Service Principal Account Management

Which IIQ version are you inquiring about?

8.4 p1

Hello Team,

We want to aggregate the Service Principals from Azure to SailPoint IIQ

We have the following concerns and require your guidance:

Object Type Configuration:

  1. In the Azure application configuration in IIQ, we are unable to find any specific object type that corresponds to Service Principals. Could you confirm whether Service Principals are supported, and if so, which object type we need to configure to include them?

  2. I could see in the documentation that we can enable the features. Could you please explain how we can get the object type "Service Principal"?

Account Schema Update:

  1. As per the documentation, we have added the recommended attributes to the account schema. Despite this, we are still only fetching user accounts and not Service Principals during aggregation. Could you help us identify any additional configurations required?
    Service Principal as Accounts Attributes

Additional Configuration Steps:

If applicable, could you provide detailed documentation or guidance on how to enable this functionality?

Hi @deepakn ,

In SailPoint IIQ version 8.4p1, Service Principals are natively supported as an object type. You should be able to see the Service Principal object type by default in your configuration. If this object type is not visible, you may need to add it manually.

If you want to add service principals as an object type, you can add it from the application configuration.

Otherwise, add the schema below directly to the application XML using the debug page.

<Schema aggregationType="group" created="" descriptionAttribute="displayName" displayAttribute="displayName" id="" identityAttribute="objectId" nativeObjectType="servicePrincipal" objectType="servicePrincipal">
  <AttributeDefinition name="displayName" type="string">
    <Description>ServicePrincipal name</Description>
  </AttributeDefinition>
  <AttributeDefinition name="servicePrincipalType" type="string">
    <Description>ServicePrincipal type</Description>
  </AttributeDefinition>
  <AttributeDefinition name="objectId" type="string">
    <Description>ServicePrincipal ID</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="owners" type="string">
    <Description>ServicePrincipal Owners</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="appRoles" type="string">
    <Description>ServicePrincipal Roles</Description>
  </AttributeDefinition>
</Schema>

When you run the group aggregation, service principals are also fetched into SailPoint. When setting up the group aggregation, make sure that the filter for object types includes Service Principals. If the filter is incorrectly configured to exclude Service Principals, they will not be fetched during aggregation.
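Before importing a hand-edited Schema through the debug page, it is worth checking that the fragment is well-formed and internally consistent (the identity, display and description attributes must name attributes the schema actually defines, and the object type must be aggregated as a group). The script below is an added example and is not part of the thread or of SailPoint's own code; it takes the Schema posted above as a constructed input string and reports problems as a list, so it can be pointed at any application XML you are about to import. The expected attribute names and the multi-valued check for owners and appRoles are assumptions taken from the schema in this thread, not from SailPoint documentation.

```python
import xml.etree.ElementTree as ET

# Service Principal schema as posted in the thread, copied here as a constructed input string.
SP_SCHEMA_XML = """<Schema aggregationType="group" created="" descriptionAttribute="displayName" displayAttribute="displayName" id="" identityAttribute="objectId" nativeObjectType="servicePrincipal" objectType="servicePrincipal">
  <AttributeDefinition name="displayName" type="string">
    <Description>ServicePrincipal name</Description>
  </AttributeDefinition>
  <AttributeDefinition name="servicePrincipalType" type="string">
    <Description>ServicePrincipal type</Description>
  </AttributeDefinition>
  <AttributeDefinition name="objectId" type="string">
    <Description>ServicePrincipal ID</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="owners" type="string">
    <Description>ServicePrincipal Owners</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="appRoles" type="string">
    <Description>ServicePrincipal Roles</Description>
  </AttributeDefinition>
</Schema>"""

# Attribute names the thread's schema carries (assumption: treat all of them as required).
EXPECTED_ATTRIBUTES = {"displayName", "servicePrincipalType", "objectId", "owners", "appRoles"}
# Attributes the posted schema marks multi="true" (assumption based on the thread's snippet).
MULTI_VALUED = {"owners", "appRoles"}


def check_service_principal_schema(schema_xml: str) -> list:
    """Return a list of problems found in a <Schema> fragment; an empty list means it passed."""
    problems = []
    try:
        root = ET.fromstring(schema_xml)
    except ET.ParseError as exc:
        return [f"schema is not well-formed XML: {exc}"]
    if root.tag != "Schema":
        return [f"root element is <{root.tag}>, expected <Schema>"]

    # Object type attributes: both must say servicePrincipal, and aggregationType drives
    # which aggregation task (group vs. account) picks the object type up.
    for attr in ("objectType", "nativeObjectType"):
        if root.get(attr) != "servicePrincipal":
            problems.append(f"{attr} is '{root.get(attr)}', expected 'servicePrincipal'")
    if root.get("aggregationType") != "group":
        problems.append("aggregationType must be 'group' so the object type is fetched by group aggregation")

    # Collect the defined attributes and flag duplicates or unnamed definitions.
    defined = {}
    for ad in root.findall("AttributeDefinition"):
        name = ad.get("name")
        if not name:
            problems.append("AttributeDefinition without a name")
            continue
        if name in defined:
            problems.append(f"duplicate AttributeDefinition '{name}'")
        defined[name] = ad

    # identity/display/description attributes must point at a defined attribute.
    for role in ("identityAttribute", "displayAttribute", "descriptionAttribute"):
        ref = root.get(role)
        if not ref:
            problems.append(f"{role} is not set")
        elif ref not in defined:
            problems.append(f"{role} refers to '{ref}', which has no AttributeDefinition")

    # The identity attribute has to be single-valued to key an object.
    ident = root.get("identityAttribute")
    if ident in defined and defined[ident].get("multi") == "true":
        problems.append(f"identityAttribute '{ident}' must not be multi-valued")

    for name in sorted(EXPECTED_ATTRIBUTES - set(defined)):
        problems.append(f"missing AttributeDefinition '{name}'")
    for name in MULTI_VALUED:
        if name in defined and defined[name].get("multi") != "true":
            problems.append(f"'{name}' should be multi=\"true\"")
    # created="" and id="" are left empty in the posted snippet and are not checked here.
    return problems


def drop_attribute(schema_xml: str, name: str) -> str:
    """Return a copy of the schema with the named AttributeDefinition removed (used to exercise the check)."""
    root = ET.fromstring(schema_xml)
    for ad in list(root.findall("AttributeDefinition")):
        if ad.get("name") == name:
            root.remove(ad)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("posted schema:", check_service_principal_schema(SP_SCHEMA_XML) or "OK")
    print("without objectId:", check_service_principal_schema(drop_attribute(SP_SCHEMA_XML, "objectId")))
```

Run it as-is to see the posted schema pass and the variant with objectId removed fail on both the missing definition and the dangling identityAttribute reference.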

Hi @Arun-Kumar,

Thanks for helping with the details. I can now see the service principal object. However, when running the group aggregation, we are receiving an error. We have a customization rule in place for groups to fetch only the cloud-only group. I’m not sure if this is causing the error.

Exception during aggregation of Object Type Group on Application Azure_Test_APP. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: failed to lazily initialize a collection of role: sailpoint.object.Rule.referencedRules, could not initialize proxy - no Session

Could you please let me know how I can approach this situation?

Hi @deepakn ,

The error is being caused by the customization rule in place.

Hi @Arun-Kumar, can you please let me know how we can overcome this error? I want to filter out cloud-only groups and also get the service principals.

Hi @deepakn ,

Please provide the customization rule that you are using in the group aggregation. Additionally, are you using any group refresh rule?

@Arun-Kumar

if (null == object.getAttribute("dirSyncEnabled")) → Customization rule to fetch cloud-only groups.

Yes, we are using Group refresh rule also.

Hi @deepakn ,

Share the Group refresh rule as well.