
SAP IDM to Entra: Customize Access Governance Workflows

Martin Raepple

Identity EntraID


Episode #246

Introduction

In episode 246 of our SAP on Azure video podcast we talk about SAP Identity Management and Microsoft Entra ID. Since the announcement from SAP about SAP IDM, a lot of customers have already started their journey to move to Entra ID. We have had several customers talking about their experience and also hosted several hands-on sessions. Martin Raepple is a key player in most of these discussions, and today we want to show in more detail how the journey is evolving. Today he shows us how to integrate Microsoft Entra with SAP Cloud Identity Services and leverage Microsoft Entra’s advanced features to migrate and modernize existing SAP IDM workflows, using self-service UIs, integration with SAP data sources, and much more.

Find all the links mentioned here: https://www.saponazurepodcast.de/episode246

Reach out to us for any feedback / questions:

#Microsoft #SAP #Azure #SAPonAzure #SSO #IDM #EntraID #SAPIAS #Governance

Summary created by AI

  • Holger and Martin introduced the SAP on Azure video podcast, discussing the transition from SAP IDM to Microsoft Entra ID and the integration of advanced features for modernizing SAP IDM workflows.
    • Podcast Introduction: Holger welcomed everyone to episode 246 of the SAP on Azure video podcast, mentioning the date and the focus on SAP and Microsoft integration. He highlighted the transition from SAP IDM to Microsoft Entra ID and the experiences shared by several customers who have started their journey.
    • Customer Experiences: Holger mentioned that several customers have shared their experiences and participated in hands-on sessions regarding the transition to Entra ID. Martin Raepple was identified as a key player in these discussions, and the podcast aimed to provide detailed insights into the evolving journey.
    • Integration Details: Holger outlined the integration of Microsoft Entra ID with SAP Cloud Identity Services, leveraging advanced features to migrate and modernize existing SAP IDM workflows. This includes self-service UIs, integration with SAP data sources, and more.
  • Martin’s Role and Collaboration with SAP:
  • Martin explained his role at Microsoft, focusing on identity and access management collaboration with SAP, and highlighted the intensified collaboration since SAP announced the end of life for SAP Identity Management.
    • Martin’s Introduction: Martin introduced himself, mentioning his tenure at Microsoft for almost 5.5 years and his role in engineering, particularly focusing on customer SAP in various areas, with a significant emphasis on identity and access management collaboration.
    • Collaboration History: Martin detailed the history of collaboration with SAP, which intensified significantly after the announcement in February 2024 at the DSAG technology days that SAP Identity Management would go end of life. SAP chose Entra as the recommended path for migrating SAP IDM customers.
    • Ongoing Activities: Martin described the ongoing intense collaboration with DSAG to guide customers and partners on migration journeys, closely working with engineering teams from both Microsoft and SAP to handle the necessary development work.
  • Migration Guide and Hands-On Sessions:
  • Martin discussed the development of a migration guide and hands-on sessions to assist customers in migrating from SAP IDM to Entra, emphasizing the importance of scenario-driven guidance.
    • Migration Guide: Martin mentioned the creation of a comprehensive migration guide available at a short URL, providing scenario-driven guidance for various migration scenarios from SAP IDM to Entra.
    • Hands-On Sessions: Martin developed hands-on sessions and published blog posts focusing on specific scenarios to provide practical experience and detailed guidance for SAP IDM customers migrating to Entra.
    • Episode Reference: Martin referenced episode 203 of the podcast, which provided a general overview of the SAP IDM migration program to Entra, featuring contributions from colleagues Mark Wall and Chris from SAP.
  • Reference Architecture for Integration:
  • Martin presented a reference architecture for integrating SAP IDM with Entra, highlighting key components such as Entra ID governance, connectors to SuccessFactors, and integration with SAP Cloud Identity Services.
    • Reference Architecture Overview: Martin presented a reference architecture that outlines the integration or migration from SAP IDM to Entra, focusing on key components such as Microsoft Entra, Entra ID governance, and connectors to SuccessFactors.
    • Key Components: Martin highlighted the importance of various components within the reference architecture, including Entra ID governance, connectors to SuccessFactors, and integration with SAP Cloud Identity Services for provisioning and federation.
    • Integration Enhancements: Martin mentioned ongoing enhancements and further development on both sides to improve the integration between Entra and SAP Cloud Identity Services, particularly for provisioning and federation.
  • Customization of Access Governance Workflows:
  • Martin detailed the customization of access governance workflows using Azure Logic Apps and SAP BTP Integration Suite, focusing on dynamically determining approvers based on business context.
    • Workflow Customization: Martin explained the customization of access governance workflows using Azure Logic Apps and SAP BTP Integration Suite, emphasizing the dynamic determination of approvers based on business context such as cost centers or company codes.
    • Integration Suite Role: Martin described the role of SAP BTP Integration Suite in implementing integration flows and logic, utilizing the connectivity service to securely connect to backend systems and retrieve necessary business context data.
    • Logic App Functionality: Martin highlighted the functionality of Azure Logic Apps in breaking out of the approval process to implement custom logic for determining approvers, including requesting tokens from BTP and calling integration suite endpoints.
  • Dynamic Approver Logic App:
  • Martin explained the steps involved in the dynamic approver logic app, including requesting a token from BTP, calling the integration suite endpoint, and retrieving the approver’s object ID from Entra ID.
    • Token Request: Martin detailed the first step of the dynamic approver logic app, which involves requesting an access token from BTP using OAuth client ID and secret obtained from the integration suite service key.
    • Integration Suite Call: Martin described the process of calling the integration suite endpoint with the obtained token to trigger an OData call and retrieve the approver’s e-mail address from the backend system.
    • Graph API Call: Martin explained the final step of the logic app, which involves calling the Microsoft Graph API to convert the approver’s e-mail address into the object ID required by Entra ID governance.
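The three steps above (client-credentials token from BTP, integration flow call that returns the approver's e-mail, Graph lookup that turns the e-mail into an Entra object ID) map directly onto plain HTTP calls. The following is an added example, not code from the episode or from Microsoft's or SAP's own tooling: it implements the same sequence in Python against an injectable transport, so it runs offline with a constructed in-memory backend. All URLs, client credentials, the `companyCode` query parameter, the `approverEmail` response field and the sample data (company code DE07 resolving to John Doe) are assumptions made for the demo; in a real Logic App the Graph token would typically come from a managed identity rather than a pre-acquired string.

```python
"""Dynamic approver lookup: BTP token -> integration flow -> Graph object ID.

Added example with placeholder endpoints and constructed sample data; it is not
the Logic App from the episode. The transport is injected so the flow can be
exercised offline.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# A transport takes (method, url, headers, body) and returns (status, json_dict).
# Production code would wrap urllib or requests; the demo below uses a fake.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


@dataclass(frozen=True)
class Config:
    btp_token_url: str    # OAuth token endpoint from the Integration Suite service key (placeholder)
    client_id: str        # clientid from the service key (placeholder)
    client_secret: str    # clientsecret from the service key (placeholder)
    iflow_url: str        # integration flow HTTPS endpoint that performs the OData call (placeholder)
    graph_token: str      # assumed pre-acquired Graph bearer token (placeholder)


def get_btp_token(cfg: Config, transport: Transport) -> str:
    """Step 1: OAuth 2.0 client-credentials grant, client authenticated via HTTP Basic."""
    basic = base64.b64encode(f"{cfg.client_id}:{cfg.client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, payload = transport("POST", cfg.btp_token_url, headers,
                                urlencode({"grant_type": "client_credentials"}).encode())
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(f"BTP token request failed with HTTP {status}")
    return payload["access_token"]


def lookup_approver_email(cfg: Config, token: str, company_code: str,
                          transport: Transport) -> str:
    """Step 2: call the integration flow; it queries the backend table and returns the approver."""
    url = f"{cfg.iflow_url}?{urlencode({'companyCode': company_code})}"
    status, payload = transport("GET", url, {"Authorization": f"Bearer {token}",
                                             "Accept": "application/json"}, None)
    if status != 200:
        raise RuntimeError(f"integration flow call failed with HTTP {status}")
    email = payload.get("approverEmail")
    if not email:
        # No approver row for this business context: fail closed rather than pick a default.
        raise LookupError(f"no approver configured for company code {company_code!r}")
    return email


def resolve_object_id(cfg: Config, email: str, transport: Transport) -> str:
    """Step 3: Graph /users?$filter=mail eq '...' ; single quotes are doubled per OData rules."""
    query = urlencode({"$filter": f"mail eq '{email.replace(chr(39), chr(39) * 2)}'",
                       "$select": "id,mail"})
    status, payload = transport("GET", f"https://graph.microsoft.com/v1.0/users?{query}",
                                {"Authorization": f"Bearer {cfg.graph_token}"}, None)
    if status != 200:
        raise RuntimeError(f"Graph call failed with HTTP {status}")
    users = payload.get("value", [])
    if len(users) != 1:
        # Zero or several matches would route the approval to nobody or to the wrong person.
        raise LookupError(f"expected exactly one user for {email!r}, found {len(users)}")
    return users[0]["id"]


def determine_approver(cfg: Config, company_code: str, transport: Transport) -> Dict[str, str]:
    """Full flow; the returned object ID is what the access package policy needs."""
    token = get_btp_token(cfg, transport)
    email = lookup_approver_email(cfg, token, company_code, transport)
    return {"approverEmail": email, "approverObjectId": resolve_object_id(cfg, email, transport)}


# ---- Constructed offline backend (sample data, not real tenants or systems) ----
DEMO_CFG = Config("https://tenant.authentication.example/oauth/token", "client-id-placeholder",
                  "client-secret-placeholder", "https://iflow.example/http/approver",
                  "graph-token-constructed")
SAMPLE_TABLE = {"DE07": "john.doe@contoso.example"}                       # custom table rows
SAMPLE_DIRECTORY = {"john.doe@contoso.example": "00000000-0000-0000-0000-000000000001"}


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
    """Emulates the three endpoints, including the credential checks each would perform."""
    query = parse_qs(urlparse(url).query)
    if method == "POST" and url == DEMO_CFG.btp_token_url:
        expected = base64.b64encode(b"client-id-placeholder:client-secret-placeholder").decode()
        if headers.get("Authorization") != f"Basic {expected}":
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": "btp-token-constructed", "token_type": "bearer"}
    if url.startswith(DEMO_CFG.iflow_url):
        if headers.get("Authorization") != "Bearer btp-token-constructed":
            return 401, {}
        email = SAMPLE_TABLE.get(query.get("companyCode", [""])[0])
        return 200, ({"approverEmail": email} if email else {})
    if url.startswith("https://graph.microsoft.com/v1.0/users"):
        if headers.get("Authorization") != f"Bearer {DEMO_CFG.graph_token}":
            return 401, {}
        match = re.fullmatch(r"mail eq '(.*)'", query.get("$filter", [""])[0])
        mail = match.group(1).replace("''", "'") if match else ""
        oid = SAMPLE_DIRECTORY.get(mail)
        return 200, {"value": [{"id": oid, "mail": mail}] if oid else []}
    return 404, {}


if __name__ == "__main__":
    print(determine_approver(DEMO_CFG, "DE07", fake_transport))
```

Two failure modes are deliberately fatal: an unknown company code and a Graph lookup that matches zero or several users both raise rather than falling back to a default approver, which is the behaviour you want when the result decides who can grant access.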
  • Access Package Configuration:
  • Martin demonstrated the configuration of an access package in Entra, including defining input fields for the requester and setting up the policy for determining the approver using the dynamic approver logic app.
    • Access Package Setup: Martin demonstrated the setup of an access package in Entra, showing how to define input fields for the requester, such as platform, programming language, and company code.
    • Policy Configuration: Martin explained the policy configuration within the access package, which includes defining the approval stages and specifying the dynamic approver logic app to determine the approver based on business context.
    • Group Assignment: Martin showed how the access package assigns specific groups to the user upon successful approval, such as the SAP BTP developer group, which is then included in the user’s access token.
  • Integration Suite and Cloud Connector:
  • Martin briefly described the setup of the integration suite and cloud connector, emphasizing the secure connection to the on-premise system and the use of OData services.
    • Integration Suite Setup: Martin described the setup of the integration suite, mentioning the creation of a trial instance and the use of tutorials for guidance.
    • Cloud Connector Configuration: Martin explained the configuration of the cloud connector, which involves setting up on-premise connections and exposing the necessary URL paths for invoking OData services.
  • Martin demonstrated how Tina Test accessed the My Access portal, requested the SAP Developer access package, and submitted the request with specific parameters like platform, programming language, and company code.
    • Portal Access: Martin showed how Tina Test accessed the My Access portal by copying the URL from the Entra Admin Center and opening it in an incognito window to ensure a fresh session.
    • Request Parameters: Martin detailed the parameters required for the access request, including platform, programming language, and company code. These parameters were configured in the policy of the access package.
    • Business Context: Martin explained the significance of the business context in determining the right approver. They used the company code to identify the appropriate approver for the access request.
  • Custom Table Verification:
  • Martin and Holger verified the custom table in the SAP system to ensure the correct approver, John Doe, was identified based on the parameters entered by Tina Test.
    • Custom Table Check: Martin and Holger logged into the SAP system and checked the custom table to verify the parameters entered by Tina Test. They confirmed that John Doe was the correct approver based on the company code DE 07.
    • Parameter Verification: Martin ran a query on the custom table to verify the parameters entered by Tina Test, including the platform type SAPBTP, programming language Java, and company code DE 07.
  • Dynamic Approval Logic App:
  • Martin and Holger checked the dynamic approval logic app to confirm that John Doe was determined as the approver and the request was successfully processed.
    • Logic App Verification: Martin and Holger checked the dynamic approval logic app to confirm that John Doe was determined as the approver. They verified the run history to ensure the request was successfully processed.
    • Response Verification: Martin showed the response from the service, which included the approver’s email and the internal ID of the user. This information was used to route the request to the right approver.
  • Approval by John Doe:
  • Martin logged into the My Access portal as John Doe, saw the pending request from Tina Test, and approved it.
    • John Doe Login: Martin logged into the My Access portal as John Doe and saw the pending request from Tina Test. He verified the details of the request and approved it.
    • Approval Confirmation: Martin confirmed that the request from Tina Test for the SAP Developer access package was approved by John Doe. This approval allowed Tina Test to proceed with the access.
  • Membership Verification:
  • Martin and Holger verified that Tina Test was added to the SAP BTP Developer group, allowing her to access the Business Application Studio.
    • Group Membership: Martin and Holger verified that Tina Test was added to the SAP BTP Developer group. This membership allowed her to access the Business Application Studio.
    • Access Confirmation: Martin confirmed that Tina Test’s membership in the SAP BTP Developer group was successfully updated, enabling her to log in to the Business Application Studio.
  • Role Collection Mapping:
  • Martin showed the role collection mapping in the BTP subaccount, confirming that the Business Application Studio Developer role collection was mapped to the SAP BTP Developer group.
    • Role Collection: Martin demonstrated the role collection mapping in the BTP subaccount, confirming that the Business Application Studio Developer role collection was mapped to the SAP BTP Developer group.
    • Mapping Verification: Martin verified the mapping of the Business Application Studio Developer role collection to the SAP BTP Developer group, ensuring that Tina Test had the necessary access.
  • Token Configuration:
  • Martin explained the token configuration in the application registration, which issues group memberships of the user in the token, allowing BTP to map the role collection to the user.
    • Token Setup: Martin explained the token configuration in the application registration, which issues group memberships of the user in the token. This configuration allows BTP to map the role collection to the user.
    • Configuration Details: Martin detailed the token configuration process, highlighting how it ensures that group memberships are included in the token, enabling automatic mapping of roles in BTP.
  • Business Application Studio Access:
  • Martin demonstrated that Tina Test could successfully log in to the Business Application Studio, confirming her access.
    • Login Process: Martin demonstrated the login process for Tina Test to access the Business Application Studio. He confirmed that Tina Test could successfully log in, verifying her access.
    • Access Confirmation: Martin confirmed that Tina Test’s access to the Business Application Studio was successful, as she could log in without encountering any unauthorized access issues.
  • Teams Notification Setup:
  • Martin showed the setup of the custom extension in the access package policy to send a Teams notification when a request is approved.
    • Notification Setup: Martin demonstrated the setup of the custom extension in the access package policy to send a Teams notification when a request is approved. This setup ensures timely notifications for approved requests.
    • Extension Configuration: Martin detailed the configuration of the custom extension, explaining how it sends adaptive cards with request information to a specific Teams channel accessible by the SOC team.
  • Teams Notification Verification:
  • Martin and Holger verified that the Teams notification was received in the SAP IAM Events channel, confirming the successful setup.
    • Notification Check: Martin and Holger verified that the Teams notification was received in the SAP IAM Events channel. They confirmed that the notification setup was successful and the SOC team was informed of the approved request.
    • Notification Details: Martin showed the details of the received Teams notification, confirming that it contained the correct information about the approved request from Tina Test.
  • Customization and Workflow Features:
  • Martin summarized the customization and workflow features in Entra ID governance, highlighting the use of Logic Apps for approval determination and other lifecycle events.
    • Customization Overview: Martin summarized the customization and workflow features in Entra ID governance, highlighting the use of Logic Apps for approval determination and other lifecycle events.
    • Logic Apps Usage: Martin emphasized the role of Logic Apps in customizing workflows and approval processes in Entra ID governance. He explained how Logic Apps can be used for various lifecycle events.