Leveraging Azure Active Directory and SAP Business Technology Platform
Looking back at 2021
The year 2021 started with a really great announcement from Satya Nadella and Christian Klein during the RISE with SAP event (SAP and Microsoft Partnership Expands | SAP News Center). Christian stated that by integrating SAP solutions with Microsoft Teams “we will bring collaboration to the next level, jointly determining the future of work and enabling the frictionless enterprise.”
Integrating with Teams
So the teams started working on the integration, and we already see lots of applications being released, with hundreds of companies already using them.
- SAP Sales Cloud – SAP Sales Cloud and Microsoft Teams Ease Remote Selling | SAP News
- SAP Business ByDesign – SAP Business ByDesign for Microsoft Teams (Beta) | SAP Blogs (-> Thanks Richard Qin)
- SuccessFactors – Place learning in the flow of work – by leveraging integrations of SAP SuccessFactors Learning and Microsoft | SAP Blogs
- and much more currently in development
Building your own Teams integration
All this focus from SAP and Microsoft on the Teams integration obviously also led to a lot of customer-specific developments. Creating new apps in Teams is well documented (https://docs.microsoft.com/en-us/microsoftteams/platform/mstdd-landing). You can even use low-code tools from the Power Platform, like Power Virtual Agents, which lets you build a chatbot within minutes and even integrate it with SAP (Power Platform + SAP (7/10): Creating a Chatbot in Teams to access data from SAP – YouTube). However, a common question from customers was how to enable single sign-on from Teams / Azure Active Directory to the SAP system. Working closely with customers, Martin Raepple continued his amazing multi-part series on principal propagation and showed how the user authenticated in Teams via Azure Active Directory is propagated end to end, so that the very same user identity, and not a shared technical user, is the one accessing the SAP system: Principal propagation in a multi-cloud solution between Microsoft Azure and SAP Business Technology Platform (BTP), Part III: Teams SSO, Process Integration & Core Data Services | SAP Blogs
As you can see in the diagram from Martin the integration can be a little intimidating. That’s why we continue to work closely with Michael Friedrich, Alexander Zubev and other SAP colleagues to improve and simplify the integration — stay tuned!
Leveraging Azure Active Directory and BTP
This brings me to my next point: we see a lot of customers using Azure Active Directory in combination with the SAP BTP Identity Authentication Service (IAS). The official documentation (Microsoft Azure Active Directory – SAP Help Portal) already provides important information on how to connect both worlds.
Based on the feedback we collected while working with customers on these integrations, we worked together with Martin Pankraz, Christof Claessens, Jelle Druyts, Martin Raepple and other colleagues on a document of best practices and lessons learned. The document Scenario – Using Azure Active Directory to secure access to SAP platforms and applications | Microsoft Docs makes the integration of SAP Business Technology Platform and Azure Active Directory more tangible and is the result of actual customer implementations.
The document is split into 6 sections, each
- introducing the topic,
- outlining and explaining our recommendation
- and summarizing the implementation steps.
You can access the sections directly via:
- 1 – Use Federated Authentication in SAP Business Technology Platform and SAP SaaS applications through SAP Identity Authentication Service
- 2 – Use Azure AD for Authentication and IAS/BTP for Authorization
- 3 – Use Azure AD groups for Authorization through Role Collections in IAS/BTP
- 4 – Use a single BTP Subaccount only for applications that have similar Identity requirements
- 5 – Use the Production IAS tenant for all end user Authentication and Authorization
- 6 – Define a Process for Rollover of SAML Signing Certificates
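Recommendation 6 is the one that most often gets discovered the hard way: once the Azure AD signing certificate expires while IAS or the BTP subaccount still trusts only the old one, every SAML login fails at once. The script below is an added example for this post, not code from the Microsoft document or from SAP. It parses an IdP federation metadata document in the shape both Azure AD and IAS publish (EntityDescriptor / IDPSSODescriptor / KeyDescriptor), decodes each signing X509Certificate, and reports whether a rollover is due. The certificate bytes, the entity ID and the dates are constructed test data; the hand-rolled DER walker only reads notAfter and assumes well-formed DER input.

```python
"""Added example: flag SAML IdP signing certificates that need rollover.

Reads IdP federation metadata (the format Azure AD and SAP IAS publish),
decodes every signing X509Certificate and reports how long the trust keeps
working. All certificates built here are CONSTRUCTED test data.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

UTC = dt.timezone.utc
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


# --- minimal DER helpers: just enough to reach tbsCertificate.validity ----
def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs directly contained in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, cert_start, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)     # tbsCertificate SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    _, vstart, vend = fields[3]                       # serial, sigAlg, issuer, validity
    tag, tstart, tend = list(_children(der, vstart, vend))[1]    # notAfter
    text = der[tstart:tend].decode("ascii")
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return dt.datetime.strptime(text, fmt).replace(tzinfo=UTC)


def _der(tag, body):
    """Encode one DER TLV with a minimal length encoding (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body


def constructed_cert(not_before, not_after):
    """CONSTRUCTED test certificate: valid DER layout, empty names and key,
    all-zero signature. Only its validity period matters for this check."""
    def utc(t):
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption
                   + _der(0x05, b""))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),     # version v3
        _der(0x02, b"\x01"),                 # serialNumber
        sig_alg,
        _der(0x30, b""),                     # issuer Name (empty)
        _der(0x30, utc(not_before) + utc(not_after)),
        _der(0x30, b""),                     # subject Name (empty)
        _der(0x30, b""),                     # subjectPublicKeyInfo (empty placeholder)
    ]))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 17))


def build_metadata(certs, entity_id="https://sts.windows.net/TENANT-ID/"):
    """CONSTRUCTED IdP metadata with one signing KeyDescriptor per certificate
    (entity_id is a placeholder, not a real tenant)."""
    keys = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        + base64.b64encode(c).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for c in certs)
    return (f'<EntityDescriptor xmlns="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{entity_id}">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{keys}</IDPSSODescriptor></EntityDescriptor>")


def signing_cert_expiries(metadata_xml):
    """notAfter for every signing certificate in the IdP metadata.
    A KeyDescriptor without a use attribute applies to signing too."""
    root = ET.fromstring(metadata_xml)
    expiries = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            expiries.append(cert_not_after(base64.b64decode("".join(node.text.split()))))
    return expiries


def rollover_status(metadata_xml, now, warn_days=60):
    """'ok' if some signing cert stays valid beyond warn_days, 'rollover-due' if
    every valid cert expires within warn_days, 'expired' if none is valid."""
    expiries = signing_cert_expiries(metadata_xml)
    valid = [e for e in expiries if e > now]
    if not valid:
        return "expired", expiries
    if max(valid) - now <= dt.timedelta(days=warn_days):
        return "rollover-due", expiries
    return "ok", expiries


NOW = dt.datetime(2022, 1, 10, tzinfo=UTC)
OLD_CERT = constructed_cert(dt.datetime(2020, 1, 1, tzinfo=UTC), dt.datetime(2022, 2, 1, tzinfo=UTC))
NEW_CERT = constructed_cert(dt.datetime(2021, 12, 1, tzinfo=UTC), dt.datetime(2024, 12, 1, tzinfo=UTC))

if __name__ == "__main__":
    for label, certs in [("before rollover", [OLD_CERT]), ("new cert added", [OLD_CERT, NEW_CERT])]:
        status, expiries = rollover_status(build_metadata(certs), NOW)
        print(f"{label}: {status}", [e.date().isoformat() for e in expiries])
```

Point the script at the real metadata instead of the constructed one (for Azure AD that is the tenant's federationmetadata.xml under login.microsoftonline.com, for IAS the tenant's SAML metadata download) and run it from a scheduled job; "rollover-due" is the signal to add the new certificate on the Azure AD side and re-import the metadata into IAS/BTP while both certificates are still listed. Outside a demo, replace the DER walker with `cryptography.x509.load_der_x509_certificate(...).not_valid_after`, which also validates the rest of the certificate.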
Onboarding new employees
One last topic that we see very often is customers using both SAP SuccessFactors and Azure Active Directory. Typically, when new employees join a company, their profile is first created in the “HR world” (SAP SuccessFactors). Creating the same user in the “IT world” (Azure Active Directory) is then a separate manual step. Here again we (thanks, Chetan Desai | LinkedIn) worked closely with Gerald Reinhard, the SAP team and several partners (SAP SuccessFactors Integrations – Bidirectional Identity Integration with Microsoft Azure Active Directory | SAP Blogs) to create a document that provides best practices on how to connect your SAP SuccessFactors with Azure Active Directory: IDP_Bidirectional_Identitiy_Integration_1.01b.pdf (sap.com)
If this inspired you, use the links to get started. Let us know if you have any feedback to make it even better!