Microsoft Entra ID Integration for SaaS Discovery
Set up an integration with Microsoft Entra ID to streamline the discovery of your SaaS applications.
Overview
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:
- External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- Internal resources, such as apps on your corporate network and intranet, and any cloud apps your organization developed.
Integration Details
Integration Categories | Authentication Mechanism | Supported Regions | API Endpoints Used |
---|---|---|---|
Single Sign-On Systems (SSO) | REST API - OAuth | Global China | For API authentication: /<tenantID>/oauth2/v2.0/token For SaaS discovery: /servicePrincipals |
Implementation Details
The process involves querying the Microsoft Graph API's servicePrincipal endpoint with specific filters applied:
servicePrincipalType eq 'Application'
(servicePrincipalType must be 'Application')accountEnabled eq true
(accountEnabled must be true)
SAP LeanIX excludes applications that lack defined oauth2PermissionScopes
. This approach, using servicePrincipals instead of the application endpoint, allows us to manage access to applications across different tenants, extending beyond those solely within our current tenant. For a detailed guide on discovering and managing service principals and applications, see Microsoft's documentation Application and Service Principal Objects.
SAP LeanIX integration supports two regions - Global and China, with API calls directed to different URLs depending on the region.
Authorization and permissions are managed using OAuth 2.0 client credentials grant flow, as outlined in OAuth 2.0 Client Credentials Grant Flow. The required scope for API access is specified by .default
within the https://graph.microsoft.com/
resource.
For information on managing permissions and consent for the applications, see Permissions and Consent Overview. Additionally, for details on handling national cloud deployments, including URIs specific to national clouds, see Authentication for National Clouds. This comprehensive approach ensures secure and scalable management of SaaS applications across different environments and regions.
If you want to cross-check the discovered services, you can do so by navigating to Enterprise applications | All applications. Then, apply filters Application type == All Applications and Application status == Enabled.
SaaS Discovery with Entra ID
With Entra ID integration, SAP LeanIX identifies services for SaaS discovery by reading servicePrincipal, which are visible under the Enterprise Registration blade in Azure Active Directory (AAD). For SaaS identification, SAP LeanIX relies on the Gallery Template used, specifically the ID of the underlying application (Application IDs). Additionally, SAP LeanIX collects the unique identifiers (External IDs) and names (External names) of the applications, although detection is not based on these collected attributes. External IDs and external names are used to detect multiple instances of SaaS. For more information, see Detecting Multiple Instances of SaaS.
Note
SAP LeanIX does not collect any login or user data, ensuring compliance with data privacy regulations.
Set up Microsoft Entra ID
Register a new application in Microsoft Entra ID
- Based on the region which you want to connect, sign in to the Global Azure portal or China Azure portal. Use the Azure administrator account that is also a member of the Global Administrator directory role in your Microsoft Entra ID tenant.
- On the left navigation pane, click Microsoft Entra ID.
-
On the Microsoft Entra ID page, click App registrations.
-
On the App registrations page, in the toolbar on the top, click New registration.
-
Register an application page opens, perform the following steps:
- Enter a name for the integration.
- Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
- Click Register at the bottom of the screen.
Grant permissions to the application
-
Now that we have the application we need to grant permissions, in the left menu click API permissions.
-
Click the Add a permission button.
-
The new configuration panel Request API permissions will display on the right, select the Microsoft Graph API, pick Application permissions, and search for Application.Read.All.
-
Click on the Add permissions button at the bottom to assign permission to the SAP LeanIX application.
-
Click on the Grant admin consent for Default Directory button to enable configured permissions for the application
- Next, click Yes to grant consent for the requested permissions.
- The permission status indicator in the API permissions page will change to approved.
Gather configuration settings
-
Return to the application overview section (App Registrations > click on created app) from where you will need to grab the following identifiers: Application (client) ID and Directory (tenant) ID.
-
In the left menu, navigate to Certificates & secrets to generate a client secret, also called the application password.
-
Click on the New client secret button to create a new password.
-
Optionally, enter a description for the client secret.
-
Select the expiration length of the secret. Once the expiration date of the created client secret is reached, you will have to create a new one and reconfigure the integration in the SAP LeanIX application.
-
Click Add
-
-
Copy the Secret Value to your clipboard.
Store the secret value
Please make a note of the client secret value as soon as it is revealed. It will be masked when you navigate away from the Certificates & secrets panel.
This value needs to be added to SAP LeanIX under Client Secret.
Pass configuration values to the SAP LeanIX app
-
Proceed to SAP LeanIX and input the credentials you have generated on the Azure Admin Portal.
-
Click Finish and wait for the connection to be established.
Updated about 1 month ago