Episode #254
Introduction
In episode 254 of our SAP on Azure video podcast we talk about Entra ID Governance from a customer perspective.
We continue today with the topics around Entra ID and SAP. We have covered different aspects of the integration of Entra ID and SAP in different ways in the past, but we thought that today we could take a look from a customer perspective. I am glad to have Roj Koc with us today, who is working closely with customers in Denmark and northern Europe to share what he is seeing in the market.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode254
Reach out to us for any feedback / questions:
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #EntraID #IAG #SAPIDM
Summary created by AI
- Customer-Centric SAP and Microsoft Entra ID Integration:
  - Holger and Roj discussed real-world challenges and solutions for integrating SAP systems with Microsoft Entra ID, focusing on identity governance, lifecycle management, and the transition from legacy SAP IDM to modern cloud-based IGA solutions, with Roj sharing insights from his work with customers in Denmark and Northern Europe.
  - Transition from SAP IDM to Entra ID: Roj explained that SAP IDM is reaching end of support in 2027, with possible extension to 2030, prompting customers to evaluate new platforms like Entra ID for identity and access governance. He emphasized the importance of understanding the reference architecture for migrating from SAP IDM to Entra ID, leveraging SAP Cloud Identity Services for provisioning and authentication, and considering both cloud-native and hybrid scenarios.
  - Identity Governance and Lifecycle Management: Roj outlined the distinction between IAM (managing the identity lifecycle) and IGA (adding governance and compliance), stressing that IGA is a continuous program rather than a one-time project. He highlighted the need for well-defined, documented processes and the involvement of strategic stakeholders such as HR, compliance, and security from the outset to ensure a successful IGA implementation.
  - Role of HR Systems in Identity Provisioning: The discussion covered the central role of HR systems like SAP SuccessFactors and Workday as the source of truth for employee master data, which is then mapped to Entra ID attributes. Roj described how this data is used to build RBAC and ABAC policies, and the importance of data quality and confidentiality, recommending that only essential attributes be imported into Entra ID.
  - Stakeholder Involvement and Process Definition: Roj emphasized that successful IGA projects require early and ongoing involvement of HR, compliance, and business owners, not just IT. He described a phased approach to onboarding HR systems, revisiting data quality, defining role ownership, and ensuring that business owners, not just technical managers, are responsible for access reviews and application campaigns.
  - Integration Architecture and Reference Patterns: Roj detailed the recommended integration architecture, where SAP Cloud Identity Services acts as the IdP for SAP users, with Entra ID providing governance and lifecycle management. He described the use of SAP Cloud Identity Services' authentication and provisioning services, and the ability to forward authentication requests to Entra ID as a proxy IdP, enabling seamless SSO and provisioning to downstream SAP applications.
- Entra ID Governance Features and Demonstration:
  - Roj provided a live demonstration of Entra ID Governance, showcasing features such as entitlement management, access packages, lifecycle workflows, and integration with SAP and HR systems, while Holger asked clarifying questions about configuration and automation capabilities.
  - Entitlement Management and Access Packages: Roj demonstrated how entitlement management in Entra ID Governance allows the creation of catalogs and access packages, which are the equivalent of business roles in SAP. He showed how access packages can be configured to include multiple functional resources, such as SAP HANA Cloud and SAP B2B, and how policies can be set for internal and external users, including SoD (segregation of duties) policies to prevent conflicting role assignments.
  - Lifecycle Workflows and Automation: The demo included the setup of lifecycle workflows for onboarding, role changes, and offboarding, with tasks such as license assignment, group membership, SAP user account creation, and network access provisioning. Roj explained how workflows can be triggered based on HR data, scheduled, or run on demand, and how custom tasks can be implemented using Logic Apps to integrate with external systems like ServiceNow.
  - Attribute Mapping and Data Quality: Roj highlighted the importance of attribute mapping between HR systems, Entra ID, and SAP applications, using attributes like company code to build role hierarchies. He stressed that lifecycle workflows should only be built on high-quality data to avoid automation errors, and described how extension attributes from on-premises directories can be leveraged in cloud and hybrid scenarios.
  - Demo Execution and Error Handling: During the demo, Roj ran a lifecycle workflow for a user (Jack Smith), showing the execution of multiple provisioning tasks. He addressed a failed task caused by a misconfigured access package, explained the cause, and demonstrated how to review the workflow history and correct configuration issues. The demo also verified successful user provisioning and SSO access to SAP applications.
- Advanced Integration Scenarios and Future Developments:
  - Roj discussed advanced integration scenarios, including the use of Entra ID Governance with SAP IAG, private access for secure network connectivity, and upcoming features like universal continuous access evaluation, while addressing current limitations and future roadmap items.
  - Integration with SAP IAG and Role Aggregation: Roj described ongoing development to integrate SAP IAG (Identity Access Governance) with Entra ID Governance, enabling aggregation of SAP business roles into Entra ID. He noted current limitations, such as the maximum number of app roles supported, and indicated that future enhancements are planned to better support large enterprise SAP environments.
  - Private Access and Zero Trust Network Security: The discussion covered the use of Entra Private Access to establish secure, dedicated tunnels to SAP endpoints, such as SAP GUI clients and ABAP servers, using the Global Secure Access client. Roj explained how this approach supports zero trust network access and can leverage modern authentication methods like Kerberos and Windows Hello for Business.
  - Continuous Access Evaluation and Token Revocation: Roj introduced the concept of universal continuous access evaluation, which allows near real-time revocation of access tokens for SAP applications, enhancing security and compliance. He explained that this feature is in public preview and will enable organizations to respond quickly to identity changes or security incidents.
- 0:00 Intro
- 1:10 Introducing Roj Koc
- 3:10 Security Engineers
- 4:15 Microsoft and SAP Partnership
- 6:25 Partnership scenario - SAP IDM migration to Microsoft Entra
- 8:20 Identity Governance - Common business challenges
- 13:35 Build your IGA roadmap by sets of stages - 1st stage of Identity foundation
- 21:35 Uniformly govern access to on-premises & cloud apps
- 27:40 Provisioning using SAP Cloud Connector
- 29:25 Demo - Looking at Entra ID Governance Dashboard
- 30:45 Demo - Access Packages
- 32:45 Demo - Policies
- 35:25 Demo - Governance
- 46:15 Demo - SAP Cloud Identity Service
- 49:10 Entra ID Governance - SAP integration topology