User Management IAS/Azure

tskwin
Participant
0 Likes

Hello everyone,

I’m looking for best practices for user management in IAS in connection with Azure AD and SAP Cloud Apps.

Current situation:

  • If a user is deleted or deactivated in Azure AD, they are also removed from SAP Cloud Apps (including content, e.g., in SAC) and lose access to all cloud apps, including non-SAP apps.
  • If a user is removed from an Azure AD group, they also lose access to SAP Cloud Apps (including content, e.g., in SAC).

Our requirement:

  • The user (Azure AD) should only be deactivated for SAP Cloud Apps but should still have access to non-SAP apps (which are also connected to the same Azure tenant).

Is there a way to control access in a more targeted way without deactivating or deleting the user in Azure AD for all apps (incl. non-SAP apps)?

Many Thanks


Accepted Solutions (0)

Answers (1)


Yogananda
Product and Topic Expert
0 Likes

@tskwin 

You will have to define the group in Azure AD and have it assigned to the user; when the user syncs to SAP IAS and SAC, you filter those fields according to the group defined for the particular application.

In this way the user will access the application based on Single Sign-On matching Azure AD and the group with authorization access.

tskwin
Participant
0 Likes

Hello @Yogananda 


thanks for your reply!

We do it the same way: defining groups in Azure (e.g., sac_admins), provisioning them to IAS, and filtering them to cloud apps like SAC.

There are three options to manage users in Azure:

  1. Remove the user from the sac_admins group (but don’t delete them from Azure). The IPS job will then remove this user from SAC and delete their content.
  2. Deactivate or delete the user in Azure; that removes this user's access to all cloud apps in Azure.
  3. Deactivate the user in IAS, but this will be overwritten by the next IPS job.

What’s the best way to delete a user in cloud apps via IPS while avoiding automatic content deletion (e.g. SAC) and ensuring the user can still access other apps in Azure?

Many Thanks

Best Regards

Yogananda
Product and Topic Expert
0 Likes

@tskwin if the user is still in your company, he/she should be present in your AD (Azure) and have the same group, and if the user has left the company, do you still need to provide access to SAC?? Then how does Azure AD work with SSO..?? I still need to know some details ...

Best Practice:

  • User ABC is in Azure AD with group SAC_Admin
  • User ABC will sync from Azure AD to SAP IAS with status Active, and the group gets assigned from Azure to the IAS group for that user with SAC_Admin
  • User ABC with group SAC_Admin identifies that the user needs access to SAC; IPS will do the sync from IAS to SAC
  • User ABC logs in to SAC; it will be SSO with Azure AD, which will authenticate the user
  • User ABC leaves the company; Azure AD will set the status to Inactive or an end date
  • User ABC will not be able to authenticate and cannot access the application
tskwin
Participant
0 Likes

Hello @Yogananda 

Thank you for your explanation, it clarifies the process well.

But there are situations where, for example, a user stays in the company and should remain in Azure AD, but their access to SAC should be revoked.

I cannot deactivate this user in Azure AD (since they would lose access to other applications in Azure). If I remove user ABX from the sac_admin group, they will also be deleted from SAC, and their content will be lost.

Do you have any tips on how to proceed when access to SAC needs to be revoked, but the user's content in SAC and the user in the IdP should remain?

Is there a way to manage this more effectively in Azure AD or SAP IAS ?


Many Thanks

Best Regards

Yogananda
Product and Topic Expert
0 Likes

@tskwin 
I cannot deactivate this user in Azure AD (since they would lose access to other applications in Azure). If I remove user ABX from the sac_admin group, they will also be deleted from SAC, and their content will be lost.
If you say that removing access to SAC for that user will lose the data? Are you sure? And also, if you don't provide access to SAC for the user, who will see the data of that user, since that user is not able to access SAC?

Do you have any tips on how to proceed when access to SAC needs to be revoked, but the user's content in SAC and the user in the IdP should remain?

I can only think of removing all SAC-related groups so that they are unassigned in IAS for that user (Azure AD to IAS transformation); in that way the user is active in SAC but cannot access the application due to no groups being assigned (the IAS to SAC user sync will unassign all the groups), but the user is present.