Skip to Content
Product Information
Author's profile photo Alexander Zubev

SAP and Microsoft join forces to give customers seamless identity experience across SAP and Azure AD

SAP and Microsoft have partnered to help enterprises on their journey to the cloud and enable cross consumption of SAP and Microsoft services. Achieving that cross consumption requires first of all seamless identity and access management across both platforms.

Although SAP identity services can be integrated with Microsoft Azure Active Directory even today, I am thrilled to announce some areas where SAP and Microsoft plan to advance the existing integration to enable an even more seamless experience for end users and simplified configuration and management for IT. These improvements will be valid independently of the Identity Provider the customer has chosen as the primary one, whether this is SAP Cloud Platform Identity Authentication, Azure Active Directory or a third-party one:

Risk-based Authentication, a.k.a. Conditional Access

SAP applications leverage SAP Cloud Platform Identity Authentication either as a means of an authenticating Identity Provider or as federating to another one. Similarly, Microsoft applications leverage Azure Active Directory to do so. The result of this today is that SAP CP Identity Authentication or Azure AD acts as a proxy Identity Provider and the real authenticating provider knows only about it, but not the concrete application. Thus, risk-based authentication rules (a.k.a. Conditional Access) can be applied only in the proxy identity provider but not in the authenticating one. The planned improvement is to make the applications on the other side “known” to the authenticating identity provider, so that it can apply specific rules to those applications as well and allow for more cohesive access management across the enterprise.

Principal Propagation across services on both platforms

Today, consuming Microsoft 365 services from an SAP Fiori application or vice versa, e.g. consuming SAP services from a Microsoft Office Add-In is possible, but requires quite some development effort and the user experience is not as smooth as it could be. The planned improvement here is to achieve principal propagation across SAP Cloud Platform and Azure Active Directory to enable applications to bring together content and services from both platforms into a seamless, personalized experience for end users.

Initial Configuration

Today, setting up the configuration between SAP identity services and Azure Active Directory requires quite some technical steps. The planned improvement here is to come to a “one-click” configuration experience to connect SAP and Azure Active Directory.

Identity Lifecycle Management

Today customers can leverage SAP Cloud Platform Identity Provisioning service to manage the identity lifecycle across SAP and Azure Active Directory. However, as SAP is open, SAP will work together with Microsoft to enable provisioning from Microsoft Azure Active Directory to SAP applications as well.


The information above, or any related document and SAP’s strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information above is not a commitment, promise or legal obligation to deliver any material, code or functionality. This information is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This blog is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this blog, except if such damages were caused by SAP’s intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates,
and they should not be relied upon in making purchasing decisions.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Murali Shanmugham
      Murali Shanmugham

      Hi Alex,

      I am not clear about this statement "Thus, risk-based authentication rules (a.k.a. Conditional Access) can be applied only in the proxy identity provider but not in the authenticating one. " I recently configured IAS as a proxy with AAD. I was still able to get MFA working on Azure side (the authenticating IdP)  even thought IAS is configured as a Proxy.


      Author's profile photo Alexander Zubev
      Alexander Zubev
      Blog Post Author

      Hi Murali,

      Today you can configure an MFA (conditional access) policy in AzureAD that would be valid for any application using IAS as a proxy. The change here is to be able to configure fine-granular policies, e.g. MFA for SuccessFactors, while Fiori Launchpad is without MFA, both using IAS as a proxy to AzureAD.

      Author's profile photo Dennis Radstake
      Dennis Radstake

      Hi Alexander,

      Do you have any update on the availability of this feature? I am helping a new SAP customer to integrate SAP applications into their IAM solution (Azure AD). At the moment we are struggling with the position SAP IAS in combination with AAD Conditional Access towards the different SAP applications. The ability to differentiate conditional access policies towards the applications integrated into Azure AD is a key component of the customer's IAM setup.

      We would appreciate I you are able to share any information on the availability or the possibility to use this feature in a preview state.


      Dennis Radstake

      Author's profile photo Alexander Zubev
      Alexander Zubev
      Blog Post Author

      Hi Dennis,

      Microsoft is currently working on enabling that sort of Conditional Access , but unfortunately I cannot commit on behalf of them on a timeline

      Regards, Alexander

      Author's profile photo Anil k
      Anil k

      Hello Alexander,

      Can I also use SAP IAS as primary IDP for Authentication when integrating with Azure AD (Cooperate IDP) ?  there by access cooperate applications and  SAP cloud applications without signing again  after authenticated  by  SAP IAS.