Entra ID SaaS source, select Cloud Scopes under Aggregation and Provisioning.

  2. Use the checkboxes to change which subscriptions are included. Removing a scope disables Auto-Include Scopes.

    List of cloud scopes. 3 are deselected and Auto-Include Scopes is disabled.

  3. Select Save.

Notes

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by SailPoint CIEM. This is separate from aggregation.

You will next aggregate accounts and mark the entitlement types that grant cloud access.

Using the Microsoft Entra ID VA-Based Connector

If you are onboarding SailPoint CIEM using a VA-based connector instead of SaaS, you must configure both the Microsoft Entra ID (formerly Azure Active Directory) identity governance connector and the SailPoint CIEM Azure connector.
Microsoft Entra ID (formerly Azure Active Directory) VA-based connector   Allows you to manage your Azure users and groups in Identity Security Cloud on virtual appliances.

If your organization has licensed a SailPoint cloud management solution, it will also gather data about the cloud access granted to users through their Azure management groups, subscriptions, resource groups, and role assignments.
SailPoint CIEM Azure connector                   Works with your Microsoft Entra ID identity governance connector to collect cloud resource data and display the effective access an identity has on aggregated cloud resources from your Azure systems.

You may connect the VA-based and SailPoint CIEM Azure sources in any order.

Connecting the Microsoft Entra ID VA-Based Connector

  1. Follow the SailPoint Connector guide to configure or edit the Microsoft Entra ID (formerly Azure Active Directory) connector.

  2. In the Feature Management configuration, select the Manage Cloud Resources checkbox to enable it to gather cloud data.

For more information about the cloud objects managed through the identity governance connector, refer to Group Management for Azure Cloud Objects.

You must then configure the CIEM Azure connector to display all access users have to your cloud resources.

Connecting SailPoint CIEM Azure

The SailPoint CIEM Azure source pulls daily data about the cloud resources your Azure IaaS users can access.

To register SailPoint CIEM Azure:

  1. Go to Admin > Connections > Sources > Create New.

  2. Find the CIEM Azure source type and select Configure.

  3. Enter a source name.

  4. Enter a description for your source.

  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.

  6. (Optional) Select a governance group for source management.

  7. Select Connection Settings.

  8. Enter your client ID.

  9. Enter your tenant ID.
  10. Enter your client secret.
  11. (Optional) Enter up to 250 instance IDs, separated by commas. These are the Application IDs used to resolve Microsoft Entra ID accounts with federated IAM roles in AWS. Refer to the Microsoft Entra ID documentation for more information and guidance on finding your application IDs.
  12. If you are using GCC or GCC High, select the tenant type.
  13. Select Save.
  14. Select Review and Test.

  15. Review the configuration details and select Test Connection. A successful test is required for SailPoint CIEM to gather data for this source.

    Note

    If the test connection fails, you can use the Search query name:“Test_connection Source Failed” for more information.

  16. (Optional) After a successful test connection, you can set the source scope.

When you have completed your configuration, follow the directions to aggregate your data and then mark the entitlement types that grant cloud access.

Setting Source Scope for VA-Based Connections

By default, SailPoint CIEM reads and automatically discovers changes to your cloud infrastructure. If you are using a VA, you can choose to exclude scopes to prevent SailPoint CIEM from including data for those accounts.

When you exclude scopes, SailPoint CIEM will only read and include data from selected scopes. When Auto-Include Scopes is disabled, new and deleted subscriptions in your cloud system will be detected, but they will not be automatically included in your SailPoint CIEM data until you select them individually or reenable Auto-Include Scopes.

To change the scope of your included source data when using a VA-based connector:

  1. In the CIEM Azure source, select Cloud Scopes under Aggregation and Provisioning.

  2. Use the checkboxes to change which subscriptions are included. Removing a scope disables Auto-Include Scopes.

    List of cloud scopes. 3 are deselected and Auto-Include Scopes is disabled.

  3. Select Save.

Notes

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by SailPoint CIEM. This is separate from aggregation.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.