I am working on a client requirement and need guidance on the best way to configure this. Below are the details:
Current Process:
Currently, the process for assigning a role to a user involves:
Creating the AD admin account in on-prem AD.
Syncing the user account from on-prem AD to Azure AD.
After synchronization, an Azure admin account is created.
However, this approach does not align with Microsoft’s best practices, which recommend creating privileged accounts directly in Azure AD instead of syncing from on-prem AD.
Requirement Summary:
We need to change this process only for Azure Admin accounts, while keeping normal accounts as they are.
Create Azure Admin Accounts Directly in Azure AD
The Azure Admin account should be created directly in Azure AD, without syncing from on-prem AD.
Account Naming Convention
The Azure Admin account should follow this format: XXXADMA
Example: xyzADMA@abc.onmicrosoft.com
Correlation with Normal User Account
The Azure Admin account should be linked to the corresponding normal user account.
Question:
How can we achieve this configuration in SailPoint IdentityIQ while ensuring proper correlation between normal and admin accounts?
Any insights or best practices would be greatly appreciated.
I am using the MS Entra ID connector and can see the out-of-the-box provisioning policy. When assigning a role to a user, I am presented with a provisioning form (shown below).
Yes, you will need to update the OOTB provisioning policy to populate the data from the user identity. You can use a script or rule, where the identity object is already present, and return the data for each attribute.
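As an added example of the approach described in the reply above (this is not code from the original thread or from SailPoint), the following is a field value script, in BeanShell (Java syntax), for the userPrincipalName field of the Entra ID application's Create provisioning policy. It builds the admin UPN from the identity and refuses to run for an identity that has no normal on-prem account. The application name "Active Directory", the assumption that the IIQ identity name equals the on-prem sAMAccountName (the "xyz" part of xyzADMA@abc.onmicrosoft.com), and the tenant domain are assumptions taken from the requirement, not facts from the thread.

```java
// Added example, not code from the original thread or from SailPoint: a field
// value script (BeanShell, Java syntax) for the userPrincipalName field of the
// Entra ID application's Create provisioning policy in IdentityIQ.
// Assumptions made here: the on-prem AD application is named "Active Directory",
// the admin UPN prefix is the IIQ identity name (taken to be the on-prem
// sAMAccountName), and the tenant domain is abc.onmicrosoft.com.
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.tools.GeneralException;

String AD_APP = "Active Directory";           // assumed application name
String TENANT_DOMAIN = "abc.onmicrosoft.com"; // from the naming example in the thread
String ADMIN_SUFFIX = "ADMA";                 // required naming convention

// Field scripts in a Create policy receive the target Identity as "identity".
if (identity == null) {
    throw new GeneralException("Admin account creation requires an identity");
}

// The requirement says the admin account must map to a normal user account,
// so refuse to provision one for an identity that has no on-prem AD link.
Link adLink = null;
List links = identity.getLinks();
if (links != null) {
    Iterator it = links.iterator();
    while (it.hasNext() && adLink == null) {
        Link l = (Link) it.next();
        if (AD_APP.equals(l.getApplicationName())) {
            adLink = l;
        }
    }
}
if (adLink == null) {
    throw new GeneralException("No " + AD_APP + " account found for identity "
        + identity.getName() + "; cannot derive an admin UPN");
}

// Assumed: the identity name is the on-prem sAMAccountName, i.e. the "xyz"
// part of "xyzADMA@abc.onmicrosoft.com".
String prefix = identity.getName();
if (prefix == null || !prefix.matches("[A-Za-z0-9._-]+")) {
    throw new GeneralException("Identity name '" + prefix
        + "' is not usable as a UPN prefix");
}
if (prefix.toUpperCase().endsWith(ADMIN_SUFFIX)) {
    throw new GeneralException("Identity name already carries the admin suffix");
}

return prefix + ADMIN_SUFFIX + "@" + TENANT_DOMAIN;
```

The script throws instead of returning null so that a missing or malformed prefix fails the request rather than creating a cloud-only privileged account with an unexpected name. Other fields on the same policy (displayName, mailNickname and so on) can be filled the same way from the identity object, and nothing here touches the on-prem AD account, so normal accounts keep their existing sync path.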
One question here: can we check the Entra ID connector version? If yes, where do we check that version? Our IIQ version is 8.3. As per my understanding, the Entra ID connector comes with this version.
Can we configure the update provisioning policy as per the business need?
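The correlation half of the original question (linking the cloud-only admin account back to the normal user account) is not covered by the replies above. As an added example that is not part of the thread and not SailPoint's own code, this is a correlation rule (rule type "Correlation") for the Entra ID application, written in BeanShell (Java syntax). It inverts the naming convention: an account whose UPN ends in ADMA@abc.onmicrosoft.com is attached to the identity whose name equals the prefix. The schema attribute name userPrincipalName, the tenant domain and the assumption that the IIQ identity name is the on-prem sAMAccountName are assumptions, not facts from the thread.

```java
// Added example, not code from the original thread or from SailPoint: a
// correlation rule (rule type "Correlation") for the Entra ID application in
// IdentityIQ, BeanShell (Java syntax). Correlation rules receive the aggregated
// account as "account" (a sailpoint.object.ResourceObject) and return a Map
// telling IIQ which identity the account belongs to.
// Assumptions: admin UPNs follow xyzADMA@abc.onmicrosoft.com, the "xyz" part
// equals the IIQ identity name (the on-prem sAMAccountName), and the schema
// attribute holding the UPN is named userPrincipalName.
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.ResourceObject;

String TENANT_DOMAIN = "abc.onmicrosoft.com";
String ADMIN_SUFFIX = "ADMA";
String adminTail = (ADMIN_SUFFIX + "@" + TENANT_DOMAIN).toLowerCase();

Map result = new HashMap();   // raw types: BeanShell does not accept generics

String upn = (String) account.getAttribute("userPrincipalName");
if (upn == null) {
    return result;   // nothing to go on; this rule makes no claim
}

String lower = upn.toLowerCase();
// Only accounts named exactly <prefix>ADMA@<tenant> are treated as admin
// accounts; a synced normal user keeps its on-prem UPN and does not match.
if (lower.endsWith(adminTail) && lower.length() > adminTail.length()) {
    String prefix = upn.substring(0, upn.length() - adminTail.length());
    if (prefix.matches("[A-Za-z0-9._-]+")) {
        // "identityName" tells the Correlator to link this account to the
        // identity whose name equals the prefix, e.g. xyz for xyzADMA@...
        result.put("identityName", prefix);
    }
}
return result;
```

Returning an empty map leaves the account uncorrelated by this rule, which is the safe default: an account that does not follow the convention should show up as uncorrelated in aggregation rather than be guessed onto someone. Correlation only links the account to the identity for visibility and certification; it grants nothing, and the privileged Entra ID roles themselves are still driven by the role assignment and the Create policy above.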