|
| 1 | +--- |
| 2 | +title: Manage access to your SAP applications |
| 3 | +description: Manage access to your SAP applications. Bring identities from SAP SuccessFactors into Azure AD and provision access to SAP ECC, SAP S/4 Hana, and other SAP applications. |
| 4 | +services: active-directory |
| 5 | +documentationcenter: '' |
| 6 | +author: amsliu |
| 7 | +manager: amycolannino |
| 8 | +editor: markwahl-msft |
| 9 | +ms.service: active-directory |
| 10 | +ms.workload: identity |
| 11 | +ms.tgt_pltfrm: na |
| 12 | +ms.topic: conceptual |
| 13 | +ms.subservice: compliance |
| 14 | +ms.date: 5/12/2023 |
| 15 | +ms.author: amsliu |
| 16 | +ms.reviewer: markwahl-msft |
| 17 | +ms.collection: M365-identity-device-management |
| 18 | +--- |
| 19 | + |
| 20 | +# Manage access to your SAP applications |
| 21 | + |
| 22 | + |
| 23 | +SAP likely runs critical functions such as HR and ERP for your business. At the same time, your business relies on Microsoft for various Azure services, Microsoft 365, and Entra Identity Governance for managing access to applications. This document describes how you can use Entra Identity Governance to manage identities across your SAP applications. |
| 24 | + |
| 25 | + |
| 26 | + |
| 27 | + |
| 28 | +## Bring identities from HR into Azure AD |
| 29 | + |
| 30 | +#### SuccessFactors |
| 31 | +Customers using SAP SuccessFactors can easily bring identities into [Azure AD](../../active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md) or [Active Directory](../../active-directory/saas-apps/sap-successfactors-inbound-provisioning-tutorial.md) using native connectors. The connectors support the following scenarios: |
| 32 | +* **Hiring new employees** - When a new employee is added to SuccessFactors, a user account is automatically created in Azure Active Directory and optionally Microsoft 365 and [other SaaS applications supported by Azure AD](../../active-directory/app-provisioning/user-provisioning.md), with write-back of the email address to SuccessFactors. |
| 33 | +* **Employee attribute and profile updates** - When an employee record is updated in SuccessFactors (such as their name, title, or manager), their user account will be automatically updated Azure Active Directory and optionally Microsoft 365 and [other SaaS applications supported by Azure AD](../../active-directory/app-provisioning/user-provisioning.md). |
| 34 | +* **Employee terminations** - When an employee is terminated in SuccessFactors, their user account is automatically disabled in Azure Active Directory and optionally Microsoft 365 and other SaaS applications supported by Azure AD. |
| 35 | +* **Employee rehires** - When an employee is rehired in SuccessFactors, their old account can be automatically reactivated or re-provisioned (depending on your preference) to Azure Active Directory and optionally Microsoft 365 and other SaaS applications supported by Azure AD. |
| 36 | + |
| 37 | +> [!VIDEO https://www.youtube-nocookie.com/embed/66v2FR2-QrY] |
| 38 | + |
| 39 | +#### SAP HCM |
| 40 | +Customers that are still using SAP HCM can also bring identities into Azure AD. Using the SAP Integration Suite, you can synchronize identities between SAP HCM and SAP SuccessFactors. From there, you can bring identities directly into Azure AD or provisioning them into Active Directory Domain Services, using the native provisioning integrations mentioned above. |
| 41 | + |
| 42 | + |
| 43 | + |
| 44 | +## Provision identities into modern SAP applications. |
| 45 | +Once your users are in Azure Active Directory, you can provision accounts into the various SaaS and on-premises SAP applications that they need access to. You've three ways to accomplish this. |
| 46 | +* **Option 1:** Use the enterprise application in Azure AD to configure both SSO and provisioning to SAP applications such as [SAP analytics cloud](../../active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial.md). With this option, you can apply a consistent set of governance processes across all your applications. |
| 47 | +* **Option 2:** Use the [SAP IAS](../../active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) enterprise application in Azure AD to provision identities into SAP IAS. Once you bring all the identities into SAP IAS, you can use SAP IPS to provision the accounts from SAP IAS into the application when required. |
| 48 | +* **Option 3:** Use the [SAP IPS](https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/f2b2df8a273642a1bf801e99ecc4a043.html) integration to directly export identities from Azure AD into your [application](https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/ab3f641552464c79b94d10b9205fd721.html). When using SAP IPS to pull users into your applications, all provisioning configuration is managed in SAP directly. You can still use the enterprise application in Azure AD to manage single sign-on and use [Azure AD as the corporate identity provider](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/058c7b14209f4f2d8de039da4330a1c1.html). |
| 49 | + |
| 50 | +## Provision identities into on-premises SAP systems such as SAP ECC that aren't supported by SAP IPS |
| 51 | + |
| 52 | +Customers who have yet to transition from applications such as SAP ECC to SAP S/4 Hana can still rely on the Azure AD provisioning service to provision user accounts. Within SAP ECC, you'll expose the necessary BAPIs for creating, updating, and deleting users. Within Azure AD, you have two options: |
| 53 | +* **Option 1:** Use the lightweight Azure AD provisioning agent and web services connector to provision users into apps such as SAP ECC. |
| 54 | +* **Option 2:** In scenarios where you need to do more complex group and role management, use the [Microsoft Identity Manager](https://learn.microsoft.com/microsoft-identity-manager/reference/microsoft-identity-manager-2016-ma-ws) to manage access to your legacy SAP applications. |
| 55 | + |
| 56 | +## SSO, workflows, and separation of duties |
| 57 | +In addition to the native provisioning integrations that allow you to manage access to your SAP applications, Azure AD supports a rich set of integrations with SAP. |
| 58 | +* SSO: Once you’ve setup provisioning for your SAP application, you’ll want to enable single sign-on for those applications. Azure AD can serve as the identity provider and server as the authentication authority for your SAP applications. Learn more about how you can [configure Azure AD as the corporate identity provider for your SAP applications](https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/058c7b14209f4f2d8de039da4330a1c1.html). |
| 59 | +Custom workflows: When a new employee is hired in your organization, you may need to trigger a workflow within your SAP server. |
| 60 | +* Using the [Entra Identity Governance Lifecycle Workflows](lifecycle-workflow-extensibility.md) in conjunction with the [SAP connector in Azure Logic apps](https://learn.microsoft.com/azure/logic-apps/logic-apps-using-sap-connector), you can trigger custom actions in SAP upon hiring a new employee. |
| 61 | +* Separation of duties: With separation of duties checks now available in preview in Azure AD [entitlement management](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/ensure-compliance-using-separation-of-duties-checks-in-access/ba-p/2466939), customers can now ensure that users don't take on excessive access rights. Admins and access managers can prevent users from requesting additional access packages if they’re already assigned to other access packages or are a member of other groups that are incompatible with the requested access. Enterprises with critical regulatory requirements for SAP apps will have a single consistent view of access controls and enforce separation of duties checks across their financial and other business critical applications and Azure AD-integrated applications. With our [Pathlock](https://pathlock.com/), integration customers can leverage fine-grained separation of duties checks with access packages in Azure AD, and over time will help customers to address Sarbanes Oxley and other compliance requirements. |
| 62 | + |
| 63 | +## Next steps |
| 64 | + |
| 65 | +- [Bring identities from SAP SuccessFactors into Azure AD](../../active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md) |
| 66 | +- [Provision accounts in SAP IAS](../../active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) |
| 67 | + |
| 68 | + |
| 69 | + |
| 70 | + |
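Review bot: The list under "SSO, workflows, and separation of duties" is malformed: "Custom workflows:" on file line 59 has no `*` marker, so it renders as a continuation of the SSO bullet, and the sentence that belongs to it sits in a separate bullet on line 60. Merge lines 59 and 60 into a single `* Custom workflows: ...` item. In the same section, line 58 reads "serve as the identity provider and server as the authentication authority" ("server" should be "serve", or the duplicated clause dropped), and line 61 has a misplaced comma in "With our [Pathlock](https://pathlock.com/), integration customers". Elsewhere: line 33 is missing "in" ("automatically updated Azure Active Directory"), line 40 says "or provisioning them" where "provision them" is meant, and the heading on line 44 ends with a period. Line 52 tells readers to expose the BAPIs for creating, updating, and deleting users but says nothing about restricting who can call them; a sentence or link on scoping the account used by the provisioning agent would help readers apply least privilege.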