Question on SailPoint ISC + Entra ID: Handling Manual Group Assignments

Hi everyone!

Looking for some clarification and real-world experiences around SailPoint Identity Security Cloud (ISC) with Microsoft Entra ID.

Scenario:

  • A user is manually added (out-of-band) to 5 Entra ID groups directly from the Entra portal.

  • Those same groups are also bundled into an Access Profile, which is assigned through a Role in SailPoint.

  • The role has an assignment condition (for example: Department = ABC).

  • The user does not meet this criterion.

  • After some time, the user transitions to an Inactive lifecycle state, triggering role recalculation / lifecycle processing.

Discussion points / questions:

  • When the user becomes Inactive and no longer qualifies for the role, SailPoint will obviously remove the role assignment — but what happens to the manual Entra ID group memberships?

  • Does SailPoint treat these backend-added groups as out-of-band / unmanaged access and leave them as-is after aggregation?

  • Under what conditions have you seen ISC automatically revoke such access (for example: when access was previously provisioned by SailPoint, governed by lifecycle rules, or enforced via policies/workflows)?

  • What’s the recommended best practice to make sure manual group assignments don’t linger when users don’t meet role criteria or become inactive?

Curious to hear how others are handling this — especially around governance vs enforcement in ISC.

Thanks in advance!

Hi Swapnasarit,

The answer can be found in the Deprovisioning with Access Profiles section of the admin docs. Basically, it depends on the relationship of those 5 “out of band”-added groups to the Access Profile [AP] and Role.

A) 5 Entitlements added out-of-band, all 5 are included in the AP in the Role:

  • ISC Revokes Role and nested AP, revoking all 5 groups.

B) 5 Entitlements added out-of-band, 4 or fewer in the AP included in the Role, and the “extra” groups are not also direct Entitlements added as part of the Role [Let i = # groups included in AP]:

  • ISC Revokes Role and nested AP, revoking the i groups. The “extra” 5-i are left alone, since they are not part of the Role.

C) 5 Entitlements added out-of-band, 4 or fewer (i) are in the AP in the role, and the “extra” (5-i) groups are included as direct Entitlements within the Role:

  • ISC Revokes Role, nested AP, and the (5-i) direct Entitlements, revoking all 5.

D) This isn’t what you asked, but for completeness: Let’s say all 5 were in an AP that was not part of a Role. The out-of-band addition means that the AP is detected as having been granted to the user. When the user becomes inactive, what happens depends on whether it was granted as part of an earlier lifecycle state [LCS]:

  • Never granted by an earlier LCS: no trigger to revoke

  • Granted earlier, still assigned when Inactive: no change, 5 groups remain

  • Granted earlier, not assigned when Inactive: ISC Revokes AP (not retryable)
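A small model of cases A through D as laid out in this answer, added here as a worked example (it is not SailPoint code and does not call the ISC API): the group names and the Role/Access Profile shapes are constructed, and the functions encode only the rules stated above.

```python
"""Model of the ISC deprovisioning cases described above.
Constructed example: group names and Role shapes are made up."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    ap_groups: frozenset                        # groups bundled in the Role's Access Profile
    direct_entitlements: frozenset = frozenset()  # groups attached to the Role directly

def split_on_role_revocation(oob_groups, role):
    """Return (revoked, lingering): out-of-band groups ISC removes with the
    Role (in its AP or a direct Entitlement of the Role) versus those that
    stay because nothing in the Role references them."""
    oob = frozenset(oob_groups)
    revoked = oob & (role.ap_groups | role.direct_entitlements)
    return revoked, oob - revoked

def classify_case(oob_groups, role):
    """Label the scenario with the case letter used in the answer."""
    extra = frozenset(oob_groups) - role.ap_groups
    if not extra:
        return "A"          # every out-of-band group is in the AP
    if extra.isdisjoint(role.direct_entitlements):
        return "B"          # extras are not referenced by the Role at all
    if extra <= role.direct_entitlements:
        return "C"          # extras are direct Entitlements of the Role
    return "B/C mixed"      # partly covered; not discussed in the thread

def ap_outside_role_on_inactive(granted_by_earlier_lcs, still_assigned_when_inactive):
    """Case D: the AP is detected from out-of-band groups but sits in no Role."""
    if not granted_by_earlier_lcs:
        return "no trigger to revoke"
    if still_assigned_when_inactive:
        return "no change, groups remain"
    return "AP revoked"

# Constructed sample: five groups added by hand in the Entra portal.
OOB = frozenset({"grp-fin-read", "grp-fin-write", "grp-hr-read", "grp-vpn", "grp-wiki"})
ROLE_ALL_IN_AP = Role(ap_groups=OOB)
ROLE_PARTIAL = Role(ap_groups=frozenset({"grp-fin-read", "grp-fin-write", "grp-hr-read"}))
ROLE_PARTIAL_DIRECT = Role(ap_groups=ROLE_PARTIAL.ap_groups,
                           direct_entitlements=frozenset({"grp-vpn", "grp-wiki"}))

if __name__ == "__main__":
    for role in (ROLE_ALL_IN_AP, ROLE_PARTIAL, ROLE_PARTIAL_DIRECT):
        revoked, lingering = split_on_role_revocation(OOB, role)
        print(classify_case(OOB, role), "revoked:", sorted(revoked), "lingering:", sorted(lingering))
```

Run over a user's aggregated memberships, the lingering set is the access the original question worries about: groups no Role or AP references, which a Role recalculation will never touch.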

Hi @Swapna_Sarit

Can you please clarify:

You say the user does not meet the criterion for the Role (so is not assigned the Role) but you also say that when the user becomes inactive the role assignment is removed. How can it be removed if it was not assigned?