Query Regarding Automatic Deprovisioning of Azure Entitlements in SailPoint Content:

Hello Team,

I am reaching out to seek clarification regarding an issue we’re facing with Azure entitlement deprovisioning in SailPoint.

Issue Summary:

We have Azure configured as a connected application in SailPoint, and our expectation is that Azure entitlements should be automatically deprovisioned when they are rejected through access reviews or certifications. However, we’ve observed the following:

• Azure entitlements that were rejected over the past two weeks have not been automatically removed from user accounts.
• This raises a concern about whether the deprovisioning process is functioning as expected or if any additional configurations are required.

Points for Clarification:

1. Does SailPoint automatically trigger deprovisioning of Azure entitlements upon rejection in access reviews, or is there any manual intervention required?
2. Are there any specific configurations, provisioning policies, or connector settings we need to verify to ensure automatic deprovisioning works as expected?

Thanks in advance for your support!

Hi @deepakn

In my opinion, it should support. Validate once in connector documentation - Supported Features

As a another note, cross check is that entitlement part of any assigned roles ? Also, check logs once.

You meant to say, it should support by default without any rule or configuration right?

Yes, cross check once in the url I attached earlier.

Can you please let me know does it required before provisioning plan and after provisioning plan for the access revoke in certification to remove any entitlements that were marked by the access reviewer as needing to be revoked.

Hi @deepakn If your entitlement removal is under supported operations (As per the link) then you wouldn’t need before provisioning rule.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.