Design Approaches for Managing Guest Users in IIQ

Hi team,

Has anyone implemented a use case related to managing Azure guest users via SailPoint IIQ using the Entra ID connector, whether through forms, plugins, or other custom approaches?

We are in 8.4 P2 and would appreciate it if you could share any insights, challenges, or lessons learned, especially around:

  • Form/UI design for guest user onboarding
  • Offboarding triggers and relevant workflows
  • Any limitations with the Entra ID connector
  • Access review processes

Thanks in advance!

Hi @KARTHI,

You are asking about everything related to Azure management. Do you have any specific problem or doubt?

Not really… but let me start with the primary question:
Do guest users need to be managed as identities within SailPoint?

We currently have over 200,000 guest accounts accessing various Teams sites and other resources.
What would be the most efficient or recommended way to handle them?

OK, this is a good question.
200k accounts is a considerable number.

Following the philosophy of IAM, yes. It's better to manage all of a company's accounts.
As identities? It depends. It depends on whether you can correlate those accounts with the accounts coming from an auth source, or Azure could be your auth source for guest users. Otherwise you have a lot of uncorrelated identities, and that is no good.

In any case, 200k accounts can impact your environment. So, analyze whether it's necessary to have those accounts in IIQ and whether you have enough resources on your servers to manage them.

You can consider managing guest users in a separate environment.

1 Like

It may be useful to have separate Azure applications, one for regular users and the other for guests. You should be able to do that with account filters.

Please keep us updated with what you learn.

1 Like

Hello,

We had the same situation and we followed the below approach.

  1. Created 2 different sources, 1 for normal Entra ID accounts and 1 for guest Entra ID accounts.
  2. In the aggregation filter, we used the below filter strings.

For normal Entra ID accounts: userType eq 'Member'
For guest Entra ID accounts: userType eq 'Guest'

  3. In this way, we were able to segregate the normal and guest user accounts effectively.
  4. Also, if you are going to provision guest users from IIQ to Entra ID, then make sure that you are configuring guest-account-specific attributes only, as per the SailPoint IIQ - Entra ID Connector documentation.

Thank You,

Regards,
Rohit Wekhande.

1 Like

Thanks @enistri_devo , @paul_hilchey @rohit_wekhande for your inputs.

Using a separate Azure AD application as the authoritative source for guest users sounds like a good approach. Could you please share how new guest users were onboarded? Was IIQ used for this, and did you create any custom Quicklink forms as part of the process?

Hello,

If you go through the SailPoint - MS Entra ID Connector documentation, you will find a section on Provisioning Profile configuration.

This section explicitly explains which attributes to provision in order to create a guest account through the Invite approach. Note that guest accounts are created in Azure AD through invitations, where registration invites are sent to end users' mailboxes.

Refer to the section below.
https://documentation.sailpoint.com/connectors/microsoft/entra_id/help/integrating_entra_id/create_account_policy.html

We used the OOTB provisioning policy approach only. Check it in IIQ; it should be possible to do it through provisioning policies only rather than going with the Quicklink approach.

Thank You,

Regards,
Rohit Wekhande

Thanks, @rohit_wekhande, for the link. Just to be clear, I hope you're using the default 'Create Identity' option to set up the guest user, and applying a birthright entitlement that triggers the provisioning policy to send the guest invite, correct?

Yes, that's correct!

We told the Entra ID owner to create a birthright entitlement, which we aggregated into ISC. Then we created a role and assigned criteria that triggered the Create Account provisioning policy for the respective Entra ID source which we created for guest user creation.

1 Like

Thanks @rohit_wekhande, for the clarification. I now have a clearer understanding of the joiner flow and would appreciate your insights on a corner case: if a guest user doesn't accept the invitation, for example after 30 days, what are the best practices for cleaning up such pending invitations, deleting the guest account in Azure AD, and managing the associated identities in IIQ (or ISC)?

Hello,

I think disabling or deleting the guest account in Entra ID and maintaining the identity cube in IIQ could be a good approach from an auditing perspective, because although the user will be hard deleted in Entra ID, you will still have traces of its activity during the provisioning and invite-sending period.

Regards,
Rohit Wekhande

1 Like

Is there a way to identify guest accounts with a pending invitation status and trigger the cleanup process from SailPoint, instead of managing it directly in Entra ID?

We’re also considering using the lastSignInDateTime attribute to clean up guest accounts that have been inactive for a while.

Are there any other leaver or cleanup scenarios I might be overlooking?

I also came across a high-level video demo, "Demo: Managing Azure AD External Identities with SailPoint IdentityIQ", which could be helpful for anyone referring to this thread in the future.

Hello,

You can try to use the following 2 approaches, though I have not used them.

Approach 1.

  1. Create a business process and call Entra ID Graph APIs to get dormant accounts (in your case, the accounts which have not accepted the invites). I think there is an attribute in Entra ID through which you can figure out whether an invite has been accepted by the user or not.
  2. Run this business process every day.
  3. Then get the user ID and raise the delete account requests for the users from IIQ.

Approach 2

  1. Create a PowerShell script and host it on the IQService server, which will have the same logic.
  2. Create a Task Scheduler job and schedule the script execution.

1 Like
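The selection step of Approach 1 (pending invites older than 30 days) together with the lastSignInDateTime inactivity idea raised earlier in the thread, worked through as an added Python example; this is not Rohit's, SailPoint's or Microsoft's code. It assumes the business process has already fetched guest user objects from Microsoft Graph: userType, externalUserState, externalUserStateChangeDateTime and signInActivity.lastSignInDateTime are real Graph user properties, while the records, ids and thresholds below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like Microsoft Graph /users objects.
# The property names are real Graph properties; the values are made up.
SAMPLE_USERS = [
    {"id": "g-001", "userType": "Guest", "externalUserState": "PendingAcceptance",
     "externalUserStateChangeDateTime": "2024-01-01T10:00:00Z", "signInActivity": None},
    {"id": "g-002", "userType": "Guest", "externalUserState": "Accepted",
     "externalUserStateChangeDateTime": "2024-02-01T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-06-20T08:00:00Z"}},
    {"id": "g-003", "userType": "Guest", "externalUserState": "Accepted",
     "externalUserStateChangeDateTime": "2023-05-01T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-11-01T08:00:00Z"}},
    {"id": "g-004", "userType": "Guest", "externalUserState": "PendingAcceptance",
     "externalUserStateChangeDateTime": "2024-06-25T10:00:00Z", "signInActivity": None},
    {"id": "g-005", "userType": "Guest", "externalUserState": "Accepted",
     "externalUserStateChangeDateTime": "2023-06-01T10:00:00Z", "signInActivity": None},
    {"id": "m-001", "userType": "Member", "externalUserState": None,
     "externalUserStateChangeDateTime": None, "signInActivity": None},
]

# Fixed "now" so the run is reproducible (constructed).
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse a Graph ISO-8601 timestamp such as 2024-01-01T10:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_guest(user, now, invite_max_days=30, inactive_max_days=180):
    """Return 'pending-expired', 'inactive', or None when the guest should be kept.
    Member accounts are never candidates, matching the userType eq 'Guest' split."""
    if user.get("userType") != "Guest":
        return None
    changed = user.get("externalUserStateChangeDateTime")
    if user.get("externalUserState") == "PendingAcceptance":
        # Invite never accepted: expire it after invite_max_days.
        if changed and now - _parse(changed) > timedelta(days=invite_max_days):
            return "pending-expired"
        return None
    # Accepted guest: judge on last sign-in, falling back to acceptance date
    # when signInActivity is absent (it needs extra Graph permissions to read).
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime") or changed
    if last and now - _parse(last) > timedelta(days=inactive_max_days):
        return "inactive"
    return None


def cleanup_candidates(users, now, **thresholds):
    """Map user id -> reason for every guest the leaver process should act on."""
    return {u["id"]: r for u in users if (r := classify_guest(u, now, **thresholds))}


if __name__ == "__main__":
    for uid, reason in cleanup_candidates(SAMPLE_USERS, NOW).items():
        print(f"{uid}: {reason}")
```

The same decision table would sit in the workflow rule or the IQService PowerShell script; the delete account request itself still goes through IIQ so the identity cube keeps the audit trail.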
