Integrating SAP HCM with Microsoft Entra ID Governance

Chetan Desai


Episode #253

Introduction

In episode 253 of our SAP on Azure video podcast we talk about integrating SAP HCM with Microsoft Entra ID Governance.

In previous episodes we have talked about the extensibility concept of Entra ID, Entra ID Governance and other SAP integrations. In a lot of customer scenarios, these integrations are relevant in the context of HCM. So today – after more than 3 years – I am happy to welcome Chetan Desai with us again. He recently published new guidance on integrating SAP HCM with Microsoft Entra ID Governance, using flexible provisioning options like CSV, SAP BAPI, or SAP IDocs.

Find all the links mentioned here: https://www.saponazurepodcast.de/episode253

Reach out to us for any feedback or questions.

#Microsoft #SAP #Azure #SAPonAzure #HCM #EntraID

Summary created by AI

  • Overview of SAP HCM and Microsoft Entra ID Integration Options: Chetan Desai, Holger, and Goran discussed the context and recent developments in integrating SAP HCM with Microsoft Entra ID, highlighting the deprecation of SAP’s identity solution and the resulting customer interest in new integration approaches.
    • Customer Demand and Context: Holger and Chetan explained that SAP’s deprecation of its identity solution has led to increased customer interest in integrating SAP HCM and SuccessFactors with Microsoft Entra ID, especially for organizations still running on-premises HCM or transitioning to SuccessFactors.
    • Integration Guidance Publication: Chetan described the recent publication of guidance for integrating SAP HCM with Entra ID, which was developed in response to customer and partner requests for flexible, modern integration options.
    • Integration Scenarios Overview: The team outlined three main integration scenarios: CSV file-based periodic sync, SAP BAPI-based scheduled sync, and SAP IDocs-based near real-time sync, each catering to different customer architectures and requirements.
  • CSV File-Based Inbound Provisioning Process: Chetan provided a detailed walkthrough of the CSV file-based inbound provisioning method, demonstrating how SAP HCM data can be exported, transformed, and provisioned into Microsoft Entra ID using Logic Apps or PowerShell, with Holger confirming the process and asking clarifying questions.
    • CSV Export from SAP HCM: Chetan explained that SAP HCM can periodically export employee data into a CSV file using an SAP-provided integration add-on, with the file containing all relevant HR attributes and being placed on an SFTP or Azure file share.
    • API-Driven Provisioning Endpoint: The CSV data is processed by middleware (such as Logic Apps or PowerShell), which converts the data into SCIM format and sends it to a dedicated API endpoint in Microsoft Entra ID for bulk upload and provisioning.
    • Attribute Mapping and Security: Chetan demonstrated how attribute mapping is configured in the provisioning service, and emphasized the use of managed identities and least-privilege permissions for secure API access.
    • Logic Apps Implementation and Batching: A sample Logic App template was shown, illustrating how the CSV is read, converted to JSON, batched (up to 50 records per request), and sent to the Entra endpoint, with run history and status available for monitoring.
    • Automatic Updates and Manager Resolution: The provisioning service automatically detects changes in the CSV and updates only the modified records in Entra ID, including resolving manager relationships based on provided IDs.
  • SAP BAPI-Based Inbound Provisioning Approach: Chetan described the SAP BAPI-based inbound provisioning method, where Logic Apps use SAP connectors to invoke BAPI or RFC function modules, retrieve HR data, and provision it into Entra ID, with Holger contributing feedback on connector selection and deployment considerations.
    • BAPI/RFC Data Retrieval: Logic Apps can use the SAP built-in connector to invoke standard or custom BAPI/RFC function modules in SAP HCM, such as BAPI_USER_GETLIST or BAPI_EMPLOYEE_GETDATA, to fetch employee data for provisioning.
    • Delta Import and Custom RFCs: Chetan highlighted the ability to define custom RFCs for delta imports, allowing the Logic App to query only changes since the last run by storing and using timestamp watermarks.
    • Connector Types and Networking: The discussion covered the differences between the SAP built-in and managed connectors in Logic Apps, with recommendations for using the built-in connector for on-premises SAP deployments to avoid additional gateways and simplify networking.
    • Error Handling and Retry Logic: Best practices were shared for handling asynchronous processing, including waiting for provisioning to complete, querying logs for status, and retrying failed operations as needed.
  • SAP IDocs-Based Near Real-Time Provisioning: Chetan outlined the SAP IDocs-based integration for near real-time provisioning, where SAP HCM sends IDoc messages to Logic Apps, which then process and provision the data into Entra ID, with Holger noting the event-driven nature of this approach.
    • IDoc Trigger and Processing: SAP HCM is configured to send IDoc messages to a Logic App workflow via the SAP Gateway service, triggering immediate processing of HR data changes.
    • SCIM Conversion and Provisioning: The Logic App converts the IDoc data to SCIM format and sends it to the Entra provisioning API endpoint, following the same pattern as the other methods for mapping and updating user records.
    • SAP and Logic Apps Configuration Steps: Chetan listed the required SAP-side configurations, including setting up RFC destinations, ABAP connections, ports, logical systems, distribution models, and partner profiles to enable the IDoc-based integration.
    • Event-Driven vs. Scheduled Sync: Holger clarified that, unlike scheduled BAPI or CSV syncs, the IDoc-based approach is event-driven, with SAP initiating the process as soon as a relevant change occurs.
  • Writeback from Entra ID to SAP HCM: Chetan and Holger discussed the writeback scenario, where data such as email addresses generated in Entra ID is written back to SAP HCM using Logic Apps and the joiner lifecycle workflow, completing the end-to-end integration loop.
    • Joiner Lifecycle Workflow: Microsoft Entra ID’s joiner lifecycle workflow can be configured to trigger on employee hire dates, performing onboarding tasks and invoking custom Logic Apps extensions for writeback.
    • Logic Apps Writeback Implementation: A Logic App uses the SAP connector to invoke BAPI_USER_CHANGE in SAP HCM, updating user master data such as email addresses and usernames based on information generated in Entra ID.
    • Workflow Configuration and Customization: The workflow can be customized with pre-defined or additional tasks, and custom task extensions can be integrated to fit organizational onboarding and writeback requirements.
    • Full Circle Integration: Holger summarized the end-to-end process: SAP HCM triggers user creation, Entra ID completes onboarding and generates additional attributes, and Logic Apps write these back to SAP HCM, ensuring data consistency across systems.
  • Customer Flexibility and Middleware Options: Chetan emphasized that customers can choose their preferred middleware (Logic Apps, PowerShell, SAP BTP, or others) for integration, and that Microsoft provides templates and documentation to support various platforms and customizations.
    • Middleware Platform Choices: Customers are not restricted to a specific middleware and can use Logic Apps, PowerShell, SAP BTP, or any other automation tool to process and provision HR data, as long as it can call the Entra API endpoint.
    • Template and Documentation Availability: Microsoft provides sample Logic App templates and PowerShell scripts, along with detailed documentation, to help customers quickly implement and customize their integration workflows.
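The CSV-based flow described above (CSV rows converted to SCIM, batched at up to 50 records per request, manager referenced by the manager's worker ID) is illustrated here as an added example in Python; it is not code from the episode, the published guidance or Microsoft's sample templates. The CSV column names and the sample rows are constructed assumptions, and acquiring a token (managed identity) and posting the batches to the Entra endpoint are left out so the block runs offline.

```python
import csv
import io
import json

# Constructed sample extract (not real HR data). Column names stand in for
# whatever attributes a customer's SAP HCM CSV export actually carries.
SAMPLE_CSV = """WorkerID,FirstName,LastName,Email,Department,ManagerID,Status
10001,Ada,Example,ada@contoso.example,IT,,Active
10002,Bob,Example,bob@contoso.example,IT,10001,Active
10003,Cy,Example,cy@contoso.example,HR,10001,Inactive
"""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
MAX_OPS_PER_REQUEST = 50  # batch limit mentioned in the episode


def row_to_operation(row):
    """Map one CSV row to a SCIM bulk POST operation against /Users."""
    user = {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": row["WorkerID"],          # matching key for updates
        "userName": row["Email"],
        "active": row["Status"].strip().lower() == "active",
        "name": {"givenName": row["FirstName"], "familyName": row["LastName"]},
        "emails": [{"primary": True, "type": "work", "value": row["Email"]}],
        SCIM_ENTERPRISE: {"employeeNumber": row["WorkerID"],
                          "department": row["Department"]},
    }
    manager_id = (row.get("ManagerID") or "").strip()
    if manager_id:
        # The manager is referenced by worker ID only; the provisioning
        # service resolves it to the manager's Entra object during processing.
        user[SCIM_ENTERPRISE]["manager"] = {"value": manager_id}
    return {"method": "POST", "bulkId": row["WorkerID"],
            "path": "/Users", "data": user}


def build_bulk_requests(csv_text, batch_size=MAX_OPS_PER_REQUEST):
    """Return a list of SCIM BulkRequest bodies, each with <= batch_size ops."""
    if not 1 <= batch_size <= MAX_OPS_PER_REQUEST:
        raise ValueError("batch_size must be between 1 and 50")
    ops = [row_to_operation(r) for r in csv.DictReader(io.StringIO(csv_text))]
    return [{"schemas": [SCIM_BULK], "Operations": ops[i:i + batch_size],
             "failOnErrors": None}
            for i in range(0, len(ops), batch_size)]


if __name__ == "__main__":
    for body in build_bulk_requests(SAMPLE_CSV, batch_size=2):
        print(json.dumps(body, indent=2))  # bodies the middleware would POST
```

Each returned dict is one request body; the middleware posts them sequentially and then polls the provisioning logs for status, as the episode describes for the Logic App template.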