Is it possible to assign a default license and allow upgrade via request, removing the previous one?

Hi everyone,

I’m working on an integration between SailPoint IdentityNow and Microsoft Entra ID, where Microsoft 365 licenses are assigned via Entra ID groups (e.g., for F3 and E3 licensing).

We currently have:

  • A default RBAC role in IdentityNow that assigns the F3 license to all new employees by placing them into the corresponding Entra ID group.

Now, we want to support the following use case:

After a user is created and receives the default F3 license, we want to allow them to request an upgrade to E3 via SailPoint.

When this upgrade is approved, the expectation is that the F3 license group is removed and only the E3 group remains.

:red_question_mark: My main questions are:

  • Is this kind of overwrite logic possible within SailPoint?
  • Can we automatically remove the default license group and assign only the upgraded one?
  • How do we avoid the system reapplying the default RBAC license (F3) after the upgrade has been completed?

Would love to hear if anyone has handled a similar licensing model or has best practices for this kind of scenario.

Thanks in advance!