Tutorial: Configure SAP Analytics Cloud for automatic user provisioning

This tutorial describes the steps you need to perform in both SAP Analytics Cloud and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users and groups to SAP Analytics Cloud using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.

Note

We are working with SAP to deploy a new gallery application that provides a single point to configure your SAP Analytics Cloud application.

Capabilities supported

  • Create users in SAP Analytics Cloud
  • Remove users in SAP Analytics Cloud when they do not require access anymore
  • Keep user attributes synchronized between Microsoft Entra ID and SAP Analytics Cloud
  • Single sign-on to SAP Analytics Cloud (recommended)

Prerequisites

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

  • A Microsoft Entra tenant
  • A user account in Microsoft Entra ID with permission to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
  • A SAP Analytics Cloud tenant
  • A user account on SAP Identity Provisioning admin console with Admin permissions. Make sure you have access to the proxy systems in the Identity Provisioning admin console. If you don't see the Proxy Systems tile, create an incident for component BC-IAM-IPS to request access to this tile.
  • An OAuth client with authorization grant Client Credentials in SAP Analytics Cloud. To learn how, see: Managing OAuth Clients and Trusted Identity Providers

Note

This integration is also available to use from Microsoft Entra US Government Cloud environment. You can follow the steps below and configure it in the same way as you do from public cloud.

Step 1: Plan your provisioning deployment

  1. Learn about how the provisioning service works.
  2. Determine who is in scope for provisioning.
  3. Determine what data to map between Microsoft Entra ID and SAP Analytics Cloud.

Step 2: Configure SAP Analytics Cloud to support SSO with Microsoft Entra ID

Follow the set of instructions available for our SAP Cloud analytics SSO tutorial

Step 3: Create Microsoft Entra groups for your SAP business roles

Create Microsoft Entra groups for your SAP business roles

Step 4: Map the created groups to your SAP business roles

Go to SAP Help Portal to map the created groups to your business roles. If you get stuck, you can get further guidance from SAP Blogs

Step 5: Assign Users as members of the Microsoft Entra groups

Assign users as members of the Microsoft Entra groups and give them app role assignments

  • Start small. Test with a small set of users and groups before rolling out to everyone.

Check the users have the right access in SAP downstream targets and when they sign in, they have the right roles.