Entra ID + SailPoint Integration Blueprint

Overview

Microsoft Entra ID (formerly Azure AD) and SailPoint are frequently deployed together, but Entra's growing governance capabilities create integration complexity. Entra now offers access reviews, entitlement management (access packages), and lifecycle workflows—features that overlap with SailPoint's core value proposition. The architecture decision isn't "which is better" but "which does what" for your enterprise.

The boundary question: Entra ID Governance is included in premium licenses many organizations already own. Should you use it, or stick with SailPoint for everything? The answer depends on scope, audit requirements, and operational maturity.

The recommended model:

Entra owns: Authentication, Conditional Access, SSO federation, Azure/M365-native governance
SailPoint owns: Enterprise-wide governance, cross-platform certification, complex approval workflows, audit evidence
Hybrid scenarios: Entra access packages for Azure-native resources; SailPoint for enterprise and cross-cloud

This blueprint documents how to integrate without creating duplicate governance processes or audit confusion.

Key Decisions

Decision	Options	Recommendation	Notes / Gotchas
Enterprise IGA platform	SailPoint only / Entra ID Governance only / Hybrid	Hybrid: SailPoint for enterprise; Entra for Azure-native	Pure Entra limits cross-cloud governance
Access packages	Disabled / Entra for Azure / Entra for all	Entra access packages for Azure-native resources only	Access packages and SailPoint roles can conflict
Access reviews	SailPoint / Entra / Both	SailPoint for enterprise; Entra acceptable for Azure-only resources	Avoid duplicate reviews on same resources
Lifecycle workflows	Entra / SailPoint	SailPoint for enterprise lifecycle; Entra for Azure-specific automation	Entra LCW is Azure-scoped
Group governance	Entra / SailPoint	SailPoint governs groups; Entra consumes for assignment	Groups are the integration point
Provisioning to Entra	SailPoint → Entra / HR → Entra directly	SailPoint provisions Entra accounts and groups	Maintains governance chain
Provisioning to M365 apps	Entra-native / SailPoint	Entra license assignment via SailPoint group membership	License groups managed by SailPoint

Function	SailPoint	Entra ID	Notes
Identity creation	✓ Primary	Receives from SailPoint	SailPoint provisions Entra accounts
Enterprise access requests	✓	-	All requests through SailPoint
Azure-specific requests	✓ (preferred) or Entra	Access packages (bounded)	Avoid duplication
Enterprise certifications	✓	-	SailPoint certifies all enterprise access
Azure-only certifications	✓ (preferred) or Entra	Access reviews (bounded)	Single certification system preferred
Group governance	✓	Consumes groups	SailPoint manages; Entra assigns
Conditional Access	-	✓	Entra owns authentication policy
PIM for Azure RBAC	-	✓	Entra PIM for Azure admin roles
License assignment	✓ (via groups)	Consumes groups	License groups managed by SailPoint
Lifecycle workflows	✓	Limited Azure use	SailPoint for enterprise lifecycle

Inventory current Entra ID Governance usage (access packages, reviews, PIM)
Document SailPoint governance scope
Identify overlap (resources governed by both)
Assess licensing (what Entra capabilities are available)
Map audit requirements by compliance framework

Outputs: Current-state map, overlap analysis, licensing assessment

Phase 1: Boundary Design (2-3 weeks)

Inputs: Discovery outputs, business requirements Activities:

Define governance ownership per resource type
Define access package scope (if used)
Define certification ownership
Design group governance model
Document exceptions and rationale

Outputs: Integration boundary document, responsibility matrix

Phase 2: Integration Build (4-6 weeks)

Inputs: Boundary design, API access Activities:

Configure SailPoint → Entra ID connector (SCIM/Graph)
Configure group synchronization
Configure license group management
Disable/limit Entra governance features that conflict
Configure PIM integration (if SailPoint governs PIM assignments)
Configure audit forwarding to SIEM

Outputs: Integrated platforms, clear governance boundaries

Phase 3: Validation & Rollout (3-4 weeks)

Inputs: Integrated platforms, test users Activities:

Test end-to-end lifecycle (hire, role change, termination)
Test access request and approval flow
Test certification campaigns
Validate audit evidence trail
Pilot with limited population

Outputs: Validated integration, pilot results

Phase 4: Operate (Ongoing)

Activities:

Monitor provisioning and governance health
Review boundary exceptions quarterly
Update integration as Microsoft capabilities evolve
Consolidate duplicate governance where found

Deliverables

Integration boundary matrix — who governs what, with rationale
Provisioning architecture — SailPoint → Entra data flow
Group governance model — how groups are managed and consumed
Access package policy — when/how Entra access packages are used (if at all)
Certification strategy — which system certifies which resources
Audit correlation guide — how to trace access across systems

Risks & Failure Modes

Risk	Likelihood	Impact	Early Signals	Mitigation
Duplicate governance	H	H	Same resources reviewed in both systems	Clear boundary; disable conflicting features
Access package sprawl	M	M	Many access packages; unclear ownership	Limit scope; require justification
Microsoft feature creep	M	M	New Entra features enabled without coordination	Change management; boundary review
Audit confusion	M	M	Auditors don't know which system is authoritative	Single audit narrative; SIEM correlation
Group sync failures	M	H	Access not granted/removed	Monitoring; retry logic; alerting
Licensing mismatch	L	M	Entra governance features unavailable	License assessment in discovery

KPIs / Outcomes

Provisioning success rate: % of SailPoint → Entra provisioning successful (target: greater than 99%)
Governance boundary compliance: % of resources following defined governance ownership (target: 100%)
Certification completion: % of certifications completed on time (target: greater than 95%)
Duplicate governance incidents: Count of resources reviewed by both systems (target: 0)
Audit evidence completeness: % of access traceable in designated governance system (target: 100%)

Workshop Questions

Security / IAM

What Entra ID Governance features are currently in use (access packages, access reviews, PIM)?
What's the appetite for Entra governance vs. SailPoint-only for Azure resources?
What audit requirements exist that might drive the governance boundary?

IT / Microsoft Team

What Entra ID license level is deployed (P1, P2, Governance)?
How are Conditional Access policies managed?
What's the current PIM configuration for Azure RBAC?

Governance / Compliance

Do auditors expect a single governance system or can they accept hybrid?
What certification evidence format is required?
How are M365 licenses assigned and reviewed today?

Requirements Gathering Checklist

What Entra ID license level is deployed (P1, P2, Governance)?
What Entra ID Governance features are currently used (access packages, reviews, PIM, lifecycle workflows)?
What's the governance boundary—SailPoint for all vs. hybrid?
How are Entra ID groups managed today (SailPoint, Entra, manual)?
How are M365 licenses assigned (license groups, direct assignment)?
What's the PIM strategy for Azure RBAC roles?
What audit evidence is required and which system provides it?
What access package scope is acceptable (Azure-only, broader)?
How will certifications be coordinated to avoid duplication?
What's the provisioning flow—SailPoint → Entra or HR → Entra?
How will the integration be monitored for failures?
What's the change management process when Microsoft adds new governance features?

Entra ID + SailPoint Integration Blueprint

Overview

Key Decisions

Architecture & Reference Patterns

Pattern 1: SailPoint as Enterprise Governance Hub

Pattern 2: Hybrid with Bounded Entra ID Governance

Integration Boundary Matrix

Access Package Governance Pattern (When Used)

Implementation Approach

Phase 0: Discovery (2-3 weeks)