Follow this procedure to set up Microsoft Entra ID (formerly known as Microsoft Azure Active Directory) as a target system.
This system is available for standalone tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo environment. Bundle tenants running on SAP Cloud Identity Services infrastructure and Neo environment can use it only through the SAP Identity Access Governance bundle option.
Prerequisites
- You've logged on to Microsoft Azure Portal with credentials for a user with the directory role Global administrator. For more information, see Microsoft Entra built-in roles.
- In Azure Active Directory > App registrations, you've registered an application with a secret key and permissions for Microsoft Graph API. These permissions must be consented to by an administrator. For more information, see Microsoft Graph permissions reference.
- (Relevant to target systems) Your registered application is assigned the User Account Administrator role. This role allows you to deprovision users. For more information, see Add-MsolRoleMember.
  If this role isn't assigned, you can only disable users. To do that, set the accountEnabled property to false. For more information, see MS Graph: user resource type.
Permissions
Assign the following permissions to your application, according to your scenario. The permissions have to be of type Application.
- Users – User.ReadWrite.All, Directory.AccessAsUser.All
- Groups – Group.ReadWrite.All
For more information, see MS Graph: Users and MS Graph: Groups.
When you use Microsoft Entra ID as a target system, you can write both users and groups that are read from any source system you've added in the Identity Provisioning user interface. Microsoft Entra ID target systems use the Microsoft Graph API. For more information, see Microsoft Graph.
If you've successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure.
- Access the Identity Provisioning UI.
- Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Target Systems.
- Add Microsoft Entra ID as a target system. For more information, see Add New Systems.
- Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit destination and in the Properties tab, the value set in the Properties tab takes precedence.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties

| Property Name | Description & Value |
|---|---|
| Type | Enter: HTTP |
| URL | Enter: https://graph.microsoft.com |
| ProxyType | Enter: Internet |
| Authentication | Enter: BasicAuthentication |
| User | Enter the application ID registered in your Microsoft Entra ID subscription (see the Prerequisites section). |
| Password | (Credential) Enter the secret key associated with your app registration. |
| aad.domain.name | Enter one of the verified domain names of the corresponding Microsoft Entra ID tenant. The provisioning operations are performed on this domain. For more information, see Managing custom domain names in your Microsoft Entra ID. |
| oauth.resource.name | Enter: https://graph.microsoft.com |
| OAuth2TokenServiceURL | Enter: https://login.microsoftonline.com/<your_domain>/oauth2/token, where <your_domain> is the domain name you have set in the aad.domain.name property. |
| (Optional) ips.delete.threshold.groups | Use this property to define a threshold for the number of groups that may be deleted in the target system during a job. It protects you from accidentally deleting a huge number of groups, for example as a result of adding a filter or condition. For more information, see List of Properties. |
| (Optional) ips.delete.threshold.users | Use this property to define a threshold for the number of users that may be deleted in the target system during a job. It protects you from accidentally deleting a huge number of users, for example as a result of adding a filter or condition. For more information, see List of Properties. |
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
- (Optional) Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. Identity Provisioning offers a default transformation for the Microsoft Entra ID target system, whose settings are displayed under the Transformations tab after you save its initial configuration.
You can change the default transformation mapping rules to reflect your current setup of entities in Microsoft Entra ID. For more information, see:
Default transformation:
```json
{
  "user": {
    "mappings": [
      { "sourcePath": "$.onPremisesImmutableId", "optional": true, "targetPath": "$.onPremisesImmutableId" },
      { "sourcePath": "$.active", "optional": true, "targetPath": "$.accountEnabled" },
      { "sourcePath": "$.name.givenName", "optional": true, "targetPath": "$.mailNickname" },
      { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
      { "sourcePath": "$.name.givenName", "optional": true, "targetPath": "$.givenName" },
      { "sourcePath": "$.name.familyName", "optional": true, "targetPath": "$.surname" },
      { "sourcePath": "$.addresses[0].locality", "optional": true, "targetPath": "$.city" },
      { "sourcePath": "$.addresses[0].country", "optional": true, "targetPath": "$.country" },
      { "sourcePath": "$.userName", "targetPath": "$.userPrincipalName", "scope": "createEntity",
        "functions": [ { "type": "concatString", "suffix": "@%aad.domain.name%" } ] },
      { "sourcePath": "$.active", "targetPath": "$.accountEnabled", "scope": "createEntity" },
      { "sourcePath": "$.name.givenName", "targetPath": "$.mailNickname", "scope": "createEntity" },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName", "scope": "createEntity" },
      { "targetPath": "$.passwordProfile.password", "scope": "createEntity",
        "functions": [ { "type": "randomPassword", "passwordLength": 16, "minimumNumberOfLowercaseLetters": 1,
                         "minimumNumberOfUppercaseLetters": 1, "minimumNumberOfDigits": 1, "minimumNumberOfSpecialSymbols": 0 } ] },
      { "constant": false, "targetPath": "$.passwordProfile.forceChangePasswordNextSignIn", "scope": "createEntity" }
    ]
  },
  "group": {
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
      { "sourcePath": "$.description", "optional": true, "targetPath": "$.description" },
      { "sourcePath": "$.allowExternalSenders", "optional": true, "targetPath": "$.allowExternalSenders" },
      { "sourcePath": "$.autoSubscribeNewMembers", "optional": true, "targetPath": "$.autoSubscribeNewMembers" },
      { "sourcePath": "$.isSubscribedByMail", "optional": true, "targetPath": "$.isSubscribedByMail" },
      { "sourcePath": "$.visibility", "optional": true, "targetPath": "$.visibility" },
      { "sourcePath": "$.securityEnabled", "optional": true, "targetPath": "$.securityEnabled" },
      { "sourcePath": "$.mailEnabled", "optional": true, "targetPath": "$.mailEnabled" },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName", "scope": "createEntity" },
      { "sourcePath": "$.externalId", "targetPath": "$.mailNickname", "scope": "createEntity" },
      { "constant": true, "targetPath": "$.mailEnabled", "scope": "createEntity" },
      { "constant": false, "targetPath": "$.securityEnabled", "scope": "createEntity" },
      { "constant": "Unified", "targetPath": "$.groupTypes[0]", "scope": "createEntity" }
    ]
  }
}
```
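To make the mapping rules above concrete, here is a small interpreter for a subset of the user mappings (added here as an example; it is not SAP's transformation engine, and the way it reads "optional", "scope" and the %aad.domain.name% placeholder is an assumption based on the rules shown). SOURCE_USER, PROPERTIES and the example.com domain are constructed values.

```python
import re
# Constructed sample input: a SCIM-style user as read from a source system (not from the page).
SOURCE_USER = {"userName": "jdoe", "active": True, "displayName": "Jane Doe",
               "name": {"givenName": "Jane", "familyName": "Doe"}}
# Subset of the page's default user transformation (password rules omitted); domain value is constructed.
MAPPINGS = [
    {"sourcePath": "$.addresses[0].locality", "optional": True, "targetPath": "$.city"},
    {"sourcePath": "$.active", "optional": True, "targetPath": "$.accountEnabled"},
    {"sourcePath": "$.userName", "targetPath": "$.userPrincipalName", "scope": "createEntity",
     "functions": [{"type": "concatString", "suffix": "@%aad.domain.name%"}]},
    {"sourcePath": "$.name.givenName", "targetPath": "$.mailNickname", "scope": "createEntity"},
    {"constant": False, "targetPath": "$.passwordProfile.forceChangePasswordNextSignIn", "scope": "createEntity"},
]
PROPERTIES = {"aad.domain.name": "example.com"}  # assumed value of the aad.domain.name system property
_TOKEN = re.compile(r"\.(\w+)|\[(\d+)\]")  # '$.a.b[0]' -> ('a',''), ('b',''), ('','0')

def get_path(obj, path):
    """Resolve a '$.a.b[0]' path against a dict; return None when any step is missing."""
    for key, idx in _TOKEN.findall(path):
        try:
            obj = obj[key] if key else obj[int(idx)]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def set_path(obj, path, value):  # store value at a '$.a.b' path, creating intermediate dicts
    keys = [k for k, _ in _TOKEN.findall(path)]
    for key in keys[:-1]:
        obj = obj.setdefault(key, {})
    obj[keys[-1]] = value

def transform(user, mappings, props, create=True):
    """Apply the mappings; createEntity-scoped rules run only when the user is being created."""
    target = {}
    for m in mappings:
        if m.get("scope") == "createEntity" and not create:
            continue
        value = m.get("constant")
        if "sourcePath" in m:
            value = get_path(user, m["sourcePath"])
            if value is None and m.get("optional"):
                continue  # optional attribute absent in the source: leave the target untouched
            if value is None:
                raise ValueError(f"mandatory attribute {m['sourcePath']} missing from source user")
        for fn in m.get("functions", []):
            if fn["type"] == "concatString":  # %name% in the suffix is a system property reference
                value = str(value) + re.sub(r"%([\w.]+)%", lambda mt: props[mt.group(1)], fn["suffix"])
        set_path(target, m["targetPath"], value)
    return target
```

Running it with create=False and active set to false yields only {"accountEnabled": False}, which is the disable-only update described in the Prerequisites when the deprovisioning role is not assigned.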
- Now, add a source system from which to read users and groups. Choose from: Source Systems
- Before starting a provisioning job, you can first subscribe to e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications.
- Now, start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.