AAD Only active Roles appear

Hello

In my IdentityIQ 8.4 we are connected with Entra ID.

When we aggregate the users, only the active roles (Global Reader, Security Admin, etc.) appear; if a user has other eligible assignments, we don't have the info.

Can you help?


The connector requires explicit configuration to aggregate eligible PIM role assignments. By default, only active role assignments are returned.

Two changes are required:

Grant the required Graph API permission

The App Registration used by the connector needs one of these Application permissions:

  • RoleManagement.Read.Directory (minimum required)
  • RoleManagement.ReadWrite.Directory

Enable PIM in the connector

In the source configuration:

  1. Navigate to Feature Management

  2. Select Enable Privileged Identity Management

  3. Configure the Microsoft Entra PIM Active and Eligible Roles Filter if needed (e.g., isBuiltIn eq true)

  4. Save the configuration

  5. After making these changes, run a full aggregation. The connector will return both active and eligible role assignments as separate entitlement types (azureADActiveRoles and azureADEligibleRoles).

Note: SailPoint recommends disabling aggregation partitioning when PIM is enabled for performance reasons.

References:
SailPoint Documentation: Manage Azure Privileged Identity Management

Microsoft Graph API: List roleEligibilityScheduleInstances - Microsoft Graph v1.0 | Microsoft Learn
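To see what the connector gains once PIM aggregation is enabled, it helps to look at the two Graph collections behind it side by side: `roleAssignmentScheduleInstances` (active) and `roleEligibilityScheduleInstances` (eligible). The script below is an added example, not SailPoint's connector code or anything from the original thread. It builds the Graph request URLs, then separates constructed sample responses into the two entitlement buckets the answer names (`azureADActiveRoles` and `azureADEligibleRoles`), applies the optional `isBuiltIn eq true` style filter, and lists the principals that an active-only aggregation would miss entirely. The principal and role IDs, the helper names, and the sample payloads are all assumptions made for illustration; the script makes no network calls.

```python
"""Split Entra ID directory role assignments into active vs eligible (PIM)
entitlements. Sample data below is constructed; nothing here calls Graph."""
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
ACTIVE_ENDPOINT = f"{GRAPH}/roleManagement/directory/roleAssignmentScheduleInstances"
ELIGIBLE_ENDPOINT = f"{GRAPH}/roleManagement/directory/roleEligibilityScheduleInstances"
ROLEDEF_ENDPOINT = f"{GRAPH}/roleManagement/directory/roleDefinitions"

# Both schedule-instance endpoints need RoleManagement.Read.Directory (or
# ReadWrite) on the app registration; a 403 here is the symptom of a missing grant.
REQUIRED_PERMISSIONS = ("RoleManagement.Read.Directory", "RoleManagement.ReadWrite.Directory")


def build_url(endpoint, odata_filter=None):
    """Return the Graph URL with an optional OData $filter (e.g. per principal)."""
    params = {}
    if odata_filter:
        params["$filter"] = odata_filter
    return endpoint + ("?" + urlencode(params, safe="$") if params else "")


# Constructed sample roleDefinitions (ids are placeholders, not real GUIDs).
ROLE_DEFS = [
    {"id": "roledef-global-reader", "displayName": "Global Reader", "isBuiltIn": True},
    {"id": "roledef-sec-admin", "displayName": "Security Administrator", "isBuiltIn": True},
    {"id": "roledef-global-admin", "displayName": "Global Administrator", "isBuiltIn": True},
    {"id": "roledef-helpdesk-custom", "displayName": "Helpdesk Custom", "isBuiltIn": False},
]

# Constructed sample of roleAssignmentScheduleInstances (active, what the
# connector already returns without PIM enabled).
ACTIVE_SAMPLE = [
    {"principalId": "user-alice", "roleDefinitionId": "roledef-global-reader",
     "directoryScopeId": "/", "assignmentType": "Assigned"},
]

# Constructed sample of roleEligibilityScheduleInstances (eligible, only
# visible once PIM aggregation is turned on).
ELIGIBLE_SAMPLE = [
    {"principalId": "user-alice", "roleDefinitionId": "roledef-sec-admin", "directoryScopeId": "/"},
    {"principalId": "user-bob", "roleDefinitionId": "roledef-global-admin", "directoryScopeId": "/"},
    {"principalId": "user-bob", "roleDefinitionId": "roledef-helpdesk-custom", "directoryScopeId": "/"},
]


def split_pim_roles(active_instances, eligible_instances, role_definitions, built_in_only=False):
    """Map principalId -> {"azureADActiveRoles": [...], "azureADEligibleRoles": [...]}.

    built_in_only mirrors the connector's 'isBuiltIn eq true' roles filter.
    Instances whose role definition is unknown are skipped, not mislabelled."""
    defs = {d["id"]: d for d in role_definitions}
    result = {}

    def add(kind, inst):
        rd = defs.get(inst["roleDefinitionId"])
        if rd is None or (built_in_only and not rd.get("isBuiltIn", False)):
            return
        entry = result.setdefault(
            inst["principalId"], {"azureADActiveRoles": [], "azureADEligibleRoles": []})
        if rd["displayName"] not in entry[kind]:
            entry[kind].append(rd["displayName"])

    for inst in active_instances:
        add("azureADActiveRoles", inst)
    for inst in eligible_instances:
        add("azureADEligibleRoles", inst)
    return result


def invisible_without_pim(split):
    """Principals holding only eligible roles: an active-only aggregation shows
    no privileged entitlement for them at all."""
    return {pid for pid, e in split.items()
            if e["azureADEligibleRoles"] and not e["azureADActiveRoles"]}


if __name__ == "__main__":
    print(build_url(ELIGIBLE_ENDPOINT, "principalId eq 'user-bob'"))
    split = split_pim_roles(ACTIVE_SAMPLE, ELIGIBLE_SAMPLE, ROLE_DEFS)
    for pid, ent in split.items():
        print(pid, ent)
    print("missed without PIM:", sorted(invisible_without_pim(split)))
```

In the constructed data, `user-bob` has no active role and two eligible ones, which is exactly the case the question describes: without PIM aggregation that account looks unprivileged in IdentityIQ even though it can activate Global Administrator. Running the same split with `built_in_only=True` drops the custom role, the effect of the `isBuiltIn eq true` filter from step 3.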

Hello

I can already retrieve the roles from Entra ID that I wanted.
Does this connector have the capability to bring me the roles that Azure RBAC has, for example, a contributor in a specific subscription?