Hybrid architecture SailPoint

Taha 80 Reputation points
2023-03-06T20:27:53.5433333+00:00

Hello experts:

We have an identity governance solution in the org, and we're now in the process of integrating with Azure. I have the following questions that I'm hoping you'd be able to help me with:

  1. What's the best recommendation for SailPoint to be implemented in the hybrid architecture (Local AD + Azure AD)?
     Should we configure provisioning/deprovisioning of accounts/groups on local AD and let it sync with Azure AD, OR should we integrate with Azure AD as well and provision/deprovision users/groups independently from both AD and Azure AD?
  2. Is there a need to integrate SailPoint with M365 applications (Teams, Exchange Online, SharePoint, etc.) as well, or should Azure AD integration be sufficient?
  3. What are the use cases I can achieve by having Azure AD integration with SailPoint that I cannot achieve with just local AD integration (esp. for write operations)?

Thanks much,

Microsoft Entra ID

Accepted answer
  JamesTran-MSFT 36,631 Reputation points Microsoft Employee
    2023-03-10T00:46:31.68+00:00

    @Taha

    Thank you for your post and I apologize for the delayed response! From your issue, I'll do my best to point you in the right direction and will summarize your issue below for my understanding.


    Summary:

    • SailPoint Identity IQ (on-prem) is currently used for Identity Governance - on/offboarding, transferring, etc.
    • You have your own 3rd party SSO/MFA solution and aren't looking for Azure AD SSO integration with SailPoint.
    • When it comes to Azure AD synchronization, you plan to keep Privileged accounts and groups within your local on-prem Active Directory, which is why integration between SailPoint and your on-prem AD is required.
    • Currently, you only have Azure AD for Microsoft Apps, and your local AD for on-prem apps.

    Issue:

    Since you have SailPoint as your Identity Governance solution, you're now in the process of integrating SailPoint with Azure AD and have the questions below.

    What's the best recommendation for SailPoint to be implemented in the hybrid architecture (Local AD + Azure AD)? Should we configure provisioning/deprovisioning of accounts/groups on local AD and let it sync with Azure AD OR should we integrate with Azure AD as well and provision/deprovision users/groups independently from both AD and Azure AD?

    • I'm not familiar with SailPoint but I found some integration docs, and referencing the SailPoint IIQ integration with Azure AD article - it looks like the architecture points to configuring the provisioning of accounts/groups within your local AD and syncing those to SailPoint Azure Active Directory via the SailPoint Azure Active Directory connector.
    • The SailPoint Azure Active Directory connector should automatically aggregate user accounts, group permissions, and Microsoft Access Panel tiles, and map each of these to the SailPoint Identity Cube. For more info - Identity Governance for Microsoft Azure Active Directory Customers.

    Is there a need to integrate SailPoint with M365 applications (Teams, Exchange online, SharePoint, etc.) as well or should Azure AD integration be sufficient?

    • From the SailPoint documentation, there's a list of M365 applications that are supported, and it looks like they might need to be configured separately when configuring the SailPoint Azure AD connector.
    • For example, you'll need to ensure the "Manage Microsoft/Office 365 Groups" checkbox is checked when configuring Microsoft Teams, since it's aggregated as Microsoft 365 Groups. For more info - SailPoint Microsoft Teams.

    What are the use cases I can achieve by having Azure AD integration with SailPoint that I cannot achieve with just local AD integration (esp. for write operations)?

    • One benefit you can achieve by integrating SailPoint with Azure AD is that the integration adds support for self-service access requests and approvals. Additionally, the integration propagates access changes based on employee lifecycle events like join, move, or leave across all applications (cloud or on-premises) to ensure that access is granted according to business policy. For more info - Azure AD and SailPoint.

    I hope the information I provided is useful, and since the documentation for integration seems to be primarily on the SailPoint side, I'd also recommend reaching out to the SailPoint Support team via their Support Portal or Compass - SailPoint Community, so their experts can look into your issue as well.

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    I also noticed that your recent experience was not helpful, and to better improve our processes and learn from our customers, I'm eager to know what could have been done better. Please also feel free to take a re-survey on the relevant answer and help us further improve by leaving feedback verbatim as needed.
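The model the accepted answer points to (provision and deprovision in local AD, let directory sync populate Azure AD) makes on-prem AD the single source of truth for access. What a practitioner then wants is a periodic drift check that flags anything escaping that path: accounts created directly in Azure AD, leavers disabled on-prem but still enabled in the cloud, and group memberships that diverge. The script below is an added example for this thread, not code from SailPoint or Microsoft. Both directory snapshots are constructed sample data; in practice they would come from an AD export and a Microsoft Graph user listing, and the `synced_from_on_prem` field is modelled on Graph's `onPremisesSyncEnabled` property (that mapping is an assumption of the example).

```python
"""Drift check for a hybrid identity setup where on-prem AD is the provisioning
source of truth and Azure AD (Entra ID) is populated by directory sync.

Added example for this thread; not SailPoint or Microsoft code. The snapshots
below are constructed sample data. In a real deployment they would come from an
AD export and a Microsoft Graph user listing (the synced_from_on_prem field is
modelled on Graph's onPremisesSyncEnabled property; that mapping is an assumption).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class OnPremAccount:
    upn: str
    enabled: bool
    groups: frozenset


@dataclass(frozen=True)
class CloudAccount:
    upn: str
    enabled: bool
    synced_from_on_prem: bool  # False means the object was created directly in Azure AD
    groups: frozenset


def _index(accounts):
    """Key a list of accounts by UPN for direct lookups."""
    return {a.upn: a for a in accounts}


# Constructed on-prem AD snapshot: what SailPoint provisioned (or deprovisioned).
ON_PREM_SNAPSHOT = _index([
    OnPremAccount("alice@corp.example", True, frozenset({"Finance"})),
    OnPremAccount("bob@corp.example", False, frozenset({"Sales"})),         # leaver, disabled on-prem
    OnPremAccount("carol@corp.example", True, frozenset({"HR", "Payroll"})),
    OnPremAccount("erin@corp.example", True, frozenset({"Finance"})),      # joiner, not yet synced
])

# Constructed Azure AD snapshot: what the cloud side actually looks like.
CLOUD_SNAPSHOT = _index([
    CloudAccount("alice@corp.example", True, True, frozenset({"Finance"})),
    CloudAccount("bob@corp.example", True, True, frozenset({"Sales"})),     # still enabled in the cloud
    CloudAccount("carol@corp.example", True, True, frozenset({"HR"})),       # Payroll membership missing
    CloudAccount("dave@corp.example", True, False, frozenset({"Teams Admins"})),  # created directly in Azure AD
])


def reconcile(on_prem, cloud):
    """Compare the two snapshots and return sorted (kind, upn, detail) findings.

    Each finding is a case where the cloud directory does not reflect what the
    on-prem provisioning source says, i.e. access that governance cannot see or
    has not yet removed.
    """
    findings = []
    for upn, c in cloud.items():
        if not c.synced_from_on_prem:
            findings.append(("cloud_only", upn,
                             "exists only in Azure AD; outside the on-prem provisioning path"))
            continue
        o = on_prem.get(upn)
        if o is None:
            findings.append(("orphaned_in_cloud", upn,
                             "flagged as synced but no matching on-prem object"))
            continue
        if not o.enabled and c.enabled:
            findings.append(("deprovisioning_not_propagated", upn,
                             "disabled on-prem but still enabled in Azure AD"))
        missing = sorted(o.groups - c.groups)
        extra = sorted(c.groups - o.groups)
        if missing or extra:
            findings.append(("group_drift", upn,
                             f"missing in cloud: {missing}; only in cloud: {extra}"))
    for upn in on_prem:
        if upn not in cloud:
            findings.append(("not_synced", upn,
                             "on-prem account has no Azure AD counterpart (sync lag or filtered OU)"))
    return sorted(findings)


def summarize(findings):
    """Count findings per kind; a non-zero count is a reasonable thing to alert on."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    results = reconcile(ON_PREM_SNAPSHOT, CLOUD_SNAPSHOT)
    for kind, upn, detail in results:
        print(f"{kind:30} {upn:22} {detail}")
    print(summarize(results))
```

If the organisation instead chooses the second option from the question (SailPoint writes to both directories independently), the same check still applies, but `cloud_only` findings stop being a signal by themselves and the comparison has to be made against SailPoint's own record of what it intended to provision.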


1 additional answer

  JimmySalian-2011 42,146 Reputation points
    2023-03-06T20:44:43.4866667+00:00

    Hi Taha,

    If there is no requirement for on-premises AD + SailPoint, I would prefer that you integrate directly with Azure AD.

    So within Azure AD you can integrate SailPoint as an SSO application, and detailed steps are listed here in Azure Docs - https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sailpoint-identitynow-tutorial

    Answer to your question 2 - There is no need for other integration; AAD should be enough to cover all other aspects.

    Also, if you check the SailPoint docs, they refer to and prefer Azure AD integration and moving away from duplicating efforts on-premises; in fact, you manage mostly all the attributes and provision users via Azure AD - https://documentation.sailpoint.com/connectors/microsoft/azure_ad/help/integrating_azure_active_directory/create_account_policy.html

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

