cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP GRC 12.0 Access Control and Microsoft Entra ID Connectivity for user authentication

Y3Phad
Explorer

on ‎2024 Jul 03 10:54 PM

0 Kudos
1,408

Hello Everyone,

I would like to know if anyone has managed to connect SAP GRC 12.0 Access Control for S/4HANA to Microsoft Entra ID for user authentication for GRC guest user page. All the available documentations recommends On-premise Active directory via LDAP. However to be able to connect Entra ID makes the solution more sustainable.

I had raised a SAP Case and received a formal response that above Entra ID connectivity is possible but SAP officially yet to release help documentation for the same.

Any thoughts and guidance will help here.

Regards,

Yatin Phad

Labels

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
Sravan8
Newcomer
‎2024 Dec 12 10:22 PM
Please update thread if there is a way to establish Entra ID as user detail data source for SAP GRC AC (On-prim/Private cloud) without depending on additional services.

Accepted Solutions (0)

Answers (3)

Answers (3)

satyen_mehta
Discoverer
‎2025 Mar 05 10:43 PM
0 Kudos

Have you tried using Azure ADDS? Azure Active Directory Domain Services
AA DS can act as LDAP in GRC 12 to fill the user data from Microsoft Entra Directory. Currently we are using on premise Active Directory as LDAP and planning to switch to AADS.  We have replaced LDAP to point to AADS in other non-SAP systems successfully and hoping it will work for GRC 12.0 as well. I will let you know in few weeks if that works without any other middleware. 

Show replies
Show replies
satyen_mehta
Discoverer
‎2025 Mar 05 10:44 PM
0 Kudos
BTW this is for GRC user provisioning and not for authentication. For authentication we have adopted SAML where possible and SSO 3.0 for Windows GUI users using Microsoft Entra as IDP.
mgahealey-tk
Explorer
‎2024 Nov 22 11:01 AM
0 Kudos

Hello Yatin

Entra ID lead SSO is focussed on "browser based" services e.g. Fiori Launchpad, services in SICF etc. and tutorial below advises how to onboard SAP Netweaver / Fiori Launchpad / S/4HANA. Assuming your GRC 12.0 system is on-premise and only available within corporate VPN - the SSO will only work when users are accessing from within VPN - unless GRC 12.0 system is available from the Cloud.

Tutorial: Microsoft Entra single sign-on (SSO) integration with SAP NetWeaver - Microsoft Entra ID |...

Tutorial: Microsoft Entra single sign-on (SSO) integration with SAP HANA - Microsoft Entra ID | Micr...

Tutorial: Microsoft Entra single sign-on (SSO) integration with SAP Fiori - Microsoft Entra ID | Mic...

Alternatively use SAP Cloud Identity Services to managed SSO to SAP applications and delegate SSO to MS Entra ID as corporate IDP:

Create a New Application | SAP Help Portal

For a more complete solution with the ability to SSO to SAP GUI for Windows too - consider "SAP Secure Login Service for SAP GUI" too that is the successor tool to SAP SSO 3.0. This service uses SAP Cloud Identity Services to initiate SSO to on-premise SAP systems configured in SAP GUI for Windows.

Mike Healey

 

Kind regards

Mike

Show replies
Show replies
MichaelHealy779
Participant
‎2024 Jul 11 2:58 PM
0 Kudos

If you’re referring to SSO, then yes. It’s a simple SAML SSO config which is easily done. If you search for any SAP application SSO config on the MS site you’ll see plenty of documentation on this, I believe there are many blogs on it too. 

Show replies
Show replies
Y3Phad
Explorer
‎2024 Nov 27 10:47 AM
0 Kudos
Thank you for the response Michael, I have achieved the SSO functionality. But here I am referring on how we can use Entra ID to populate users details in the access request form. SAP is already offering LDAP interface to connect On-premise AD for the purpose but it is not available for Entra ID as intended.
MichaelHealy779
Participant
‎2024 Nov 27 11:12 AM
0 Kudos
You can use the Azure Sync to sync your Entra groups to an on prem LDAP group and then use the LDAP source to populate the IDs.
Y3Phad
Explorer
‎2024 Nov 27 1:06 PM
0 Kudos
Hello Michael, by doing Azure Sync to sync Entra groups to an on prem LDAP group and then use the LDAP source to populate is not needed, as On-premise AD is still the primary source and sync is occuring to Entra ID for users and groups. Are you aware of any direct connectivity between Entra ID and Access Control to fetch user information in the access request page 'User details' without involving On-prem AD.
MichaelHealy779
Participant
‎2024 Nov 27 1:11 PM
0 Kudos
If you already have this integration set up, then why do you want to link straight to Entra? There is no direct connection support that I am aware of with GRC. IAG may have something you could use but I highly doubt it
Ask a Question