Overview
Microsoft Entra ID (formerly Azure AD) and SailPoint are frequently deployed together, but Entra's growing governance capabilities create integration complexity. Entra now offers access reviews, entitlement management (access packages), and lifecycle workflows—features that overlap with SailPoint's core value proposition. The architecture decision isn't "which is better" but "which does what" for your enterprise.
The boundary question: Entra ID Governance is included in premium licenses many organizations already own. Should you use it, or stick with SailPoint for everything? The answer depends on scope, audit requirements, and operational maturity.
The recommended model:
- Entra owns: Authentication, Conditional Access, SSO federation, Azure/M365-native governance
- SailPoint owns: Enterprise-wide governance, cross-platform certification, complex approval workflows, audit evidence
- Hybrid scenarios: Entra access packages for Azure-native resources; SailPoint for enterprise and cross-cloud
This blueprint documents how to integrate without creating duplicate governance processes or audit confusion.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Enterprise IGA platform | SailPoint only / Entra ID Governance only / Hybrid | Hybrid: SailPoint for enterprise; Entra for Azure-native | Pure Entra limits cross-cloud governance |
| Access packages | Disabled / Entra for Azure / Entra for all | Entra access packages for Azure-native resources only | Access packages and SailPoint roles can conflict |
| Access reviews | SailPoint / Entra / Both | SailPoint for enterprise; Entra acceptable for Azure-only resources | Avoid duplicate reviews on same resources |
| Lifecycle workflows | Entra / SailPoint | SailPoint for enterprise lifecycle; Entra for Azure-specific automation | Entra LCW is Azure-scoped |
| Group governance | Entra / SailPoint | SailPoint governs groups; Entra consumes for assignment | Groups are the integration point |
| Provisioning to Entra | SailPoint → Entra / HR → Entra directly | SailPoint provisions Entra accounts and groups | Maintains governance chain |
| Provisioning to M365 apps | Entra-native / SailPoint | Entra license assignment via SailPoint group membership | License groups managed by SailPoint |
Architecture & Reference Patterns
Pattern 1: SailPoint as Enterprise Governance Hub
Pattern 2: Hybrid with Bounded Entra ID Governance
Integration Boundary Matrix
| Function | SailPoint | Entra ID | Notes |
|---|---|---|---|
| Identity creation | ✓ Primary | Receives from SailPoint | SailPoint provisions Entra accounts |
| Enterprise access requests | ✓ | - | All requests through SailPoint |
| Azure-specific requests | ✓ (preferred) or Entra | Access packages (bounded) | Avoid duplication |
| Enterprise certifications | ✓ | - | SailPoint certifies all enterprise access |
| Azure-only certifications | ✓ (preferred) or Entra | Access reviews (bounded) | Single certification system preferred |
| Group governance | ✓ | Consumes groups | SailPoint manages; Entra assigns |
| Conditional Access | - | ✓ | Entra owns authentication policy |
| PIM for Azure RBAC | - | ✓ | Entra PIM for Azure admin roles |
| License assignment | ✓ (via groups) | Consumes groups | License groups managed by SailPoint |
| Lifecycle workflows | ✓ | Limited Azure use | SailPoint for enterprise lifecycle |
Access Package Governance Pattern (When Used)
Implementation Approach
Phase 0: Discovery (2-3 weeks)
Inputs: Current Entra config, current SailPoint config, governance requirements
Activities:
- Inventory current Entra ID Governance usage (access packages, reviews, PIM)
- Document SailPoint governance scope
- Identify overlap (resources governed by both)
- Assess licensing (what Entra capabilities are available)
- Map audit requirements by compliance framework
Outputs: Current-state map, overlap analysis, licensing assessment
Phase 1: Boundary Design (2-3 weeks)
Inputs: Discovery outputs, business requirements
Activities:
- Define governance ownership per resource type
- Define access package scope (if used)
- Define certification ownership
- Design group governance model
- Document exceptions and rationale
Outputs: Integration boundary document, responsibility matrix
Phase 2: Integration Build (4-6 weeks)
Inputs: Boundary design, API access
Activities:
- Configure SailPoint → Entra ID connector (SCIM/Graph)
- Configure group synchronization
- Configure license group management
- Disable/limit Entra governance features that conflict
- Configure PIM integration (if SailPoint governs PIM assignments)
- Configure audit forwarding to SIEM
Outputs: Integrated platforms, clear governance boundaries
Phase 3: Validation & Rollout (3-4 weeks)
Inputs: Integrated platforms, test users
Activities:
- Test end-to-end lifecycle (hire, role change, termination)
- Test access request and approval flow
- Test certification campaigns
- Validate audit evidence trail
- Pilot with limited population
Outputs: Validated integration, pilot results
Phase 4: Operate (Ongoing)
Activities:
- Monitor provisioning and governance health
- Review boundary exceptions quarterly
- Update integration as Microsoft capabilities evolve
- Consolidate duplicate governance where found
Deliverables
- Integration boundary matrix — who governs what, with rationale
- Provisioning architecture — SailPoint → Entra data flow
- Group governance model — how groups are managed and consumed
- Access package policy — when/how Entra access packages are used (if at all)
- Certification strategy — which system certifies which resources
- Audit correlation guide — how to trace access across systems
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Duplicate governance | H | H | Same resources reviewed in both systems | Clear boundary; disable conflicting features |
| Access package sprawl | M | M | Many access packages; unclear ownership | Limit scope; require justification |
| Microsoft feature creep | M | M | New Entra features enabled without coordination | Change management; boundary review |
| Audit confusion | M | M | Auditors don't know which system is authoritative | Single audit narrative; SIEM correlation |
| Group sync failures | M | H | Access not granted/removed | Monitoring; retry logic; alerting |
| Licensing mismatch | L | M | Entra governance features unavailable | License assessment in discovery |
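The "Group sync failures" early signal above and the audit correlation guide deliverable both come down to the same check: join what SailPoint asked Entra to do against what the Entra directory audit log says happened. This is an added example, not code from the blueprint, SailPoint or Microsoft; both event feeds are constructed samples in a simplified, assumed field layout (real exports would be normalized in the SIEM first), and `sailpoint-svc` is a placeholder for the connector's service account.

```python
"""Correlate SailPoint provisioning events with Entra ID audit entries.
Added example, not part of the blueprint or either product. Both feeds are
constructed samples in a simplified, assumed shape; in practice they come
from the SIEM that receives both audit streams."""
from datetime import datetime, timedelta
# Constructed: changes SailPoint sent to Entra through the connector.
SAILPOINT_EVENTS = [
    {"id": "sp-1", "time": "2024-05-01T09:00:00", "action": "addGroupMember",
     "user": "alice@example.com", "group": "Finance-Readers"},
    {"id": "sp-2", "time": "2024-05-01T09:05:00", "action": "removeGroupMember",
     "user": "bob@example.com", "group": "Finance-Readers"},
    {"id": "sp-3", "time": "2024-05-01T09:10:00", "action": "addGroupMember",
     "user": "carol@example.com", "group": "HR-Admins"},
]
# Constructed: what the Entra directory audit log recorded for the same period.
ENTRA_AUDIT = [
    {"time": "2024-05-01T09:00:40", "activity": "Add member to group",
     "initiatedBy": "sailpoint-svc", "user": "alice@example.com", "group": "Finance-Readers"},
    {"time": "2024-05-01T09:11:00", "activity": "Add member to group",
     "initiatedBy": "jdoe@example.com", "user": "carol@example.com", "group": "HR-Admins"},
]
# Map each SailPoint action to the Entra audit activity that should follow it.
ACTIVITY = {"addGroupMember": "Add member to group",
            "removeGroupMember": "Remove member from group"}

def correlate(sp_events, audit, connector_account, window=timedelta(minutes=5)):
    """Classify each SailPoint change: confirmed (seen in Entra, made by the
    connector account, inside the window), unconfirmed (nothing in Entra, so a
    candidate group-sync failure) or out_of_band (same change, but made by a
    different principal, so the SailPoint governance chain was bypassed)."""
    confirmed, unconfirmed, out_of_band = [], [], []
    for ev in sp_events:
        t0 = datetime.fromisoformat(ev["time"])
        matches = [a for a in audit
                   if a["activity"] == ACTIVITY[ev["action"]]
                   and a["user"] == ev["user"] and a["group"] == ev["group"]
                   and t0 <= datetime.fromisoformat(a["time"]) <= t0 + window]
        if any(m["initiatedBy"] == connector_account for m in matches):
            confirmed.append(ev["id"])
        elif matches:
            out_of_band.append(ev["id"])
        else:
            unconfirmed.append(ev["id"])
    return confirmed, unconfirmed, out_of_band

def provisioning_success_rate(sp_events, audit, connector_account):
    """Share of SailPoint changes confirmed in Entra; feeds the alerting threshold."""
    confirmed, _, _ = correlate(sp_events, audit, connector_account)
    return len(confirmed) / len(sp_events) if sp_events else 1.0
```

Run against the constructed feeds, `sp-2` surfaces as the sync failure to alert on and `sp-3` as a change made outside the governed path, which is the boundary-compliance finding the audit correlation guide needs to explain.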
KPIs / Outcomes
- Provisioning success rate: % of SailPoint → Entra provisioning successful (target: greater than 99%)
- Governance boundary compliance: % of resources following defined governance ownership (target: 100%)
- Certification completion: % of certifications completed on time (target: greater than 95%)
- Duplicate governance incidents: Count of resources reviewed by both systems (target: 0)
- Audit evidence completeness: % of access traceable in designated governance system (target: 100%)
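The Phase 0 "identify overlap" activity and the duplicate-governance and boundary-compliance KPIs above can be computed from two inventories: what Entra ID Governance reviews or assigns, and what SailPoint certifies. The following is an added example, not the blueprint's or either vendor's code; the inventories are constructed and simplified (each Entra item is reduced to the object ID of the group it reviews or its access package assigns, group IDs are placeholders), and `ENTRA_EXCEPTIONS` stands in for the documented exceptions from the integration boundary document.

```python
"""Overlap analysis for the Entra ID / SailPoint governance boundary.
Added example, not part of the blueprint or either vendor's tooling. Both
inventories are constructed and simplified; object IDs are placeholders."""
from collections import defaultdict

# Constructed Entra ID Governance inventory: access reviews and packages by group.
ENTRA_GOVERNANCE = [
    {"kind": "accessReview", "name": "Quarterly review: Finance-Readers",
     "groupId": "00000000-0000-0000-0000-000000000001"},
    {"kind": "accessPackage", "name": "Azure Dev Subscription",
     "groupId": "00000000-0000-0000-0000-000000000002"},
    {"kind": "accessReview", "name": "Guest review: Partner-Portal",
     "groupId": "00000000-0000-0000-0000-000000000003"},
]
# Constructed SailPoint certification scope: group object ID -> group name.
SAILPOINT_CERTIFIED = {
    "00000000-0000-0000-0000-000000000001": "Finance-Readers",
    "00000000-0000-0000-0000-000000000002": "Azure-Dev-Contributors",
    "00000000-0000-0000-0000-000000000003": "Partner-Portal",
    "00000000-0000-0000-0000-000000000004": "HR-Admins",
}
# Groups the boundary design documents as Entra-governed (Azure-native resources).
ENTRA_EXCEPTIONS = {"00000000-0000-0000-0000-000000000002"}

def find_duplicate_governance(entra, sailpoint, exceptions):
    """Return {groupId: [Entra items]} for groups governed in both systems
    without a documented boundary exception (the duplicate-governance KPI)."""
    dupes = defaultdict(list)
    for item in entra:
        gid = item["groupId"]
        if gid in sailpoint and gid not in exceptions:
            dupes[gid].append(f'{item["kind"]}: {item["name"]}')
    return dict(dupes)

def boundary_compliance(entra, sailpoint, exceptions):
    """Share of governed groups (either system) with exactly one owner (0..1)."""
    governed = {i["groupId"] for i in entra} | set(sailpoint)
    if not governed:
        return 1.0
    dupes = find_duplicate_governance(entra, sailpoint, exceptions)
    return 1 - len(dupes) / len(governed)

if __name__ == "__main__":
    args = (ENTRA_GOVERNANCE, SAILPOINT_CERTIFIED, ENTRA_EXCEPTIONS)
    for gid, items in find_duplicate_governance(*args).items():
        print(f"DUPLICATE {SAILPOINT_CERTIFIED[gid]} ({gid}): {'; '.join(items)}")
    print(f"boundary compliance: {boundary_compliance(*args):.0%}")
```

The two flagged groups are exactly the "same resources reviewed in both systems" signal from the risk table; the access package on group 2 is not flagged because the boundary document lists it as an Entra-governed exception.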
Workshop Questions
Security / IAM
- What Entra ID Governance features are currently in use (access packages, access reviews, PIM)?
- What's the appetite for Entra governance vs. SailPoint-only for Azure resources?
- What audit requirements exist that might drive the governance boundary?
IT / Microsoft Team
- What Entra ID license level is deployed (P1, P2, Governance)?
- How are Conditional Access policies managed?
- What's the current PIM configuration for Azure RBAC?
Governance / Compliance
- Do auditors expect a single governance system or can they accept hybrid?
- What certification evidence format is required?
- How are M365 licenses assigned and reviewed today?
Requirements Gathering Checklist
- What Entra ID license level is deployed (P1, P2, Governance)?
- What Entra ID Governance features are currently used (access packages, reviews, PIM, lifecycle workflows)?
- What's the governance boundary—SailPoint for all vs. hybrid?
- How are Entra ID groups managed today (SailPoint, Entra, manual)?
- How are M365 licenses assigned (license groups, direct assignment)?
- What's the PIM strategy for Azure RBAC roles?
- What audit evidence is required and which system provides it?
- What access package scope is acceptable (Azure-only, broader)?
- How will certifications be coordinated to avoid duplication?
- What's the provisioning flow—SailPoint → Entra or HR → Entra?
- How will the integration be monitored for failures?
- What's the change management process when Microsoft adds new governance features?
