Hi all,
I’m running into a design/architecture issue around Azure AD group memberships and how they surface in SailPoint IdentityNow, and I’m looking for best‑practice guidance.
Current Situation
- Users receive membership to several SPE_E5* groups.
- These SPE_E5 groups are nested under a single parent group: PPC-License-M365E5-Full.
- This parent group is assigned to all users in SailPoint as a birthright rule.
- In SailPoint IDN, the nested SPE_E5 groups appear as individual entitlements per user, but:
  - They are not part of any Access Profile.
  - Only the parent group PPC-License-M365E5-Full is part of an Access Profile and is provided as birthright.
Constraints
Azure application management has confirmed:
- The Azure birthright rule cannot be changed.
- The logic cannot be moved to SailPoint provisioning.
Impact on Certification Campaigns
For the manager certification campaign:
- I can filter out these SPE_E5 entitlements using a prefix filter.
- However, the clean SailPoint design ideally follows the structure Role → Access Profile → Entitlement, and this situation breaks that alignment.
Question
How would you handle this scenario? Specifically:
- Would you maintain filtering as the long‑term solution?
- Would you model the nested groups differently?
- Or would you adjust the Access Profile design, even though Azure controls the actual assignment?
Any best‑practice recommendations are welcome.
Kind regards,
L. Jansen
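An added example, not part of the post above, that models the described setup offline to show the blind spot of a prefix filter in a certification campaign: anything matching SPE_E5 is hidden from the reviewer whether or not it is actually implied by the birthright parent group. Group names come from the post; the user names, the "SPE_E5_Legacy" and "Finance-Reporting" entitlements and the Access Profile name are constructed.

```python
# Added example (not the poster's or SailPoint's code): checks what a prefix
# filter hides from a certification campaign versus what the birthright
# parent group actually implies through Azure AD nesting.
from typing import Dict, List, Set

# Constructed sample data mirroring the post. Only the group names
# PPC-License-M365E5-Full and the SPE_E5 prefix come from the post.
PARENT = "PPC-License-M365E5-Full"
NESTED: Dict[str, Set[str]] = {PARENT: {"SPE_E5_Exchange", "SPE_E5_Teams", "SPE_E5_Intune"}}
ACCESS_PROFILES: Dict[str, Set[str]] = {"AP-M365-E5": {PARENT}}  # hypothetical profile name
USERS: Dict[str, Set[str]] = {
    "alice": {PARENT, "SPE_E5_Exchange", "SPE_E5_Teams", "SPE_E5_Intune"},
    "bob":   {PARENT, "SPE_E5_Exchange", "SPE_E5_Teams", "SPE_E5_Intune", "Finance-Reporting"},
    "carol": {PARENT, "SPE_E5_Exchange", "SPE_E5_Teams", "SPE_E5_Intune", "SPE_E5_Legacy"},
}

def expand(groups: Set[str]) -> Set[str]:
    """Transitively expand nested group membership, as Azure AD evaluates it."""
    out, stack = set(groups), list(groups)
    while stack:
        g = stack.pop()
        for child in NESTED.get(g, ()):
            if child not in out:
                out.add(child)
                stack.append(child)
    return out

def covered_by_access_profiles() -> Set[str]:
    """Entitlements an Access Profile grants, directly or via nesting."""
    return expand(set().union(*ACCESS_PROFILES.values()))

def review_scope(user: str, prefix: str = "SPE_E5") -> Dict[str, List[str]]:
    """Split a user's entitlements into what the campaign shows, what the prefix
    filter hides, and hidden or shown items not explained by any Access Profile."""
    held = USERS[user]
    implied = covered_by_access_profiles()
    hidden = {e for e in held if e.startswith(prefix)}
    return {
        "reviewed": sorted(held - hidden),
        "hidden_implied": sorted(hidden & implied),
        "hidden_unexplained": sorted(hidden - implied),  # the filter masks a real grant
        "orphan": sorted((held - hidden) - implied),     # shown, but outside any Access Profile
    }

if __name__ == "__main__":
    for u in USERS:
        print(u, review_scope(u))
```

For "carol" the report flags SPE_E5_Legacy as hidden but unexplained, which is exactly the case a prefix-only exclusion would never surface to the manager.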