CIEM / ISC not pulling all entitlement names

timbrighamOC · October 17, 2025, 5:11pm

I am attempting to onboard the Azure CIEM adapter, and a subset of my data isn’t present.

From the Entra adapter, I can see details on my Cosmos / DocumentDB entries showing up that represent the correct data.

For example, one of my users has the entitlement listed as follows, with the well known value for a Cosmos DB reader role.

This shows up on the data being fed from the account aggregation, not the entitlement aggregation.

The entitlement name shows as follows, the raw format.

/subscriptions/<sub ID>/resourceGroups/<instance>-cosmos-prod-rg/providers/Microsoft.DocumentDB/databaseAccounts/yyyyy-cosmos-prod:5bd9cd88-fe45-4216-938b-f97437e15450

The closest that I can get where it’s properly formatted with metadata is as follows.

Entitlement Name: DocumentDB Account Contributor [on] -cosmos-dev-rg

With the value as follows:

/subscriptions/<sub ID>/resourceGroups/<instance>-cosmos-dev-rg:5bd9cd88-fe45-4216-938b-f97437e15450

I checked back in Azure, that would be if the permissions were being set at the resource group level, not onto the instance in question. Makes sense based on the value shown.

I’m filtering out nothing from the CIEM source, and I’ve verified that I can call the API with the CIEM adapter to get the information, so as far as I can tell everything outside of SailPoint is correct.

GET https://management.azure.com/subscriptions/<sub id>/resourceGroups/<instance>-cosmos-dev-rg/providers/Microsoft.DocumentDB/databaseAccounts/<instance>-cosmos-dev/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01

It returns what I’m seeing on the user object as a an entitlement that isn’t enriched with the metadata.

{
    "value": [
        {
            "properties": {
                "roleDefinitionId": "/subscriptions/<sub ID>/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
....
                "scope": "/subscriptions/.../resourceGroups/<instance>-cosmos-dev-rg/providers/Microsoft.DocumentDB/databaseAccounts/edw-cosmos-dev",
                "condition": null,
                "conditionVersion": null,
...
            },

I’m not sure if the CIEM adapter itself is failing to pull the data for some reason - and it’s attempting to correlate these raw strings and there’s nothing there - or if there’s some kind of schema update I to make to the CIEM Azure or Entra adapters to get this working.

Where and how can I dump this data to determine where the issue is? I’ve tried doing a couple peek objects on the source in VS Code unsuccessfully.

system · December 16, 2025, 5:12pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to pull the entitlements ISC Discussion and Questions webservice-connector , identity-security-cloud	21	195	April 27, 2026
Query to list entitlements in a role ISC Discussion and Questions identity-security-cloud	7	146	October 29, 2025
Azure AD entitlements - Uses GUID instead of name ISC Discussion and Questions identity-security-cloud , entitlements	4	468	May 16, 2024
Filter Azure subscription or AWS Accounts ISC Discussion and Questions identity-security-cloud	0	42	February 27, 2025
Entitlements are not correctly associated with the identity on the access list ISC Discussion and Questions webservice-connector , aggregation , identity-security-cloud , entitlements	3	89	February 25, 2026

CIEM / ISC not pulling all entitlement names

Related topics