Showing results for 
Search instead for 
Did you mean: 

Entra ID to provision users + authentication to BTP via Cloud Identity Services

Active Contributor

Hi, I'm a bit confused about how to achieve my goals which is to use Cloud Identity Services (CIS) as the only Identity Provider for all my BTP subaccounts, applications and services including "Platform Users", but the users must be replicated from Entra ID and authenticate also via the Microsoft solution.

This is a summary of what I want:

  • Use CIS as the Identity Provider for all my BTP services including Platform Users. Note: This way I don't have to setup direct Trust between Entra ID and each subaccount as I have now. Also, Platform Users can only be SAP ID or CIS users.
  • Use Entra ID as source provisioning system for Cloud Identity Services to provision users + groups. Replicate only relevant (filtered) groups and users belonging to these groups.
  • Use Entra ID authenticate.
  • Be able to use the subaccount "role collection mapping" based on the groups where the user is member in Cloud Identity Services (so not take the user groups from Entra ID but from CIS).

It seems there are 2 ways to provision users to CIS, one is by planning a periodic job in CIS itself to pull the list of users via GraphAPI and replicate the changes in the target system, in this case CIS. This is explained in this blog and it allows me to filter groups and users belonging to them as I need.

The 2nd option is to create Enterprise App directly in Entra ID which will push, the list of users to CIS as in this Microsoft tutorial. This option is easier, but I doesn't seem to be able to push neither the groups nor the list of groups where the user belongs as I wanted. The scoping option also doesn't allow to filter by a list of groups.

I tried option 1 and I have all the users and groups in CIS the way I wanted. Now I would like to solve the authentication part, but the documentation I can find doesn't seem aligned with the option 1 of user provisioning via GraphAPI registered app. Should I create a 2nd Enterprise Application for the authentication part? Or am I missing something?

I'm also confused on how to have SSO but at the same time only users replicated to CIS should be able to login.


View Entire Topic
Active Participant


considering your last statement -

Use risk based authentication in IAS - if you want to restrict / allow specific types of users  to access the application.

Reading the description - it seems you want to authenticate in both IAS and Microsoft AD. Use conditional authentication and setup rules there to meet your requirements. 

Both of above functionalities will work because you already synced the users.


Sushil K Gupta

Active Contributor
0 Kudos

Hi @sushilgupta857 , I want the user to be a Cloud Identity Services user because some services like BTP Platform Users or Cloud ALM only support this option. But I want the authentication to be with Entra ID to have SSO and enforce the company security policies for SAP BTP services like the Entra ID MFA or the validation the validation of an allowed browser for example.

I tried the setup of Entra ID as proxy, but then I faced some issues:

  1. All the users assigned to Entra ID Enterprise App for Cloud Identity Services could authenticate to any BTP service, they just don't get access because they have no role collections but still I don't like that can authenticate and get created as shadows users
  2. If users where being deleted from Entra ID, they were still existing as shadow users in the BTP subaccounts, I hope that with CIS the deletion gets propagated not only to CIS but to all subaccounts where the user exists.
  3. For the subaccount role mapping with groups, it was reading the groups membership from Entra ID not from CIS as I would like.