
Azure AD Connector - Enterprise Application Entitlements Filtering

jasonb
New Contributor III

I am trying to use Saviynt to manage access to Enterprise Applications that have been registered with our Azure AD tenant.  

I've configured our connector Import Config to grab application data:

{
  "importEntTypes": {
    "AADGroup": {},
    "DirectoryRole": {},
    "DirectoryRoleMember": {},
    "Subscription": {},
    "MemberPermission": {},
    "GuestPermission": {},
    "SKU": {}
  },
  "excludeEntTypes": {
    "ApplicationInstance": {},
    "InterAppOauthPermissions": {},
    "Application": {},
    "ServicePlans": {},
    "Team": {},
    "Channel": {}
  }
}

This successfully brought down the entitlement roles for my test enterprise application in Azure. However, it linked the roles to the Security System endpoint rather than my TestApplication endpoint:

How can I filter these entitlements so that they are assigned to the correct Endpoint?

Is there any documentation on how to do more advanced tasks like this via the Azure connector?

jasonb
New Contributor III

Well, I partially answered my own question.

I set "CREATE_NEW_ENDPOINTS" on the OOB AzureAD Connector to "Yes".  This aligned my AppRole entitlements to a new Security System and Endpoint. It also aligned the users to the entitlements. Great.

Unfortunately, it also created about 400 new Security Systems and Endpoints associated with Azure.

rushikeshvartak
All-Star

CREATE_NEW_ENDPOINTS should be NO in Azure connection


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

If CREATE_NEW_ENDPOINTS = NO in Azure Connection, how do I sync my Azure AD enterprise applications and role entitlements correctly?

Dhruv_S
Saviynt Employee

Hi @jasonb 

If CREATE_NEW_ENDPOINTS = NO in Azure Connection, it will not create endpoints in EIC for each application hosted on Azure AD cloud as different endpoints.

Are you facing any issue post doing this config? Please also share the log snippet if you are facing any issue.

Regards,

Dhruv Sharma

Dhruv_S
Saviynt Employee

Hi @jasonb 

Could you please confirm if you are still facing the above issue with the Entitlement import through Azure connector?

Regards,

Dhruv Sharma

jasonb
New Contributor III

Hi Dhruv_Sharma -

Yes, I'm still uncertain how to resolve this issue.

In our test environment I set our Azure Connection's CREATE_NEW_ENDPOINTS = YES. This created endpoints and entitlements for all of our Azure Enterprise Applications, but also created about 500 junk enterprise application Endpoints.

From the response above, I should have left CREATE_NEW_ENDPOINTS = NO in Azure Connection. But if I do that, how do I sync my Azure Enterprise Applications as Endpoints and get the corresponding Enterprise Application Roles?

Are you looking to pull certain enterprise applications only? If yes, it's not supported.

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Hi @jasonb 

Entitlements are imported to the endpoint which you will select in the job. 

For other questions related to bringing in Azure management groups and subscriptions, please refer to the post below, which has more details.

Re: Azure Connector - Saviynt Forums - 53933

Regards,

Dhruv Sharma


@rushikeshvartak wrote:

Are you looking to pull certain enterprise applications only? If yes, it's not supported.


Yes, it was my hope to avoid pulling in the 500 random Microsoft services that get pulled in as Endpoints when you allow CREATE_NEW_ENDPOINTS = YES.