Clarification Needed: Microsoft Entra vs Azure AD vs Microsoft Entra SaaS Connectors in IDN

Hi everyone,

I’m working on a Microsoft Entra integration in SailPoint IdentityNow and came across something a bit confusing. I’d like to get clarity from the community on how to interpret the different source types/connectors that are currently available.

In my tenant, I can see the following options:

  • Azure Active Directory
  • Microsoft Entra
  • Microsoft Entra SaaS

From a Microsoft standpoint, I understand that Azure Active Directory was renamed to Microsoft Entra so logically they should refer to the same identity platform. However, in SailPoint IDN, these appear as separate connectors/source types, which suggests there are underlying differences.


My Questions

  1. What is the actual difference between these three connectors?

    • Azure Active Directory (legacy?)
    • Microsoft Entra (modern?)
    • Microsoft Entra SaaS (SaaS Connectivity?)
  2. Are these differences purely naming-related, or do they reflect different connector architectures?

  3. Source Type Clarification:

    • Is Microsoft Entra considered a traditional REST-based SaaS connector?
    • Is Microsoft Entra SaaS part of the newer SaaS Connectivity framework (cloud-native connectors)?
  4. Best Practice for New Implementations:

    • Which connector is currently recommended by SailPoint for new deployments?
    • Should Azure AD connector be avoided going forward?
  5. Migration Considerations:

    • If currently using Azure Active Directory connector, is there a recommended migration path to Entra connectors?

Context

I’m trying to standardize on the right connector for a new implementation and want to align with SailPoint’s current best practices and future roadmap rather than using a connector that might be considered legacy.


Looking for Input

If anyone has:

  • Hands-on experience with these connectors
  • Insights from SailPoint support or documentation
  • Recommendations or gotchas

…I’d really appreciate your guidance.

Thanks in advance!

Hello Amrit, I will try to keep this simple and explain it the way I understand it.

Azure Active Directory and Microsoft Entra (sometimes shown as “Microsoft Entra ID” in the UI) are the same VA-based connector. SailPoint renamed it to match Microsoft’s own rebrand from Azure AD to Entra ID, but in some parts of the UI the old name still shows up. Same connector, same architecture, just a name change mid-transition.

Microsoft Entra SaaS is a completely different connector built on SailPoint’s SaaS Connectivity framework. It talks directly cloud-to-cloud using Microsoft Graph APIs and doesn’t need a VA at all.

For a new implementation, Microsoft Entra SaaS is the one to go with. It’s simpler to set up (no VA infrastructure to maintain), and SailPoint has been actively investing in it, including AI agent discovery for Copilot Studio, managed identity support, and Azure cloud governance features. The April 2026 connectivity announcement covers what’s been added recently.

Before you commit though, compare the supported features between the two connectors. Specifically check your provisioning use cases, license and group handling, Exchange/mail-enabled group requirements, and any CIEM needs. The SaaS connector has been catching up quickly and covers most scenarios now, but if you need something very specific (like certain legacy Exchange DL operations), make sure it’s there in the SaaS connector docs before switching.

If you already have a working Azure AD (VA-based) source in production, don’t migrate it just because of the name change. There’s no in-place migration path. You’d need to create a new source on the SaaS connector, configure it, aggregate, and handle identity correlation so your existing identities pick up the new source’s accounts. Only worth it if the SaaS connector gives you something you actually need that the VA-based one doesn’t, or if you’re looking to get rid of VA dependency.

  • Azure Active Directory / Microsoft Entra ID = same connector, renamed
  • Microsoft Entra SaaS = newer SaaS connector, no VA required
  • New builds = go SaaS if feature parity matches your requirements
  • Existing stable source = keep it unless there’s a real reason to move

Thanks @punna0001 If SailPoint releases SaaS updates on Microsoft Entra ID connector.

https://community.sailpoint.com/t5/SaaS-Release-Notes/tkb-p/saas-release-notes

So, should I look for Azure Active Directory or Microsoft Entra source type if I have to validate the changes as both exits in my tenant?

https://community.sailpoint.com/t5/SaaS-Release-Notes/tkb-p/saas-release-notes

In the SaaS release notes on Compass, SailPoint lists updates under “Microsoft Entra” and each release note clearly mentions whether it applies to the VA-based connector, the SaaS connector, or both. For example, the recent Group Membership Filter enhancement says “Identity Security Cloud - Now Available (both VA based and SaaS).” So the release note itself tells you which connector it targets.

For your tenant, Azure Active Directory and Microsoft Entra are the same VA-based connector underneath. If you created your source as “Azure Active Directory,” you’re still getting the same connector updates that the release notes describe for the VA-based Entra ID connector. The label in your tenant doesn’t change what code runs. So you don’t need to validate against both separately, they’re the same connector engine regardless of which name shows up in the source type dropdown.

Thanks @punna0001

Curious to understand how the transition is handled, does this occur automatically, or should we plan for specific migration activities on our end?

Is anyone aware of this?

I would separate this into two parts.

For Azure Active Directory to Microsoft Entra ID, there is no migration activity needed from your side. That is Microsoft’s naming change, and SailPoint also notes that the connector may still show as Azure Active Directory in some UI places. The underlying connector code still gets updated through SailPoint’s regular release cycle, so you are not missing out on any enhancements just because the label in your tenant still says Azure Active Directory.

But moving from the Azure AD / Microsoft Entra ID connector to Microsoft Entra SaaS is different. ISC does not have a “swap connector type” option for an existing source, so this is not an automatic transition. It should be planned like a new source setup.

Before switching, I would compare the supported features and test things like:

  • account aggregation and correlation
  • group/license entitlement aggregation
  • provisioning operations
  • access profiles or roles referencing this source
  • certifications or workflows depending on the current source
  • any Exchange, PIM, CIEM, or cloud resource management use cases

You would also need to handle identity correlation so the accounts from the new SaaS source get linked to the right identities, and move over any access profiles, roles, or entitlements tied to the old source.

So in short, the rename itself does not need migration. But moving to Microsoft Entra SaaS should be planned and tested properly, preferably in sandbox first.