Description
The SailPoint Microsoft Entra connector, in both its SaaS and Virtual Appliance (VA) based forms, now provides a “Group Membership Filter” to exclude selected group memberships from account aggregation. You can filter out groups synchronized from on-premises Active Directory, so that groups already governed through Active Directory are not aggregated a second time in a hybrid environment, and you can exclude dynamic group memberships. The connector also now reads all sign-in activity information for users.
Both capabilities, the group membership filter and the complete set of sign-in activity attributes, are available now in Identity Security Cloud for the VA based and the SaaS connector. They will also be available in the upcoming IdentityIQ releases (8.5, and the next patches of 8.4 and 8.3).
We have introduced an additional filter setting, Group Membership Filters, which you can use to define the scope of group memberships included in account aggregation. These filters are evaluated during account aggregation and apply only to memberships where objectType = group, that is, to Security, Microsoft 365 (Office 365), Mail-Enabled Security, and Distribution group memberships. Memberships of any other object type are left unfiltered. For the filter syntax, refer to the Microsoft Graph documentation on the $filter query parameter.
- To aggregate only memberships of groups that are not synchronized from on-premises AD (that is, cloud-only groups), use: onPremisesSyncEnabled ne true
- To exclude dynamic group memberships during account aggregation, use: NOT groupTypes/any(c:c eq 'DynamicMembership')
- To aggregate only memberships of groups whose display name starts with ‘A’, use: startswith(displayName,'A')
Notes:
- You can provide filters as shown in the examples above, and the connector builds the corresponding Microsoft Graph advanced query for you. The field supports advanced query operators such as endsWith, NOT, and ne.
- Excluding membership information is not a best practice from a governance and security standpoint; SailPoint provides this capability to address the challenges of hybrid environments. You should maintain full visibility into users and applications, including their groups, their assigned permissions, and how those configurations affect access to resources. Use the Group Membership Filter carefully and only when necessary, so that access remains properly managed and only the right individuals can reach sensitive information or resources.
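The following is an added illustration of what the three example filters above select; it is not SailPoint's connector code and does not implement the full Microsoft Graph $filter grammar, only the three predicates shown on this page. The memberships are a constructed sample shaped like entries from a user's Microsoft Graph memberOf collection, and the sample names, ids and helper functions are assumptions made for the example.

```python
"""Added illustration of Group Membership Filter semantics (not SailPoint code).
Applies the three OData predicates from the page to a constructed sample of one
user's Microsoft Graph memberOf results. Only those predicates are implemented."""
from typing import Callable, Dict, List

Membership = Dict[str, object]
Predicate = Callable[[Membership], bool]

GROUP_TYPE = "#microsoft.graph.group"

# Constructed sample shaped like GET /users/{id}/memberOf entries (not real tenant data).
SAMPLE_MEMBERSHIPS: List[Membership] = [
    {"@odata.type": GROUP_TYPE, "id": "g1", "displayName": "AD-Finance",
     "onPremisesSyncEnabled": True, "groupTypes": []},              # synced from on-prem AD
    {"@odata.type": GROUP_TYPE, "id": "g2", "displayName": "Azure Admins",
     "onPremisesSyncEnabled": None, "groupTypes": []},              # cloud-only, assigned membership
    {"@odata.type": GROUP_TYPE, "id": "g3", "displayName": "All Staff",
     "onPremisesSyncEnabled": None, "groupTypes": ["Unified", "DynamicMembership"]},  # cloud-only, dynamic
    {"@odata.type": GROUP_TYPE, "id": "g4", "displayName": "Payroll",
     "onPremisesSyncEnabled": False, "groupTypes": []},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "r1",
     "displayName": "Global Administrator"},                        # not a group: never filtered
]


def cloud_only(g: Membership) -> bool:
    """onPremisesSyncEnabled ne true. Cloud-only groups report null for this
    property, and Graph's 'ne true' matches null as well as false."""
    return g.get("onPremisesSyncEnabled") is not True


def not_dynamic(g: Membership) -> bool:
    """NOT groupTypes/any(c:c eq 'DynamicMembership')"""
    return "DynamicMembership" not in (g.get("groupTypes") or [])


def display_name_startswith(prefix: str) -> Predicate:
    """startswith(displayName,'<prefix>'); Graph string functions compare case-insensitively."""
    def pred(g: Membership) -> bool:
        return str(g.get("displayName", "")).lower().startswith(prefix.lower())
    return pred


def all_of(*preds: Predicate) -> Predicate:
    """Combine predicates the way 'and' does inside a single $filter expression."""
    return lambda g: all(p(g) for p in preds)


def apply_group_membership_filter(memberships: List[Membership], pred: Predicate) -> List[str]:
    """Return the ids that survive aggregation. The predicate is evaluated only for
    objects of type group; directory roles and other memberships pass through."""
    kept: List[str] = []
    for m in memberships:
        if m.get("@odata.type") != GROUP_TYPE or pred(m):
            kept.append(str(m["id"]))
    return kept


if __name__ == "__main__":
    print("cloud only    :", apply_group_membership_filter(SAMPLE_MEMBERSHIPS, cloud_only))
    print("no dynamic    :", apply_group_membership_filter(SAMPLE_MEMBERSHIPS, not_dynamic))
    print("starts with A :", apply_group_membership_filter(SAMPLE_MEMBERSHIPS, display_name_startswith("A")))
    print("cloud + static:", apply_group_membership_filter(SAMPLE_MEMBERSHIPS, all_of(cloud_only, not_dynamic)))
```

Two points worth checking when you compose your own filter: a cloud-only group carries onPremisesSyncEnabled as null rather than false, which is why the page's example uses ne true instead of eq false, and the directory role in the sample is kept in every run because the filter never touches non-group memberships. If you test a filter directly against Microsoft Graph, remember that ne, NOT and endsWith are advanced query operators that require the ConsistencyLevel: eventual header and $count=true; the connector adds these for you.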
In addition to the above capability, the connector now reads all sign-in activity for users.
Attributes related to the interactive authentication method
- signInActivity.lastSignInDateTime: the last time the user signed in to the directory with an interactive authentication method.
- signInActivity.lastSignInRequestId: the request identifier of that last interactive sign-in.
Attributes related to the non-interactive authentication method
- signInActivity.lastNonInteractiveSignInDateTime: the last time a client signed in to the directory on behalf of the user (for example, an application redeeming a refresh token).
- signInActivity.lastNonInteractiveSignInRequestId: the request identifier of that last non-interactive sign-in.
Other Supported Attributes
The following attributes are also supported along with those listed above:
- signInActivity.lastSuccessfulSignInDateTime: the date and time of the user’s most recent successful sign-in.
- signInActivity.lastSuccessfulSignInRequestId: the request ID of that last successful sign-in.
NOTE - If you already use the LastSigninDateTime and lastNonInteractiveSignInDateTime attributes, there is no impact. We have generalized the representation so that any signInActivity property, including ones added in the future, can be read using the format signInActivity.attributeName.
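The following is an added example of consuming the signInActivity attributes described above in the generalized signInActivity.attributeName form; it is not SailPoint's code. The user records are a constructed sample shaped like a Microsoft Graph users response selected with signInActivity, the UPNs and request ids are fictitious, and the classification rules, window and fixed clock are assumptions made for the example. The point it shows is that an account can look active on its non-interactive timestamp alone, because a client is still redeeming tokens, while the person has not authenticated interactively for months.

```python
"""Added example (not SailPoint code): flatten Graph signInActivity into the
generalized 'signInActivity.<attributeName>' form and classify account dormancy."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample shaped like GET /users?$select=id,userPrincipalName,signInActivity
# (fictitious tenant, UPNs and request ids).
SAMPLE_USERS: List[dict] = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example",
     "signInActivity": {
         "lastSignInDateTime": "2024-05-20T08:15:00Z",
         "lastSignInRequestId": "11111111-1111-1111-1111-111111111111",
         "lastNonInteractiveSignInDateTime": "2024-05-31T02:00:00Z",
         "lastNonInteractiveSignInRequestId": "22222222-2222-2222-2222-222222222222",
         "lastSuccessfulSignInDateTime": "2024-05-31T02:00:00Z",
         "lastSuccessfulSignInRequestId": "22222222-2222-2222-2222-222222222222"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example",
     # Interactive sign-in in January; a background client still redeems tokens.
     "signInActivity": {
         "lastSignInDateTime": "2024-01-05T17:42:00Z",
         "lastSignInRequestId": "33333333-3333-3333-3333-333333333333",
         "lastNonInteractiveSignInDateTime": "2024-05-30T23:10:00Z",
         "lastNonInteractiveSignInRequestId": "44444444-4444-4444-4444-444444444444",
         "lastSuccessfulSignInDateTime": "2024-05-30T23:10:00Z",
         "lastSuccessfulSignInRequestId": "44444444-4444-4444-4444-444444444444"}},
    {"id": "u3", "userPrincipalName": "carol@contoso.example",
     "signInActivity": {
         "lastSignInDateTime": "2023-11-01T09:00:00Z",
         "lastSignInRequestId": "55555555-5555-5555-5555-555555555555",
         "lastNonInteractiveSignInDateTime": None,
         "lastNonInteractiveSignInRequestId": None,
         "lastSuccessfulSignInDateTime": "2023-11-01T09:00:00Z",
         "lastSuccessfulSignInRequestId": "55555555-5555-5555-5555-555555555555"}},
    {"id": "u4", "userPrincipalName": "dave@contoso.example",
     "signInActivity": None},  # never signed in: Graph returns no activity
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def flatten_sign_in_activity(user: dict) -> Dict[str, Optional[str]]:
    """Expose every nested field under the generalized 'signInActivity.<attributeName>' name,
    so properties Microsoft adds later are picked up without code changes."""
    return {f"signInActivity.{name}": value
            for name, value in (user.get("signInActivity") or {}).items()}


def parse_graph_time(value: Optional[str]) -> Optional[datetime]:
    """Graph emits ISO-8601 UTC timestamps with a trailing 'Z'; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def classify(user: dict, now: datetime = NOW, max_idle_days: int = 90) -> str:
    """never: no sign-in recorded at all.
    active: an interactive sign-in inside the window.
    token-only: only non-interactive activity inside the window (the person has not
               authenticated interactively; treat as a review candidate, not as active).
    dormant: nothing inside the window."""
    attrs = flatten_sign_in_activity(user)
    interactive = parse_graph_time(attrs.get("signInActivity.lastSignInDateTime"))
    non_interactive = parse_graph_time(attrs.get("signInActivity.lastNonInteractiveSignInDateTime"))
    if interactive is None and non_interactive is None:
        return "never"
    window_start = now - timedelta(days=max_idle_days)
    if interactive is not None and interactive >= window_start:
        return "active"
    if non_interactive is not None and non_interactive >= window_start:
        return "token-only"
    return "dormant"


def review_report(users: List[dict], now: datetime = NOW) -> Dict[str, str]:
    """Map each UPN to its dormancy class; the input for an access review."""
    return {u["userPrincipalName"]: classify(u, now) for u in users}


if __name__ == "__main__":
    for upn, state in review_report(SAMPLE_USERS).items():
        print(f"{upn:<25} {state}")
```

Measuring dormancy on lastSuccessfulSignInDateTime alone would report bob as active, since that field also reflects non-interactive sign-ins; keeping the interactive and non-interactive timestamps apart, as the connector now does, is what lets a review distinguish a person who has stopped signing in from a client that keeps a session alive.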
Documentation
- Microsoft Entra ID (VA Based):
- Microsoft Entra ID (SaaS):
Release Details
- Identity Security Cloud - Now Available (both VA based and SaaS).
- IdentityIQ - Upcoming releases (8.5, 8.4p3 and 8.3p5)