ISC Microsoft SharePoint Online Connector “struggles” with Bulk Entitlement Removal

If you are using the Microsoft SharePoint Online Connector and some version of the “Remove all access” feature, you might have run into this:

If an Identity has too many Entitlements on the SharePoint Online source (>70 in our experience), or the account is ‘too big’ in another way, your Entitlement Removal might either only work part of the way - or fail outright.

We talked to Support about this and they were able to confirm that (long story very short) this is because of the way the connector removes Entitlements on the source, and how that might clash with the Rate Limiting of the underlying Graph API (and max Provisioning Plan size).

If you experience the same issue, or similar, contribute to our related idea here, so that related issues can be identified and hopefully addressed as well:
Microsoft SharePoint Online: Prevent basic | SailPoint Ideas Portal

What is the correct behavior?

We would expect that the Connector takes these limitations into account when creating, packaging and sending bulk requests to the system.

Ideally, when we configure the “Remove All Access” functionality, we would expect that the standard OOTB connectors can handle this, unless otherwise described.

What product feature is this related to?

We run into this issue at the intersection of the Microsoft SharePoint Online VA connector (Integrating SailPoint and Microsoft SharePoint Online) and the new “Remove All Access on Termination” functionality (New Capability: Remove All Access on Termination).

What are the steps to reproduce the issue?

  1. Implement the SharePoint Online connector and aggregate users that have >70 Entitlements on SharePoint.
  2. Configure a Lifecycle State that triggers the “Remove All Access” functionality.
  3. Move an Identity with an Entitlement-heavy account to the new LCS.
  4. Watch the first bulk of Entitlements be removed - and then receive a 529 TOO MANY REQUESTS error for the rest :grinning_face:

Do you have any other information about your environment that may help?

We are on the Cluster Version CCG v1120, and the SharePoint connector is not customized in any way.


Hi all,

It looks like part of this issue was fixed with the last release. :tada:

Connectivity - Microsoft SharePoint Online
CONETN-5172 : The SailPoint SharePoint Online Connector now handles 429 Rate Limit errors by retrying update operations.
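
The behavior discussed in this thread (bounded removal plans, retry on a rate-limit response, and reporting whatever could not be removed) can be sketched as follows. This is an added illustration, not SailPoint's connector code and not part of the posts above; `FakeSource`, `Throttled`, `remove_all_access`, the plan size of 25 and the 2-second back-off are all constructed assumptions.

```python
import time

class Throttled(Exception):
    """Constructed stand-in for an HTTP 429 response with a Retry-After value."""
    def __init__(self, retry_after):
        super().__init__("429 Too Many Requests")
        self.retry_after = retry_after

class FakeSource:
    """Constructed simulator of a throttled source; limits are made-up values."""
    MAX_PLAN = 25  # hypothetical cap on entitlements per request

    def __init__(self, entitlements, requests_per_window=2):
        self.entitlements = set(entitlements)
        self.requests_per_window = requests_per_window
        self.calls = 0

    def apply_plan(self, batch):
        if len(batch) > self.MAX_PLAN:
            raise ValueError("plan exceeds maximum size")
        if self.calls >= self.requests_per_window:
            self.calls = 0  # window resets once the client has been throttled
            raise Throttled(retry_after=2)
        self.calls += 1
        self.entitlements -= set(batch)

def remove_all_access(source, entitlements, plan_size=25, max_retries=3,
                      sleep=time.sleep):
    """Split the removal into bounded plans and retry throttled plans.

    Returns (removed, failed) so a partial removal is reported, not hidden.
    """
    pending = list(entitlements)
    removed, failed = [], []
    for i in range(0, len(pending), plan_size):
        plan = pending[i:i + plan_size]
        for attempt in range(max_retries + 1):
            try:
                source.apply_plan(plan)
                removed.extend(plan)
                break
            except Throttled as t:
                if attempt == max_retries:
                    failed.extend(plan)  # retries exhausted: surface it
                else:
                    sleep(t.retry_after)  # honor the server's back-off hint
    return removed, failed
```

For a termination workflow, a non-empty `failed` list is the thing to alert on, since it means the account still holds access after the lifecycle state change.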