Entra ID - Enterprise App Management

Hi Experts,

Can someone help clarify if Enterprise Applications in Entra ID can be managed through SailPoint, specifically in terms of adding or removing users from these applications? I’ve come across information related to Service Principal account management, but it’s not very helpful for my use case. I’m particularly interested in reading Enterprise Applications as entitlements for users who are directly assigned to these apps.

Thank you!

SailPoint IdentityNow integrates with Entra ID (formerly Azure AD) to manage user access to Enterprise Applications, treating them as entitlements for governance, reporting, and access reviews. Users can be assigned directly or through Entra ID groups, with automated provisioning and deprovisioning based on policies. If an app supports SCIM or API-based provisioning, SailPoint can manage user access directly; otherwise, access is controlled via groups. Access requests and approvals are automated where possible, ensuring compliance. Some apps may need manual intervention or custom connectors, but overall, SailPoint simplifies identity governance and security for Enterprise Applications.

Hi Chaithanya,

Thanks for your response!
But unfortunately, this does not answer my specific requirement. What I am looking to understand is whether the Entra ID SaaS connector can add and remove users directly from an Enterprise app, treating enterprise apps as entitlements and not via roles.
Let's say I have an Enterprise App ‘ABC’ in Entra ID and there are some users (User1, User2) who are directly assigned to this app on the Entra side. Is it possible to read ‘ABC’ as an entitlement object for these users? Is it possible to add/remove the ABC app for these users via SailPoint?

Yes, if App ‘ABC’ supports direct user assignment, then IdentityNow can read it as an entitlement and add/remove users from it.

But, is this possible via the Entra ID connector? If so, please share more details on this configuration as I was not able to find it.

@Chaithanya, I had already gone through this documentation, but was not quite able to figure it out, which is why I posted this in the forum.

The steps which I had performed:

  1. Added servicePrincipal as group object.
  2. Associated it with account schema attribute “servicePrincipals”.

But it ended with the error “unsupported object type :servicePrincipal” for entitlement aggregation, and I was not able to read Enterprise Apps as entitlements.

Currently I am able to read all other objects from Entra (including the ones which need CIEM).
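For checking, outside SailPoint, which users are directly assigned to the enterprise app ‘ABC’ (the assignments a connector would have to aggregate as entitlements), here is an added example using the Microsoft Graph PowerShell SDK. It is not code from SailPoint or from anyone in this thread; the app name ‘ABC’ comes from the question above, and the permission scopes and SDK availability are assumptions.

```powershell
# Added example: list the direct user assignments of enterprise app 'ABC'
# via Microsoft Graph, which is where Entra stores app-role assignments.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can
# consent to the scopes below; 'ABC' is the app name used in this thread.
Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All" -NoWelcome

# An enterprise app is a service principal; look it up by display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'ABC'"
if (-not $sp) { throw "Service principal 'ABC' not found" }

# appRoleAssignedTo returns every principal assigned to this app.
# PrincipalType is 'User' for direct assignments and 'Group' for group-based ones,
# which is the distinction the thread is asking about.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

$direct = $assignments | Where-Object { $_.PrincipalType -eq 'User' }
$direct |
    Select-Object PrincipalDisplayName, PrincipalId, AppRoleId, CreatedDateTime |
    Format-Table -AutoSize

# Apps that define no app roles use the all-zeros default role id.
# Granting one user a direct assignment (the entitlement "add" operation):
#   New-MgUserAppRoleAssignment -UserId $userId -PrincipalId $userId `
#       -ResourceId $sp.Id -AppRoleId '00000000-0000-0000-0000-000000000000'
# Revoking it (the "remove" operation) uses the assignment id listed above:
#   Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
#       -AppRoleAssignmentId $assignment.Id
```

The output lists only directly assigned users; if an expected user is missing here but can sign in to the app, their access is coming through a group assignment rather than a direct one.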