I’m working on a Microsoft Entra integration in SailPoint IdentityNow and came across something a bit confusing. I’d like to get clarity from the community on how to interpret the different source types/connectors that are currently available.
In my tenant, I can see the following options:
Azure Active Directory
Microsoft Entra
Microsoft Entra SaaS
From a Microsoft standpoint, I understand that Azure Active Directory was renamed to Microsoft Entra so logically they should refer to the same identity platform. However, in SailPoint IDN, these appear as separate connectors/source types, which suggests there are underlying differences.
What is the actual difference between these three connectors?
Azure Active Directory (legacy?)
Microsoft Entra (modern?)
Microsoft Entra SaaS (SaaS Connectivity?)
Are these differences purely naming-related, or do they reflect different connector architectures?
Source Type Clarification:
Is Microsoft Entra considered a traditional REST-based SaaS connector?
Is Microsoft Entra SaaS part of the newer SaaS Connectivity framework (cloud-native connectors)?
Best Practice for New Implementations:
Which connector is currently recommended by SailPoint for new deployments?
Should Azure AD connector be avoided going forward?
Migration Considerations:
If currently using Azure Active Directory connector, is there a recommended migration path to Entra connectors?
Context
I’m trying to standardize on the right connector for a new implementation and want to align with SailPoint’s current best practices and future roadmap rather than using a connector that might be considered legacy.
Hello Amrit, I will try to keep this simple and explain it the way I understand it.
Azure Active Directory and Microsoft Entra (sometimes shown as “Microsoft Entra ID” in the UI) are the same VA-based connector. SailPoint renamed it to match Microsoft’s own rebrand from Azure AD to Entra ID, but in some parts of the UI the old name still shows up. Same connector, same architecture, just a name change mid-transition.
Microsoft Entra SaaS is a completely different connector built on SailPoint’s SaaS Connectivity framework. It talks directly cloud-to-cloud using Microsoft Graph APIs and doesn’t need a VA at all.
For a new implementation, Microsoft Entra SaaS is the one to go with. It’s simpler to set up (no VA infrastructure to maintain), and SailPoint has been actively investing in it, including AI agent discovery for Copilot Studio, managed identity support, and Azure cloud governance features. The April 2026 connectivity announcement covers what’s been added recently.
Before you commit though, compare the supported features between the two connectors. Specifically check your provisioning use cases, license and group handling, Exchange/mail-enabled group requirements, and any CIEM needs. The SaaS connector has been catching up quickly and covers most scenarios now, but if you need something very specific (like certain legacy Exchange DL operations), make sure it’s there in the SaaS connector docs before switching.
If you already have a working Azure AD (VA-based) source in production, don’t migrate it just because of the name change. There’s no in-place migration path. You’d need to create a new source on the SaaS connector, configure it, aggregate, and handle identity correlation so your existing identities pick up the new source’s accounts. Only worth it if the SaaS connector gives you something you actually need that the VA-based one doesn’t, or if you’re looking to get rid of VA dependency.
Azure Active Directory / Microsoft Entra ID = same connector, renamed
Microsoft Entra SaaS = newer SaaS connector, no VA required
New builds = go SaaS if feature parity matches your requirements
Existing stable source = keep it unless there’s a real reason to move
In the SaaS release notes on Compass, SailPoint lists updates under “Microsoft Entra” and each release note clearly mentions whether it applies to the VA-based connector, the SaaS connector, or both. For example, the recent Group Membership Filter enhancement says “Identity Security Cloud - Now Available (both VA based and SaaS).” So the release note itself tells you which connector it targets.
For your tenant, Azure Active Directory and Microsoft Entra are the same VA-based connector underneath. If you created your source as “Azure Active Directory,” you’re still getting the same connector updates that the release notes describe for the VA-based Entra ID connector. The label in your tenant doesn’t change what code runs. So you don’t need to validate against both separately, they’re the same connector engine regardless of which name shows up in the source type dropdown.
For Azure Active Directory to Microsoft Entra ID, there is no migration activity needed from your side. That is Microsoft’s naming change, and SailPoint also notes that the connector may still show as Azure Active Directory in some UI places. The underlying connector code still gets updated through SailPoint’s regular release cycle, so you are not missing out on any enhancements just because the label in your tenant still says Azure Active Directory.
But moving from the Azure AD / Microsoft Entra ID connector to Microsoft Entra SaaS is different. ISC does not have a “swap connector type” option for an existing source, so this is not an automatic transition. It should be planned like a new source setup.
Before switching, I would compare the supported features and test things like:
account aggregation and correlation
group/license entitlement aggregation
provisioning operations
access profiles or roles referencing this source
certifications or workflows depending on the current source
any Exchange, PIM, CIEM, or cloud resource management use cases
You would also need to handle identity correlation so the accounts from the new SaaS source get linked to the right identities, and move over any access profiles, roles, or entitlements tied to the old source.
So in short, the rename itself does not need migration. But moving to Microsoft Entra SaaS should be planned and tested properly, preferably in sandbox first.