Episode #264
Introduction
In episode 264 of our SAP on Azure video podcast we continue to talk about Security.
Two weeks back we started with a first introduction on the topic of SAP with Microsoft Security. Martin walked us through the different areas where we have offerings and where we are also working closely together with SAP.
It was a great overview, but also quite theoretical. That is why today we want to spend more time on demos and actually show you what the security integration can look like across the board.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode264
Reach out to us for any feedback / questions:
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #Security
Summary created by AI
- SAP User Lifecycle and Identity Governance Integration:
  - Martin demonstrated to Holger and Goran how SAP user lifecycle management is integrated with Microsoft Entra ID Governance, showing automated onboarding, role assignment, and compliance workflows for new hires like Alex Rivera, with flexibility for customer-specific processes.
  - Automated User Onboarding: Martin explained the process of onboarding a new SAP user, starting in SuccessFactors where HR enters details for a new employee, triggering a workflow in Microsoft Entra ID Governance that automatically provisions accounts and assigns roles across SAP and connected systems.
  - Customizable Compliance Workflows: The team discussed how customers can tailor onboarding workflows to their specific compliance requirements, adding or modifying steps as needed to meet industry or regulatory standards, and use these automated processes to demonstrate compliance during audits.
  - Role Assignment and Access Provisioning: Martin described how the workflow assigns the financial controller role to the new user, impacting their access and permissions in SAP, and highlighted the growing task list managed by identity governance teams for further actions.
- Entitlement Management and Verified ID for SAP Access:
  - Martin walked Holger and Goran through SAP entitlement management, showing how employees like Alex Rivera can request access to SAP apps using self-service workflows, including advanced identity verification with face checks and verified credentials.
  - Self-Service Access Requests: Martin demonstrated how employees can request access to SAP applications such as Analytics Cloud through a self-service portal, reducing administrative overhead and enabling just-in-time access for business needs.
  - Verified ID and Face Check Integration: The team discussed the use of Microsoft Verified ID with face scanning for identity verification, noting that this is the most sophisticated option but can be adjusted based on company or country acceptance, and is reusable for other digital authentication scenarios.
  - Access Reviews and Compliance: Martin referenced SAP’s internal operations, showing how regular access reviews result in the deletion of thousands of unused accounts, maintaining compliance and reducing risk by ensuring only necessary access persists.
- Multi-Factor Authentication and Secure SAP Access:
  - Martin and Holger described how multi-factor authentication (MFA) is enforced for SAP logins, including for sensitive roles, and how the onboarding process ensures secure access from day one for users like Alex Rivera.
  - MFA Enforcement for SAP GUI: Martin explained that after onboarding, users log into SAP with MFA, adding an extra layer of security for sensitive accounts such as financial controllers, with location checks and approval prompts.
  - End-to-End Onboarding Flow: Holger recapped the onboarding flow: user creation in SuccessFactors, automated provisioning and role assignment, authenticator setup, and direct SAP GUI access with MFA, ensuring a secure and streamlined experience.
- Phishing Attack Simulation and Incident Detection:
  - Martin simulated a phishing attack targeting new hire Alex Rivera, showing how credential compromise is detected by SAP security teams using Microsoft Sentinel, and how incident response actions are triggered.
  - Phishing Scenario and Credential Compromise: Martin described a scenario where Alex Rivera receives a phishing email prompting payroll information updates, leading to credential theft after clicking a malicious link, a common social engineering tactic.
  - Incident Detection in SAP and Sentinel: The SAP security team, using Sentinel, detected unusual activity in the SAP system, specifically the execution of transaction SM49 by Alex Rivera, which is often used by attackers to run OS commands from SAP.
  - Incident Response Actions: The team discussed available response actions, including blocking the compromised user in SAP, SAP Cloud Identity Service, or Azure AD, and logging the action for audit purposes, with containment recommendations provided by Copilot.
  - End-to-End Attack Traceability: Holger and Martin highlighted how the correlation engine in Sentinel provides a full timeline of the attack, from phishing email to suspicious URL clicks, risky sign-ins, and SAP system compromise, enabling comprehensive incident analysis.
- Vulnerability Management and Threat Analytics for SAP:
  - Martin and Holger reviewed how Microsoft Defender and Sentinel identify and correlate SAP vulnerabilities, such as CVE-2025-31324, with actual system activity, and discussed recommended remediation steps and real-world impacts.
  - Detection of SAP NetWeaver Vulnerabilities: Martin showed how Defender for Endpoint detects exploitation of critical SAP NetWeaver vulnerabilities, providing analyst reports and patch recommendations, and correlating these with observed system activity.
  - Attack Execution Evidence: The team examined evidence of attackers using SAP transaction SM49 and external commands (e.g., wget) to download malware, and discussed how Azure VMs are now configured without internet access by default to mitigate such risks.
  - Remediation and Patch Guidance: Martin explained the importance of applying SAP’s released patches and following recommended actions, noting that post-compromise investigation is necessary if exploitation has already occurred.
- Real-World SAP Security Incidents and Business Impact:
  - Martin and Holger discussed a publicized SAP NetWeaver vulnerability exploited in a cyberattack on Jaguar Land Rover, illustrating the severe business consequences and the importance of proactive security measures.
  - Jaguar Land Rover Cyberattack Case: Martin referenced a news article detailing how a SAP NetWeaver flaw was exploited to halt production at Jaguar Land Rover, resulting in significant financial losses and government intervention.
  - Threat Intelligence Sharing: The team noted that while public disclosure of such incidents is rare, security groups share intelligence via channels like Telegram and darknet forums, helping vendors and analysts learn from real-world attacks.
- Data Lineage and Blast Radius Analysis in SAP Environments:
  - Martin demonstrated to Holger how data lineage tools and unified catalogs in Microsoft Purview and Power BI help assess the blast radius of SAP compromises, mapping affected systems and datasets for incident response.
  - Mapping System Relationships: Martin showed how Purview’s map view and Power BI lineage diagrams reveal connections between SAP systems, datasets, and business processes, aiding in understanding the scope of a compromise.
- Conditional Access Policy Enhancements for SAP Applications:
  - Martin and Holger reviewed how conditional access policies in Microsoft Entra are updated to require phishing-resistant MFA and compliant devices for SAP finance apps, strengthening security posture after incident analysis.
  - Policy Configuration for Risk Mitigation: The team configured conditional access policies to enforce stricter authentication requirements for SAP finance applications, including device compliance and phishing-resistant MFA, to prevent similar attacks.
- Security ROI and Adoption Insights:
  - Martin and Holger discussed Forrester’s findings on the economic impact of Microsoft Security solutions, highlighting a 72% reduced likelihood of breach and the importance of ease-of-adoption for security features.
  - Return on Investment and Breach Reduction: The team cited Forrester’s study showing significant ROI and breach reduction for organizations adopting Microsoft Security, emphasizing the value of integrated, easy-to-configure security features.
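The incident detection and end-to-end traceability items above describe correlating a phishing email, a suspicious URL click, a risky sign-in and an SM49 execution into one timeline per user. The following is an added example of that kind of correlation, not Sentinel's correlation engine or any Microsoft or SAP code; the event schema, user names, timestamps, the two-hour window and the SM49 watch-list are all constructed assumptions.

```python
"""Added example (not Sentinel's correlation engine): build a per-user timeline
from constructed events and flag the phish -> click -> risky sign-in -> SM49
chain described in the episode. Event schema and values are made up here."""
from datetime import datetime, timedelta
# Assumed watch-list: SM49 runs external OS commands from SAP (see the summary).
HIGH_RISK_TCODES = {"SM49"}

# Constructed sample telemetry, normalised to (timestamp, source, user, detail).
EVENTS = [
    ("2025-09-01T09:02:00", "email", "alex.rivera", "phish:payroll-update"),
    ("2025-09-01T09:05:30", "url_click", "alex.rivera", "click:suspicious-url"),
    ("2025-09-01T09:07:10", "signin", "alex.rivera", "risky_signin:unfamiliar-ip"),
    ("2025-09-01T09:40:00", "sap_audit", "alex.rivera", "tcode:SM49"),
    ("2025-09-01T10:15:00", "sap_audit", "basis.admin", "tcode:SM49"),
    ("2025-09-01T11:00:00", "sap_audit", "alex.rivera", "tcode:FB03"),
]

STAGES = ["phish", "click", "risky_signin", "high_risk_tcode"]  # expected order

def stage_of(detail):
    """Map an event detail string to a kill-chain stage, or None if unrelated."""
    kind, _, value = detail.partition(":")
    if kind in ("phish", "click", "risky_signin"):
        return kind
    if kind == "tcode" and value in HIGH_RISK_TCODES:
        return "high_risk_tcode"
    return None

def timeline(events, user):
    """All events for one user, parsed and sorted by time."""
    rows = [(datetime.fromisoformat(ts), src, d) for ts, src, u, d in events if u == user]
    return sorted(rows, key=lambda r: r[0])

def correlate(events, user, window=timedelta(hours=2)):
    """Match stages in order within the window; a lone SM49 still rates 'medium'."""
    reached, first_ts, lone_tcode = [], None, False
    for ts, src, detail in timeline(events, user):
        stage = stage_of(detail)
        if stage is None:
            continue
        lone_tcode |= stage == "high_risk_tcode"
        first_ts = first_ts or ts
        if ts - first_ts > window or len(reached) == len(STAGES):
            break
        if stage == STAGES[len(reached)]:
            reached.append((stage, src, ts.isoformat()))
    incident = len(reached) == len(STAGES)
    severity = "high" if incident else ("medium" if lone_tcode else "low")
    return {"user": user, "incident": incident, "severity": severity, "stages": reached}
```

Running `correlate(EVENTS, "alex.rivera")` yields a high-severity incident with all four stages in order, while `basis.admin` (SM49 with no preceding chain) is returned as a medium-severity item for review.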
- 0:00 Intro
- 1:20 Introducing Martin
- 4:30 Secure and defend SAP apps and data on Microsoft Cloud
- 7:00 Attackers think in graphs
- 8:15 Graph-powered security enables enterprise-wide visibility
- 8:55 Demo - Start in SAP SuccessFactors
- 11:30 Demo - Entitlement Management
- 13:25 SAP using Entra Integration
- 14:40 Demo - Employee request; Verify ID to log on to SAP GUI
- 18:50 Demo - Detecting SAP Incidents
- 31:45 Attacked customer examples
- 35:50 Additional insights with Purview
- 36:50 Demo - Conditional Access
- 38:25 Reduced likelihood of a breach
