
SuccessFactors integration & Role provisioning

Martin Raepple

EntraID Identity


Episode #263

Introduction

In episode 263 of our SAP on Azure video podcast, we talk about Entra ID and SAP Cloud Identity Services. In the past we already had a few sessions with Martin Raepple where we talked about the integration of Entra ID with SAP Cloud Identity Services. Today we will look at the SuccessFactors integration and role provisioning, and we are happy to have Martin back with us. Product management at its best!

Find all the links mentioned here: https://www.saponazurepodcast.de/episode263

Reach out to us for any feedback / questions:

#Microsoft #SAP #Azure #SAPonAzure #Identity #EntraID #BTP

Summary created by AI

  • SAP Identity Management Migration to Microsoft Entra: Martin Raepple and Holger discussed the ongoing joint SAP and Microsoft initiative to guide customers affected by the SAP Identity Management (IDM) end-of-life towards migration to Microsoft Entra, highlighting the evolution of the integration, customer feedback-driven feature development, and the collaborative approach between both vendors and their customers.
    • Migration Context and Roadmap: Martin Raepple explained that SAP IDM will reach end-of-life by 2027, and SAP recommends affected customers migrate to Microsoft Entra. The joint engineering program between SAP and Microsoft provides guidance, reference architectures, and product improvements to support this migration, with a focus on customer needs and feedback.
    • Customer Collaboration and Feedback: Holger and Martin emphasized the importance of customer feedback in shaping the product roadmap, noting that features are added based on real-world requirements gathered from joint conferences and direct customer interactions, ensuring the migration path is practical and aligned with user needs.
    • Previous Integration Scenarios: The team recapped earlier podcast episodes covering the big picture of SAP IDM to Entra migration, hybrid user provisioning scenarios (including on-premise SAP systems), and the use of Entra ID governance for managing identity lifecycle and access workflows, including context-based approval determination using Logic Apps and SAP Integration Suite.
    • Reference Architecture and Documentation: Martin highlighted the availability of joint reference architectures and documentation for customers, which detail the integration points, migration steps, and best practices for transitioning from SAP IDM to Microsoft Entra, ensuring a structured and well-supported migration process.
  • End-to-End SuccessFactors Integration and Role Provisioning Demo: Martin Raepple demonstrated the new end-to-end integration scenario where user onboarding in SAP SuccessFactors triggers automated provisioning through Microsoft Entra and SAP Cloud Identity Services, culminating in role assignment in the SAP backend, with Holger providing commentary and validation throughout the process.
    • Scenario Overview and Objectives: The demo extended previous scenarios by automating the entire user lifecycle: onboarding a new employee in SuccessFactors, provisioning the user in Entra, assigning access packages, and ultimately granting the user a role in the SAP backend system, eliminating manual steps and improving scalability.
    • User Onboarding in SuccessFactors: Martin, acting as the HR admin, onboarded a new employee (John Doe 3) in SAP SuccessFactors, specifying unique identifiers to avoid conflicts, and explained that this mirrors typical customer processes where HR systems are the source of truth for user events.
    • Provisioning from SuccessFactors to Entra: Using the pre-built SuccessFactors connector in Entra, Martin triggered on-demand provisioning, which pulled the new employee data from SuccessFactors and created the corresponding user account in Entra with default attribute mappings, demonstrating the out-of-the-box functionality.
    • Access Package Assignment and Group Membership: After resetting the new user’s password, Martin showed how the user could request access to an access package via the MyAccess Portal, which automatically assigned the user to a group in Entra, reflecting the new feature that supports group provisioning alongside user provisioning.
    • Provisioning to Cloud Identity Services and SAP Backend: Martin demonstrated the updated Cloud Identity Services connector, which now provisions both users and groups (with OAuth2 authentication), and triggered on-demand provisioning to create the user, group, and group membership in Cloud Identity Services, followed by provisioning to the SAP backend, resulting in the user being assigned to the appropriate role.
    • Technical Enhancements and Security Improvements: The demo highlighted recent connector updates, including the switch from basic authentication to OAuth2 client credentials for improved security, and the ability to filter which users are provisioned to the backend, supporting more granular and secure provisioning flows.
    • Validation and End Result: The process was validated at each step, with checks in Entra, Cloud Identity Services, and the SAP backend to confirm that the user and group were created and the role assignment was completed, demonstrating the effectiveness and reliability of the end-to-end integration.
  • Upcoming Events and Product Roadmap Announcements: Holger and Martin announced several upcoming events, including SAP TechEd, a Microsoft pre-day event, the SAP Security Forum, and the private preview of SAP IAG integration with Entra, inviting attendees to hands-on sessions and providing information on how to participate in the private preview.
    • SAP TechEd and Pre-Day Event: Martin and Holger shared details about SAP TechEd 2025 in Berlin, where they will host a hands-on session on identity lifecycle management with SAP BTP and Microsoft Entra, as well as a Microsoft-hosted pre-day hackathon focused on building MCP-based Copilot Agents.
    • SAP Security Forum and IAG Integration Preview: They also announced the SAP Security Forum in Walldorf, where they will present on IDM to Entra migration, and introduced the private preview of SAP IAG integration with Entra, which enables management of access packages with IAG roles and delegation of access requests, providing a sign-up link for interested customers.