In the Azure AD Connector, when you “Provision and Revoke access request for a ServicePrincipal”, what are you actually doing in Azure? What Graph Endpoint does this call?
Hi @rachel_henne ,
Welcome to the Sailpoint Developer Community!
I am not sure which specific Graph API is executed internally by Sailpoint, but as per the Graph API guide:
Provisioning Access for a Service Principal:
- You would typically need to assign roles or permissions to a Service Principal to provide access to specific resources. Here’s a general sequence of steps:
- Authenticate and acquire an access token for your application.
- Use the Microsoft Graph API endpoints to assign roles or permissions to the Service Principal.
Example API endpoint to assign an application role to a Service Principal:
POST /v1.0/servicePrincipals/{servicePrincipalId}/appRoleAssignments
Revoking Access for a Service Principal:
- To revoke access, you would remove the assigned roles or permissions from the Service Principal:
- Authenticate and acquire an access token for your application.
- Use the appropriate API endpoints to remove the role assignments.
Example API endpoint to remove an application role assignment from a Service Principal:
DELETE /v1.0/servicePrincipals/{servicePrincipalId}/appRoleAssignments/{appRoleAssignmentId}
Please refer to this: Grant an appRoleAssignment to a service principal - Microsoft Graph v1.0 | Microsoft Learn
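The provision/revoke sequence described in the reply above, as an added example (not SailPoint connector code and not from the original post). The two Graph endpoints and the request body fields (principalId, resourceId, appRoleId) are the documented v1.0 ones; the bearer token, the object ids and the in-memory FakeGraph transport are constructed so the exchange runs offline. The transport mimics the status codes the real service returns, including the 400 Graph gives when the same assignment is posted twice and the 404 when a revoked assignment is deleted again, because those are the two cases a provisioning connector has to handle cleanly.

```python
"""Provision and revoke a Graph appRoleAssignment for a service principal.

Added example, not SailPoint's connector code. Endpoints and body fields are
the documented Microsoft Graph v1.0 ones; token, ids and FakeGraph are constructed.
A real caller needs an app token holding AppRoleAssignment.ReadWrite.All.
"""
from __future__ import annotations

import json
import uuid
from dataclasses import dataclass, field

GRAPH = "https://graph.microsoft.com/v1.0"
# Graph uses the all-zero GUID as the appRoleId for "default access" when the
# resource application defines no app roles.
DEFAULT_APP_ROLE = "00000000-0000-0000-0000-000000000000"


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class FakeGraph:
    """Constructed stand-in for the Graph service: keeps assignments in memory
    and returns the status codes the real API uses (201, 204, 400, 401, 404)."""

    def __init__(self, expected_token: str):
        self.expected_token = expected_token
        self.assignments: dict[str, dict] = {}  # assignment id -> assignment

    def send(self, method: str, url: str, headers: dict, body: dict | None) -> Response:
        if headers.get("Authorization") != f"Bearer {self.expected_token}":
            return Response(401, {"error": {"code": "InvalidAuthenticationToken"}})
        path = url[len(GRAPH):].strip("/").split("/")
        # Only servicePrincipals/{spId}/appRoleAssignments[/{assignmentId}] is modelled.
        if len(path) < 3 or path[0] != "servicePrincipals" or path[2] != "appRoleAssignments":
            return Response(404, {"error": {"code": "Request_ResourceNotFound"}})
        sp_id = path[1]
        if method == "POST" and len(path) == 3:
            if body["principalId"] != sp_id:
                return Response(400, {"error": {"code": "Request_BadRequest"}})
            key = (body["principalId"], body["resourceId"], body["appRoleId"])
            if any((a["principalId"], a["resourceId"], a["appRoleId"]) == key
                   for a in self.assignments.values()):
                # Real Graph rejects a duplicate assignment with 400 and this message.
                return Response(400, {"error": {"code": "Request_BadRequest",
                    "message": "Permission being assigned already exists on the object"}})
            assignment = {"id": str(uuid.uuid4()), **body}  # constructed id format
            self.assignments[assignment["id"]] = assignment
            return Response(201, assignment)
        if method == "DELETE" and len(path) == 4:
            removed = self.assignments.pop(path[3], None)
            if removed is None or removed["principalId"] != sp_id:
                return Response(404, {"error": {"code": "Request_ResourceNotFound"}})
            return Response(204)
        return Response(405, {"error": {"code": "MethodNotAllowed"}})


class AppRoleClient:
    """Builds the two Graph calls; `send` is any transport with FakeGraph.send's shape."""

    def __init__(self, token: str, send):
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.send = send

    def provision(self, sp_id: str, resource_sp_id: str, app_role_id: str = DEFAULT_APP_ROLE) -> dict:
        # POST /v1.0/servicePrincipals/{spId}/appRoleAssignments
        url = f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments"
        body = {"principalId": sp_id, "resourceId": resource_sp_id, "appRoleId": app_role_id}
        resp = self.send("POST", url, self.headers, body)
        if resp.status != 201:
            raise RuntimeError(f"provision failed: {resp.status} {json.dumps(resp.body)}")
        return resp.body  # contains the assignment id needed later for revocation

    def revoke(self, sp_id: str, assignment_id: str) -> bool:
        # DELETE /v1.0/servicePrincipals/{spId}/appRoleAssignments/{assignmentId}
        url = f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments/{assignment_id}"
        resp = self.send("DELETE", url, self.headers, None)
        if resp.status == 204:
            return True
        if resp.status == 404:
            return False  # already gone; treat a repeated revoke as a no-op, not a failure
        raise RuntimeError(f"revoke failed: {resp.status} {json.dumps(resp.body)}")


def demo() -> dict:
    """Run provision, duplicate provision, revoke and repeated revoke against FakeGraph."""
    token = "constructed-token"
    graph = FakeGraph(expected_token=token)
    client = AppRoleClient(token, graph.send)
    sp = "11111111-1111-1111-1111-111111111111"   # constructed: SP receiving access
    api = "22222222-2222-2222-2222-222222222222"  # constructed: resource (API) SP
    role = "33333333-3333-3333-3333-333333333333" # constructed: appRole id on that API
    assignment = client.provision(sp, api, role)
    duplicate_rejected = False
    try:
        client.provision(sp, api, role)
    except RuntimeError:
        duplicate_rejected = True
    first = client.revoke(sp, assignment["id"])
    second = client.revoke(sp, assignment["id"])
    return {"assignment": assignment, "duplicate_rejected": duplicate_rejected,
            "first_revoke": first, "second_revoke": second, "remaining": len(graph.assignments)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Graph accepts the same body when the principal is a user (POST /v1.0/users/{userId}/appRoleAssignments, with principalId set to the user's object id); whether the IIQ connector takes that path or some other one is exactly what this thread leaves unanswered, so the example only shows the Graph side.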
Hello there–I appreciate you taking the time, but my question is not how to assign roles to a service principal with the Graph API, my question is what does the Sailpoint IIQ Azure connector do? In IIQ, the service principal is a Group object. So what is the connector doing when you add a User to a Service Principal in the IIQ UI?