Manage access to your SAP applications

SAP likely runs critical functions, such as HR and ERP, for your business. At the same time, your business relies on Microsoft for various Azure services, Microsoft 365, and Microsoft Entra ID Governance for managing access to applications. This article describes how you can use Identity Governance to manage identities across your SAP applications.

Bring identities from HR into Microsoft Entra ID

SuccessFactors

Customers who use SAP SuccessFactors can easily bring identities into Microsoft Entra ID or on-premises Active Directory by using native connectors. The connectors support the following scenarios:

• Hiring new employees: When a new employee is added to SuccessFactors, a user account is automatically created in Microsoft Entra ID and optionally Microsoft 365 and other software as a service (SaaS) applications that Microsoft Entra ID supports. This process includes write-back of the email address to SuccessFactors.
• Employee attribute and profile updates: When an employee record is updated in SuccessFactors (such as name, title, or manager), the employee's user account is automatically updated in Microsoft Entra ID and optionally Microsoft 365 and other SaaS applications that Microsoft Entra ID supports.
• Employee terminations: When an employee is terminated in SuccessFactors, the employee's user account is automatically disabled in Microsoft Entra ID and optionally Microsoft 365 and other SaaS applications that Microsoft Entra ID supports.
• Employee rehires: When an employee is rehired in SuccessFactors, the employee's old account can be automatically reactivated or re-provisioned (depending on your preference) to Microsoft Entra ID and optionally Microsoft 365 and other SaaS applications that Microsoft Entra ID supports.

SAP HCM

Customers who still use SAP Human Capital Management (HCM) can also bring identities into Microsoft Entra ID. By using SAP Integration Suite, you can synchronize lists of workers between SAP HCM and SAP SuccessFactors. From there, you can bring identities directly into Microsoft Entra ID or provision them into Active Directory Domain Services by using the native provisioning integrations mentioned earlier.

Provide access to SAP applications

In addition to the native provisioning integrations that allow you to manage access to your SAP applications, Microsoft Entra ID supports a rich set of integrations with those applications.

Enable SSO

After you set up provisioning for your SAP applications, you can enable SSO for them. Microsoft Entra ID can serve as the identity provider and serve as the authentication authority for your SAP applications. Learn how to configure Microsoft Entra ID as the corporate identity provider for your SAP applications.

Provision identities into modern SAP applications

After your users are in Microsoft Entra ID, you can provision accounts into the various SaaS and on-premises SAP applications that they need access to. You have three ways to accomplish this:

• Use the enterprise application in Microsoft Entra ID to configure both single sign-on (SSO) and provisioning to SAP applications such as SAP Analytics Cloud. With this option, you can apply a consistent set of governance processes across all your applications.
• Use the SAP Identity Authentication Service (IAS) enterprise application in Microsoft Entra ID to provision identities into SAP IAS. After you bring all the identities into SAP IAS, you can use SAP IPS to provision the accounts from there into your applications when required.
• Use the SAP IPS integration to directly export identities from Microsoft Entra ID into your applications. When you're using SAP IPS to pull users into your applications, all provisioning configuration is managed in SAP directly. You can still use the enterprise application in Microsoft Entra ID to manage SSO and use Microsoft Entra ID as the corporate identity provider.

Provision identities into on-premises SAP systems that SAP IPS doesn't support

Customers who have yet to transition from applications such as SAP R/3 and SAP ERP Central Component (SAP ECC) to SAP S/4HANA can still rely on the Microsoft Entra provisioning service to provision user accounts. Within SAP R/3 and SAP ECC, you expose the necessary Business Application Programming Interfaces (BAPIs) for creating, updating, and deleting users. Within Microsoft Entra ID, you have two options:

• Use the lightweight Microsoft Entra provisioning agent and web services connector to provision users into apps such as SAP ECC.
• In scenarios where you need to do more complex group and role management, use Microsoft Identity Manager to manage access to your legacy SAP applications.

Trigger custom workflows

When a new employee is hired in your organization, you might need to trigger a workflow within your SAP server. By using the Microsoft Entra ID Governance lifecycle workflows in conjunction with the SAP connector in Azure Logic Apps, you can trigger custom actions in SAP upon hiring a new employee.

Check for separation of duties

With separation-of-duties checks in Microsoft Entra ID entitlement management, customers can ensure that users don't take on excessive access rights:

• Admins and access managers can prevent users from requesting additional access packages if they're already assigned to other access packages or are a member of other groups that are incompatible with the requested access.
• Enterprises with critical regulatory requirements for SAP apps have a single consistent view of access controls. They can then enforce separation-of-duties checks across their financial and other business-critical applications, along with Microsoft Entra integrated applications.
• With integration with Pathlock and other partner products, customers can take advantage of fine-grained separation-of-duties checks with access packages in Microsoft Entra ID. Over time, this ability will help customers address Sarbanes-Oxley and other compliance requirements.

Next steps

• Bring identities from SAP SuccessFactors into Microsoft Entra ID
• Provision accounts in SAP IAS