Azure Subscription Groups as Entitlements in SailPoint ISC

Hi everyone,

I would like to ask for guidance on aggregating Subscription Groups in Microsoft Azure as entitlements in SailPoint Identity Security Cloud (ISC).

My goal is to govern Azure Subscription Groups within ISC, so that:

  • They are aggregated as entitlements

  • Identities in my SailPoint tenant can request access to them

  • Access can be provisioned automatically

  • Grants can be managed and certified

Is it possible to manage Azure Subscription Groups this way in ISC?

If anyone has experience implementing this, I would really appreciate your guidance or recommended approach.

Thank you in advance!

You should be able to read subscriptions as entitlements.

Create its entitlement type with the name subscription, add the schema attributes: Subscriptions

All of them are strings, one is multivalued.

Then add one account attribute marked as multivalued entitlement, with the name subscription.

Hi @lukas_ceremeta, while this is true, it needs pointing out that this is not in the standard Entra Connector and requires the Cloud Governance module:

Note
The schema for the following mentioned Group objects is not available with the included Azure Active Directory connector. You must purchase a CAM license in order to enable the Cloud Governance features of Azure Active Directory connector.

From Group Attributes for Azure Cloud Objects