Skip to content

Connecting Azure and SailPoint CIEM

Once you have configured your Microsoft Entra ID account, you can connect it to IdentityNow to display the total effective access users have to your cloud systems and resources.

You can connect CIEM using a single SaaS connector or by configuring both a virtual appliance (VA) and CIEM Azure connector.

When you have completed your SaaS or VA connection, you will aggregate your accounts and entitlements and mark the entitlements related to cloud access. This will allow you to view the cloud access granted through entitlements and include those entitlements in certification campaigns.

FedRamp Limitations

CIEM FedRamp customers can register a maximum of 650 Azure subscriptions.

Onboarding CIEM Using the Microsoft Entra SaaS Connector

If you are using Microsoft Entra SaaS, follow the connector guide to enable CIEM.

After a successful test connection, you can mark the entitlement types that grant cloud access.


If you previously configured both the Entra SaaS and CIEM Azure connectors, you do not need to take additional action to continue receiving your data.

Onboarding CIEM Using a VA Source

If you are onboarding CIEM using a VA-based connector, you must configure both the Microsoft Entra ID identity governance and CIEM Azure cloud governance connectors.

Microsoft Entra ID VA connector   Allows you to manage your Azure users and groups in IdentityNow on virtual appliances (VA).

If your organization has licensed a SailPoint cloud management solution, it will also gather data about the cloud access granted to users through their Azure management groups, subscriptions, resource groups, and role assignments.
CIEM Azure cloud governance connector                   Works with your Microsoft Entra ID identity governance connector to collect cloud resource data and display the total access an identity has to your cloud systems.

You may connect the VA and CIEM Azure cloud governance sources in any order.

Connecting the Microsoft Entra ID VA Source

  1. Follow the Connector guide to configure or edit the Microsoft Entra ID connector.

  2. In the Feature Management configuration, select the Manage Cloud Resources checkbox to enable it to gather cloud data.

For more information about the cloud objects managed through the identity governance connector, refer to Group Management for Azure Cloud Objects.

You must then configure the CIEM Azure cloud governance connector to display all access users have to your cloud resources.

Connecting Azure Cloud Governance

The CIEM Azure source pulls daily data about the cloud resources your Azure IaaS users can access.

To register CIEM Azure:

  1. Go to Admin > Connections > Sources > Create New.

  2. Find and select the CIEM Azure source type.

  3. Enter a source name.

  4. Enter a description for your source.

  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.

  6. (Optional) Select a governance group for source management.

  7. Select Connection Settings.

  8. Enter your client ID.

  9. Enter your tenant ID.
  10. Enter your client secret.
  11. (Optional) Enter up to 250 instance IDs, separated by commas. These are the Application IDs used to resolve Microsoft Entra ID accounts with federated IAM roles in AWS. Refer to the Microsoft Entra ID documentation for more information.
  12. Select Save.
  13. Select Review and Test.
  14. Review the configuration details and select Test Connection. A successful test is required for CIEM to gather data for this source.


    If the test connection fails, you can use the Search query name:“Test_connection Source Failed” for more information.

  15. (Optional) After a successful test connection, you can set the source scope.

When you have completed your configuration, you will mark the entitlement types that grant cloud access.

Setting Source Scope for VA-Based Connections

By default, CIEM reads and automatically discovers changes to your cloud infrastructure. If you are using a VA, you can choose to exclude scopes to prevent CIEM from including data for those accounts.

When you exclude scopes, CIEM will only read and include data from selected scopes. When Auto-Include Scopes is disabled, new and deleted subscriptions in your cloud system will be detected, but they will not be automatically included in your CIEM data until you select them individually or reenable Auto-Include Scopes.

To change the scope of your included source data when using a VA connector:

  1. In the CIEM Azure source, select Cloud Scopes under Aggregation and Provisioning.
  2. Use the checkboxes to change which subscriptions are included. Removing a scope disables Auto-Include Scopes.
  3. Select Save.


  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by CIEM. This is separate from aggregation.