Skip to Content
Technical Articles
Author's profile photo Peter Neu

Logging on to S/4HANA Public Cloud Bypassing Azure AD

In this blog post I am going to explain how you can bypass Azure AD when Azure AD is setup as the identity provider for SSO and identity federation is disabled. As I could not find the information I needed within appropriate time I want to share my limited knowledge on the topic with you.

Lets start with the basics – how does the integration between Azure AD, IAS and S/4HANA Cloud work?


Integration of Azure AD, SAP IAS and S/4HANA Cloud

Service Integration Scenario

Azure AD provides a user, usually identified by the email address. Once this user successfully logs on to Windows he/she is authorized. When this user now tries to access S/4HANA Cloud the request is passed on to IAS as the central identity and access management for S/4HANA Cloud. IAS receives the information of the successful login and in our case forwards the login name and the successful authentication to S/4HANA Cloud. This usually happens so fast that we won´t even recognize it. User is good to go to use the application. The concept of only logging on to e.g. Azure AD as identity provider is known as Single Sign On (SSO).

If you use an InPrivate window to access the link to S/4HANA, SSO won´t work. However you still need to authenticate with Azure AD:


Login via Azure AD

Also note the link when seeing the screen in the previous picture referencing Microsoft:


Microsoft Link


In SAP help it says regarding the integration of Microsoft Azure AD:

Identity Authentication supports the Identity Federation option. This option allows the application to check if the users authenticated by the corporate identity provider exist in the user store of Identity Authentication. In the default setting, the Identity Federation option is disabled. If Identity Federation is enabled, only the users that are imported in Identity Authentication are able to access the application.”

In our case this means in default you have an Azure AD account and an S/4HANA user but no IAS user as this is not required. If you want to bypass however, an IAS user is required.


User Management Process

In the respective case the business users are created using the “Import Employees” functionality (Import Employees App) in the S/4HANA Public Cloud instance. This then creates the system users in the target application.

Once the users are correctly maintained and authorized, they also need to be uploaded in the IAS directly. This can be done using the Import Users functionality requiring a CSV file with very limited information. After they are created, the information can be enhanced under User Management and an initial password needs to be set.

After that the user is good to go via the previously provided link. Once the first login with initial password is successful, the user is prompted to set his/her own password.



Users can bypass SSO using a special link, actively addressing IAS directly and referencing the target application explicitly.



Using this link results in accessing IAS, which is easily to be seen from the logon page:


LogOn Screen IAS

And from the logon the user is redirected to the application.



In order to bypass Azure AD you need to:

  • create the target application user
  • create (and map) an IAS user
  • use a link to force the authentication on the target application via IAS


Let me know if this post was of help and please share any feedback or additional insights in the comments.


Further Reading

SAP Cloud Identity Services | SAP Community

Integrating the Service with Microsoft Azure AD | SAP Help Portal



Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Mustafa Bensan
      Mustafa Bensan

      Hi Peter,

      If a customer has explicitly set up S/4HANA Cloud with Azure AD as the corporate identity provider for accessing the system, what would be the reason or use case for bypassing this?



      Author's profile photo Peter Neu
      Peter Neu
      Blog Post Author

      Hi Mustafa,


      that is indeed a good question, as Azure AD and having appropriate accounts set up would be the default with no need to do what I wrote about.

      In the particular case we use this to handle multiple accounts for the same person resulting from a earlier design decision that I am not a huge fan of. We also don´t want to have additional Azure AD accounts in this case.

      I could imagine something like that for e.g. emergency or admin users, which have additional authorizations and should not be used in daily business.

      So, it may not be the most common requirement but I liked how much I learned about these things and wanted to share anyway.


      Best regards,




      Author's profile photo Mustafa Bensan
      Mustafa Bensan

      Thanks Peter.  That makes sense.  I suspected it might have been to accommodate multiple accounts for some users.



      Author's profile photo Anand Kapadia
      Anand Kapadia

      Peter Neu not sure if I understood the blog post in all sections correctly. But I would assume you would need to set the option for the S/4HANA Cloud application that IAS users can log on. This can be done in the conditional authentication configurations.

      Once this is set you can also see the bypass URL. Please see:

      Author's profile photo Peter Neu
      Peter Neu
      Blog Post Author

      Thank you for the comment. This is a part in the IAS I am not authorized for and therefore cannot access. As it works I assume the settings must be in place.