ROHITGERA1

(A Complete Step-by-Step Guide)

Hi Folks,

After extensive analysis and hands-on troubleshooting with user provisioning in SAP Cloud Identity Services, I decided to document the entire process. My goal is to help others quickly and smoothly integrate Microsoft Entra ID (formerly Azure Active Directory) with SAP Cloud Identity Services.

If you are planning to onboard corporate users into SAP’s Identity Authentication Service (IAS) using Identity Provisioning Service (IPS), this guide will save you hours of effort.

 

Requirement

  1. Sync all corporate users from Microsoft Entra ID into SAP Cloud Identity Services (CIS).
    These users already exist in Entra ID and need to be replicated to IAS.

  2. Avoid manual user creation in IAS.
    By configuring IPS, we can schedule daily jobs to automatically sync new or updated users.

  3. Use the synced users in SAP BTP applications
    (especially those using CIS for authentication) to assign roles, groups, and access for our SAP Build Work Zone.

 

Analysis

After diving deep into SAP Help documentation and performing several tests, I consolidated the exact approach that fulfills the requirement. The complete activity consists of five main steps.

 

Five-Step Integration Process

Step 1: Perform App Registration in Microsoft Entra ID

This activity is typically handled by the Azure team.
Refer to SAP Help documentation for detailed instructions:
Microsoft Entra ID Integration
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/microsoft-entra-id

Once App Registration is complete, the Azure team will share the following information:

  • Application ID

  • Directory Tenant ID

  • Object ID

  • Client Secret Value

  • Client Secret ID

  • aad.domain.name

These parameters will be used in the Source System configuration of Identity Provisioning Service (IPS).

 

Step 2: Configure Microsoft Entra ID as a Source System in IPS

Follow the SAP Help documentation:
Microsoft Entra ID – Source System Configuration
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/microsoft-entra-id

The screenshot below shows the Source System:

Microsoft Entra ID as Source System in IPS.jpg

Below is an example of mandatory source system properties:

| Property Name | Value |
| --- | --- |
| aad.domain.name | <CompanyName>.onmicrosoft.com |
| aad.group.attributes | id,displayName,mailNickname |
| aad.user.attributes | id,mail,userPrincipalName,displayName,mailNickname,givenName,surname,mobilePhone,businessPhones |
| Authentication | BasicAuthentication |
| ips.trace.failed.entity.content | false |
| oauth.resource.name | https://graph.microsoft.com |
| OAuth2TokenServiceURL | https://login.microsoftonline.com/<Company Name>.onmicrosoft.com/oauth2/token |
| Password | Client Secret Value |
| ProxyType | Internet |
| Type | HTTP |
| URL | https://graph.microsoft.com |
| User | Application ID |

The screenshot below shows the same properties:

Source System Proprty details.jpg

 

Step 3: Configure Identity Authentication (IAS) as the Target System

SAP Help documentation for IAS as a target:
Identity Authentication – Target System Configuration
https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-identity-authentica...

Important:
Select the correct Source System for this Target System.
Otherwise, IAS will attempt to read data from all existing source systems in IPS.

The screenshot below shows the Target System for reference:

Identity Authentication as Target System in IPS.jpg

Mandatory IAS target system properties:

| Property Name | Value |
| --- | --- |
| Authentication | ClientCertificateAuthentication |
| ias.api.version | 2 |
| ias.user.unique.attribute | userName |
| ips.failed.request.retry.attempts | 2 |
| ips.failed.request.retry.attempts.interval | 60 |
| ips.trace.failed.entity.content | false |
| ProxyType | Internet |
| Type | HTTP |
| URL | https://<CIS Domain Name>.accounts.ondemand.com/ |
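
As a review aid for the two property tables (source system in Step 2, target system in Step 3), the following added example, which is not SAP's or the author's code, lints a set of IPS properties before the Simulate Job is run. The plain-dict input format, the `contoso` tenant and the dummy credential values are assumptions; the expected names and values are the ones listed in this guide.

```python
from urllib.parse import urlparse

# Property names and user attributes below are copied from the guide's two tables.
SOURCE_KEYS = set(("aad.domain.name aad.group.attributes aad.user.attributes Authentication "
                   "ips.trace.failed.entity.content oauth.resource.name OAuth2TokenServiceURL "
                   "Password ProxyType Type URL User").split())
TARGET_KEYS = set(("Authentication ias.api.version ias.user.unique.attribute "
                   "ips.failed.request.retry.attempts ips.failed.request.retry.attempts.interval "
                   "ips.trace.failed.entity.content ProxyType Type URL").split())
GUIDE_ATTRS = set(("id mail userPrincipalName displayName mailNickname givenName "
                   "surname mobilePhone businessPhones").split())

def _common(p, required):  # checks shared by source and target; returns findings
    out = [f"missing property: {k}" for k in sorted(required - set(p))]
    out += [f"placeholder left in {k}" for k, v in sorted(p.items())
            if "<" in v or v in ("Client Secret Value", "Application ID")]
    if p.get("ips.trace.failed.entity.content", "false").lower() != "false":
        out.append("ips.trace.failed.entity.content is not false")
    if urlparse(p.get("URL", "")).scheme != "https":
        out.append("URL is not https")
    return out

def lint_source(p):
    out = _common(p, SOURCE_KEYS)
    tok = urlparse(p.get("OAuth2TokenServiceURL", ""))
    if tok.scheme != "https" or tok.hostname != "login.microsoftonline.com":
        out.append("token URL is not https://login.microsoftonline.com")
    elif p.get("aad.domain.name") not in tok.path.split("/"):
        out.append("token URL tenant differs from aad.domain.name")
    extra = set(p.get("aad.user.attributes", "").split(",")) - GUIDE_ATTRS - {""}
    if extra:  # beyond the guide's list: more user data is pulled from Entra ID
        out.append("extra user attributes: " + ",".join(sorted(extra)))
    return out

def lint_target(p):
    out = _common(p, TARGET_KEYS)
    if p.get("Authentication") != "ClientCertificateAuthentication":
        out.append("target Authentication is not ClientCertificateAuthentication")
    if not (urlparse(p.get("URL", "")).hostname or "").endswith(".accounts.ondemand.com"):
        out.append("target URL is not an accounts.ondemand.com host")
    return out

# Constructed sample: contoso is a placeholder tenant, credentials are dummies.
SAMPLE_SOURCE = {
    "aad.domain.name": "contoso.onmicrosoft.com", "aad.group.attributes": "id,displayName,mailNickname",
    "aad.user.attributes": "id,mail,userPrincipalName,jobTitle", "Authentication": "BasicAuthentication",
    "ips.trace.failed.entity.content": "true", "oauth.resource.name": "https://graph.microsoft.com",
    "OAuth2TokenServiceURL": "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/token",
    "Password": "dummy-secret", "ProxyType": "Internet", "Type": "HTTP",
    "URL": "https://graph.microsoft.com", "User": "00000000-0000-0000-0000-000000000000"}
```

`lint_source(SAMPLE_SOURCE)` reports the enabled trace setting and the extra `jobTitle` attribute; an empty list means the properties match the guide's values.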

Step 4: Run the “Simulate Job”

Before performing the actual sync, run the Simulate Job from the Source System.

Below is the screen shot to run the Simulate Job:

Run the Simulate Job.jpg

This job allows you to check:

  • How many users will be read

  • What changes will be made

  • Any potential errors or mismatches

You can view results under Provisioning Logs in IPS.

 

Step 5: Run the “Read Job” (Actual User Sync)

This is the real provisioning job.

  • IPS reads users from Microsoft Entra ID

  • Then writes them into Identity Authentication Service (IAS)

Check Provisioning Logs for status, errors, or successful user creation. 

Below is the screen shot for reference:

Provisioning Log result.jpg

 

Optional: Schedule Recurring Provisioning Jobs

You can set up a scheduled job (daily, weekly, etc.) to automatically sync delta changes from Microsoft Entra ID into IAS.

This ensures user data stays consistently updated without manual intervention.

 

Summary

This guide provides all essential steps required to integrate Microsoft Entra ID with SAP Cloud Identity Services using Identity Provisioning Service (IPS). I hope it helps you streamline user onboarding and avoid manual user creation in IAS.

If you have any questions or face any issues, feel free to ask.

Regards,
Rohit Gera
