Alexander Zubev

SAP and Microsoft join forces to give customers seamless identity experience across SAP and Azure AD

SAP and Microsoft have partnered to help enterprises on their journey to the cloud and to enable cross-consumption of SAP and Microsoft services. Achieving that cross-consumption first requires seamless identity and access management across both platforms.

Although SAP identity services can already be integrated with Microsoft Azure Active Directory, I am thrilled to announce some areas where SAP and Microsoft plan to advance the existing integration to enable an even more seamless experience for end users and simplified configuration and management for IT. These improvements will apply regardless of which Identity Provider the customer has chosen as the primary one, whether that is SAP Cloud Platform Identity Authentication, Azure Active Directory or a third-party one:

Risk-based Authentication, a.k.a. Conditional Access

SAP applications use SAP Cloud Platform Identity Authentication either as the authenticating Identity Provider or as a proxy that federates to another one; Microsoft applications use Azure Active Directory in the same way. The consequence today is that SAP CP Identity Authentication or Azure AD acts as a proxy Identity Provider: the authenticating provider sees only the proxy as its relying party and does not know the concrete application behind it. Application-specific risk-based authentication rules (a.k.a. Conditional Access) can therefore be applied only in the proxy identity provider, not in the authenticating one, which can at best apply one policy to everything arriving through the proxy. The planned improvement is to make the applications on the other side "known" to the authenticating identity provider, so that it can apply application-specific rules to them as well and allow for more cohesive access management across the enterprise.
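As an added illustration (not SAP's or Microsoft's code, and not how either product implements the planned change), the following Python builds the SAML 2.0 AuthnRequest that a proxying IdP sends upstream and shows the authenticating side choosing a Conditional Access rule. With only the Issuer present, the upstream IdP can key its policy on the proxy alone; when the original application is carried in the standard samlp:Scoping/RequesterID element, it can pick an application-specific rule (here MFA for an assumed SuccessFactors entity ID but not for an assumed Fiori one). All entity IDs, the policy table and the function names are assumptions made for the example.

```python
"""
Added example, not code from the original post or from SAP/Microsoft.
Shows why an authenticating IdP behind a proxy IdP cannot distinguish
applications, and how SAML 2.0 Scoping/RequesterID could carry the
original requester. Every URL and policy below is an assumed value.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed entity ID of the proxying IdP (the only Issuer the upstream ever sees).
PROXY_ISSUER = "https://proxy-idp.example.com"

# Assumed per-application policies held by the authenticating IdP.
POLICIES = {
    "https://successfactors.example.com": {"mfa": True},
    "https://fiori.example.com": {"mfa": False},
}
# Assumed tenant-wide fallback applied to anything not matched above.
DEFAULT_POLICY = {"mfa": True}


def build_authn_request(original_sp: Optional[str]) -> bytes:
    """Proxy IdP side: build the AuthnRequest sent to the authenticating IdP.

    The Issuer is always the proxy. If original_sp is given, the entity ID of
    the application that started the login is added as Scoping/RequesterID,
    which is the standard SAML 2.0 way to name the original requester.
    """
    req = ET.Element(
        f"{{{SAMLP}}}AuthnRequest",
        {
            "ID": "_" + uuid.uuid4().hex,
            "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
    )
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = PROXY_ISSUER
    if original_sp:
        scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping")
        ET.SubElement(scoping, f"{{{SAMLP}}}RequesterID").text = original_sp
    return ET.tostring(req)


def select_policy(authn_request: bytes) -> Tuple[str, dict]:
    """Authenticating IdP side: pick the Conditional Access rule to enforce.

    Returns (entity the rule was selected for, rule). RequesterID is only
    honoured when the request comes from the known proxy; in a real deployment
    the request signature would be verified before trusting either field.
    """
    root = ET.fromstring(authn_request)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    requester = root.findtext(f"{{{SAMLP}}}Scoping/{{{SAMLP}}}RequesterID")
    if requester and issuer == PROXY_ISSUER and requester in POLICIES:
        return requester, POLICIES[requester]
    # Without a usable RequesterID the upstream IdP only knows the proxy,
    # so every application behind it gets the same rule.
    return issuer, POLICIES.get(issuer, DEFAULT_POLICY)


if __name__ == "__main__":
    for app in (None, "https://fiori.example.com", "https://successfactors.example.com"):
        print(app, "->", select_policy(build_authn_request(app)))
```

Run stand-alone, the block prints the proxy issuer with the tenant-wide rule for the request that names no original application, and the per-application rules for the two requests that do. The design point is in the guard inside select_policy: a RequesterID is a claim made by whoever sent the request, so the authenticating IdP must tie it to a trusted proxy (and a verified signature) before letting it relax a policy such as MFA.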

Principal Propagation across services on both platforms

Today, consuming Microsoft 365 services from an SAP Fiori application, or vice versa, e.g. consuming SAP services from a Microsoft Office add-in, is possible but requires considerable development effort, and the user experience is not as smooth as it could be. The planned improvement is to achieve principal propagation across SAP Cloud Platform and Azure Active Directory, i.e. to forward the authenticated user's identity to the service on the other platform instead of calling it with a technical user, so that applications can bring together content and services from both platforms into a seamless, personalized experience for end users.

Initial Configuration

Today, setting up the configuration between SAP identity services and Azure Active Directory requires quite a few technical steps. The planned improvement is a "one-click" configuration experience to connect SAP and Azure Active Directory.

Identity Lifecycle Management

Today, customers can use the SAP Cloud Platform Identity Provisioning service to manage the identity lifecycle across SAP and Azure Active Directory. Because SAP is open, SAP will work together with Microsoft to enable provisioning from Microsoft Azure Active Directory to SAP applications as well.


The information above, or any related document and SAP’s strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information above is not a commitment, promise or legal obligation to deliver any material, code or functionality. This information is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This blog is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this blog, except if such damages were caused by SAP’s intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.


      5 Comments
Murali Shanmugham

      Hi Alex,

I am not clear about this statement: "Thus, risk-based authentication rules (a.k.a. Conditional Access) can be applied only in the proxy identity provider but not in the authenticating one." I recently configured IAS as a proxy with AAD. I was still able to get MFA working on the Azure side (the authenticating IdP) even though IAS is configured as a proxy.

      https://blogs.sap.com/2019/04/28/integrating-identity-authentication-service-azure-active-directory-in-sap-cloud-platform-proxy-conditional-authentication-scenarios-part-3/


Alexander Zubev (Blog Post Author)

      Hi Murali,

Today you can configure an MFA (Conditional Access) policy in Azure AD that would be valid for any application using IAS as a proxy. The change here is to be able to configure fine-grained policies, e.g. MFA for SuccessFactors while Fiori Launchpad is without MFA, both using IAS as a proxy to Azure AD.

Dennis Radstake

      Hi Alexander,

Do you have any update on the availability of this feature? I am helping a new SAP customer to integrate SAP applications into their IAM solution (Azure AD). At the moment we are struggling with the position of SAP IAS in combination with AAD Conditional Access towards the different SAP applications. The ability to differentiate Conditional Access policies towards the applications integrated into Azure AD is a key component of the customer's IAM setup.

We would appreciate it if you are able to share any information on the availability or the possibility to use this feature in a preview state.

      Thanks,

      Dennis Radstake

Alexander Zubev (Blog Post Author)

      Hi Dennis,

Microsoft is currently working on enabling that sort of Conditional Access, but unfortunately I cannot commit to a timeline on their behalf.

      Regards, Alexander

Anil k

      Hello Alexander,

Can I also use SAP IAS as the primary IdP for authentication when integrating with Azure AD (corporate IdP), thereby accessing corporate applications and SAP cloud applications without signing in again after being authenticated by SAP IAS?