From 807c402694a72467ce49d53eaf2f8d3154216c40 Mon Sep 17 00:00:00 2001 From: MartinPankraz Date: Wed, 18 Dec 2024 17:21:38 +0100 Subject: [PATCH 1/5] add idm hints --- .../eslz-identity-and-access-management.md | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/docs/scenarios/sap/eslz-identity-and-access-management.md b/docs/scenarios/sap/eslz-identity-and-access-management.md index 9905f2e7c5..f61443aa39 100644 --- a/docs/scenarios/sap/eslz-identity-and-access-management.md +++ b/docs/scenarios/sap/eslz-identity-and-access-management.md @@ -15,6 +15,9 @@ ms.custom: think-tank, e2e-sap, UpdateFrequency2 This article builds on several considerations and recommendations defined in the article [Azure landing zone design area for identity and access management](../../ready/landing-zone/design-area/identity-access.md). This article describes the identity and access-management recommendations for deploying an SAP platform on Microsoft Azure. SAP is a mission-critical platform, so you should include the Azure landing zone design area guidance in your design. +> [!IMPORTANT] +> SAP SE has [sunset](https://community.sap.com/t5/technology-blogs-by-sap/preparing-for-sap-identity-management-s-end-of-maintenance-in-2027/ba-p/13596101) the SAP Identity Management (IDM) product and recommends all its customers to migrate to [Microsoft Entra ID Governance](/entra/id-governance/scenarios/migrate-from-sap-idm). + ## Design considerations - Review the required Azure administration and management activities for your team. Consider your SAP on Azure landscape. Determine the best possible distribution of responsibilities within your organization. 
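Review bot: the new IMPORTANT callout has a grammar slip and leaves out the date the linked SAP post is about. "recommends all its customers to migrate" should read "recommends that all its customers migrate", and since the link slug is `preparing-for-sap-identity-management-s-end-of-maintenance-in-2027`, stating the 2027 end-of-maintenance date in the callout itself tells readers how urgent the migration is without making them follow the link.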
@@ -38,27 +41,31 @@ Here are common administration and management activities of SAP on Azure: | Networking | Microsoft.Network/networkSecurityGroups | Read NSG | | Networking | Microsoft.Network/azureFirewalls | Read firewall | -- If you're using SAP Business Technology Platform (BTP) services, consider using principal propagation to forward an identity from the SAP BTP application to your SAP landscape by using SAP Cloud Connector. +- Secure Network File System (NFS) communication between Azure NetApp Files and Azure Virtual Machines with [NFS client encryption using Kerberos](/azure/azure-netapp-files/configure-kerberos-encryption). Azure NetApp Files supports Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services for Microsoft Entra connections. Consider the [performance effect of Kerberos on NFS v4.1](/azure/azure-netapp-files/configure-kerberos-encryption#kerberos_performance). + +- Secure the Network File System (NFS) communication between Azure NetApp Files and Azure Virtual Machines with NFS client encryption using Kerberos. Azure NetApp Files require either AD DS or Microsoft Entra Domain Services connection for Kerberos ticketing. Consider the performance effect of Kerberos on NFS v4.1. -- Consider Microsoft Entra provisioning service to automatically provision and deprovision users and groups to [SAP Analytics Cloud](/azure/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial) and [SAP Identity Authentication](/azure/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial). +- Secure Remote Function Call (RFC) connections between SAP systems with secure network communications (SNC) by using appropriate protection levels, like quality of protection (QoP). SNC protection generates some performance overhead. To protect RFC communication between application servers of the same SAP system, SAP recommends using network security instead of SNC. 
The following Azure services support SNC-protected RFC connections to an SAP target system: Providers of Azure Monitor for SAP Solutions, the self-hosted integration runtime in Azure Data Factory, and the on-premises data gateway in case of Power BI, Power Apps, Power Automate, Azure Analysis Services, and Azure Logic Apps. SNC is required to configure single sign-on (SSO) in these cases. + +### SAP User governance and provisioning - Consider that a migration to Azure might be an opportunity to review and realign identity and access management processes. Review the processes in your SAP landscape and the processes at your enterprise level: - Review the SAP dormant user lockout policies. - Review the SAP user password policy and align it with Microsoft Entra ID. - Review the leavers, movers, and starters (LMS) procedures and align them with Microsoft Entra ID. If you're using SAP Human Capital Management (HCM), SAP HCM likely drives the LMS process. -- Consider provisioning users from [SuccessFactors Employee Central](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial) into Microsoft Entra ID, with optional write-back of email address to SuccessFactors. +- Consider using [SAP principal propagation](/power-platform/sap/connect/entra-id-apim-oauth) to forward an Microsoft identity to your SAP landscape. -- Secure Network File System (NFS) communication between Azure NetApp Files and Azure Virtual Machines with [NFS client encryption using Kerberos](/azure/azure-netapp-files/configure-kerberos-encryption). Azure NetApp Files supports Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services for Microsoft Entra connections. Consider the [performance effect of Kerberos on NFS v4.1](/azure/azure-netapp-files/configure-kerberos-encryption#kerberos_performance). 
+- Consider Microsoft Entra provisioning service to automatically provision and deprovision users and groups to [SAP Analytics Cloud](/azure/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial), [SAP Identity Authentication](/azure/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial) and more SAP services. -- SAP Identity Management (IDM) integrates with Microsoft Entra ID by using SAP cloud identity provisioning as a proxy service. Consider Microsoft Entra ID as a central data source for users using SAP IDM. Secure the Network File System (NFS) communication between Azure NetApp Files and Azure Virtual Machines with NFS client encryption using Kerberos. Azure NetApp Files require either AD DS or Microsoft Entra Domain Services connection for Kerberos ticketing. Consider the performance effect of Kerberos on NFS v4.1. +- Consider provisioning users from [SuccessFactors](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial) into Microsoft Entra ID, with optional write-back of email address to SuccessFactors. -- Secure Remote Function Call (RFC) connections between SAP systems with secure network communications (SNC) by using appropriate protection levels, like quality of protection (QoP). SNC protection generates some performance overhead. To protect RFC communication between application servers of the same SAP system, SAP recommends using network security instead of SNC. The following Azure services support SNC-protected RFC connections to an SAP target system: Providers of Azure Monitor for SAP Solutions, the self-hosted integration runtime in Azure Data Factory, and the on-premises data gateway in case of Power BI, Power Apps, Power Automate, Azure Analysis Services, and Azure Logic Apps. SNC is required to configure single sign-on (SSO) in these cases. +- Migrate your SAP Identity Management (IDM) solution to Microsoft Entra ID Governance. 
## Design recommendations - Implement SSO by using Windows AD, Microsoft Entra ID, or AD FS, depending on the access type, so that the end users can connect to SAP applications without a user ID and password once the central identity provider successfully authenticates them. - - Implement SSO to SAP SaaS applications like [SAP Analytics Cloud](/azure/active-directory/saas-apps/sapboc-tutorial), [SAP Cloud Platform](/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial), [Business by design](/azure/active-directory/saas-apps/sapbusinessbydesign-tutorial), [SAP Qualtrics](/azure/active-directory/saas-apps/qualtrics-tutorial) and [SAP C4C](/azure/active-directory/saas-apps/sap-customer-cloud-tutorial) with Microsoft Entra ID using SAML. + - Implement SSO to SAP SaaS applications like [SAP Analytics Cloud](/azure/active-directory/saas-apps/sapboc-tutorial), [SAP Business Technology Platform (BTP)](/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial), [Business by design](/azure/active-directory/saas-apps/sapbusinessbydesign-tutorial), [SAP Qualtrics](/azure/active-directory/saas-apps/qualtrics-tutorial) and [SAP C4C](/azure/active-directory/saas-apps/sap-customer-cloud-tutorial) with Microsoft Entra ID using SAML. - Implement SSO to [SAP NetWeaver](/azure/active-directory/saas-apps/sap-netweaver-tutorial)-based web applications like [SAP Fiori](/azure/active-directory/saas-apps/sap-fiori-tutorial) and SAP Web GUI by using SAML. - You can implement SSO to SAP GUI by using SAP NetWeaver SSO or a partner solution. - For SSO for SAP GUI and web browser access, implement SNC – Kerberos/SPNEGO (simple and protected GSSAPI negotiation mechanism) due to its ease of configuration and maintenance. For SSO with X.509 client certificates, consider the SAP Secure Login Server, which is a component of the SAP SSO solution. 
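Review bot: the NFS/Kerberos bullet is added twice in this hunk, once with links (`+- Secure Network File System (NFS) communication ...`) and once without (`+- Secure the Network File System (NFS) communication ...`); keep the linked version and drop the other. Two more points in the same hunk: `+- Migrate your SAP Identity Management (IDM) solution to Microsoft Entra ID Governance.` is a recommendation rather than a consideration and carries no link, so it belongs under `## Design recommendations` with the same migration guide the IMPORTANT callout links; and the principal propagation bullet should say "a Microsoft identity" and state which flow it means, because the removed line described forwarding a BTP identity through SAP Cloud Connector while the new link (`/power-platform/sap/connect/entra-id-apim-oauth`) describes the Microsoft Entra ID and API Management OAuth flow. Finally, "Business by design" in the SSO bullet is the product name SAP Business ByDesign.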
@@ -68,6 +75,6 @@ Here are common administration and management activities of SAP on Azure: - Consider Microsoft Entra ID an identity provider for SAP systems hosted on RISE. For more information, see [Integrating the Service with Microsoft Entra ID](https://help.sap.com/docs/identity-authentication/identity-authentication/integrating-service-with-microsoft-azure-ad). - For applications that access SAP, you might want to use [principal propagation to establish SSO](https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md). -- If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), [consider implementing SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID](/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial) to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Microsoft Entra ID as the central user store and identity provider. +- If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), [consider implementing SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID](/entra/fundamentals/scenario-azure-first-sap-identity-integration) to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Microsoft Entra ID as the central user store and identity provider. - If you're using SAP SuccessFactors, consider using the Microsoft Entra ID [automated user provisioning](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial). With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Microsoft Entra ID. 
Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Microsoft Entra ID. Use write-back of the email address to SAP SuccessFactors. From ef816ce96ab8ec5165072c9bb7cecd64f4bb000a Mon Sep 17 00:00:00 2001 From: MartinPankraz Date: Fri, 20 Dec 2024 13:08:43 +0100 Subject: [PATCH 2/5] clarify --- .../sap/eslz-identity-and-access-management.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/scenarios/sap/eslz-identity-and-access-management.md b/docs/scenarios/sap/eslz-identity-and-access-management.md index f61443aa39..3aa73ffe4c 100644 --- a/docs/scenarios/sap/eslz-identity-and-access-management.md +++ b/docs/scenarios/sap/eslz-identity-and-access-management.md 
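Review bot: in patch 1's last hunk the retargeted IAS link changes the kind of content without changing the link text. The old target (`/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial`) was a step-by-step SSO tutorial, the new one (`/entra/fundamentals/scenario-azure-first-sap-identity-integration`) is the end-to-end scenario guide, so "consider implementing SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID" should be reworded to signal architecture guidance, or the tutorial link kept alongside it for the actual setup steps. The same bullet also mixes "SAP Identity Authentication Service (IAS)", "SAP Cloud Identity Authentication Services" and "SAP IAS" for one product; pick one form.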
@@ -60,10 +60,10 @@ Here are common administration and management activities of SAP on Azure: - Consider provisioning users from [SuccessFactors](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial) into Microsoft Entra ID, with optional write-back of email address to SuccessFactors. -- Migrate your SAP Identity Management (IDM) solution to Microsoft Entra ID Governance. - ## Design recommendations +- [Migrate](/entra/id-governance/scenarios/migrate-from-sap-idm) your SAP Identity Management (IDM) solution to Microsoft Entra ID Governance. + - Implement SSO by using Windows AD, Microsoft Entra ID, or AD FS, depending on the access type, so that the end users can connect to SAP applications without a user ID and password once the central identity provider successfully authenticates them. - Implement SSO to SAP SaaS applications like [SAP Analytics Cloud](/azure/active-directory/saas-apps/sapboc-tutorial), [SAP Business Technology Platform (BTP)](/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial), [Business by design](/azure/active-directory/saas-apps/sapbusinessbydesign-tutorial), [SAP Qualtrics](/azure/active-directory/saas-apps/qualtrics-tutorial) and [SAP C4C](/azure/active-directory/saas-apps/sap-customer-cloud-tutorial) with Microsoft Entra ID using SAML. - Implement SSO to [SAP NetWeaver](/azure/active-directory/saas-apps/sap-netweaver-tutorial)-based web applications like [SAP Fiori](/azure/active-directory/saas-apps/sap-fiori-tutorial) and SAP Web GUI by using SAML. 
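Review bot: the IDM migration bullet now opens `## Design recommendations` as an unconditional instruction, but it only applies to customers who run SAP IDM. Rewording it as "If you're using SAP Identity Management (IDM), [migrate](...) it to Microsoft Entra ID Governance" matches the conditional form of the other bullets in this section ("If you're using SAP BTP services ...", "If you're using SAP SuccessFactors ..."). Moving it out of the considerations list is the right call.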
@@ -72,9 +72,9 @@ Here are common administration and management activities of SAP on Azure: - Implement [SSO by using OAuth for SAP NetWeaver](/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth) to allow third-party or custom applications to access SAP NetWeaver OData services. - Implement [SSO to SAP HANA](/azure/active-directory/saas-apps/saphana-tutorial) -- Consider Microsoft Entra ID an identity provider for SAP systems hosted on RISE. For more information, see [Integrating the Service with Microsoft Entra ID](https://help.sap.com/docs/identity-authentication/identity-authentication/integrating-service-with-microsoft-azure-ad). -- For applications that access SAP, you might want to use [principal propagation to establish SSO](https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md). +- Implement Microsoft Entra ID as identity provider for SAP systems hosted on RISE. For more information, see [Integrating the Service with Microsoft Entra ID](https://help.sap.com/docs/identity-authentication/identity-authentication/integrating-service-with-microsoft-azure-ad). +- For applications that access SAP, use [principal propagation to establish SSO](https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md). -- If you're using SAP BTP services or SaaS solutions that require SAP Identity Authentication Service (IAS), [consider implementing SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID](/entra/fundamentals/scenario-azure-first-sap-identity-integration) to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Microsoft Entra ID as the central user store and identity provider. 
+- If you're using SAP BTP services or SaaS solutions that require SAP Cloud Identity Service, Identity Authentication (IAS), [use implementing SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID](/entra/fundamentals/scenario-azure-first-sap-identity-integration) to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Microsoft Entra ID as the central user store and identity provider. -- If you're using SAP SuccessFactors, consider using the Microsoft Entra ID [automated user provisioning](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial). With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Microsoft Entra ID. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Microsoft Entra ID. Use write-back of the email address to SAP SuccessFactors. +- If you're using SAP SuccessFactors, use Microsoft Entra ID [automated user provisioning](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial). With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Microsoft Entra ID. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Microsoft Entra ID. Use write-back of the email address to SAP SuccessFactors. From c6b40df8b04197b6d5a5915e6d1375e9e998b85f Mon Sep 17 00:00:00 2001 From: MartinPankraz Date: Fri, 20 Dec 2024 13:32:26 +0100 Subject: [PATCH 3/5] fixes --- docs/scenarios/sap/eslz-identity-and-access-management.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/scenarios/sap/eslz-identity-and-access-management.md b/docs/scenarios/sap/eslz-identity-and-access-management.md index 3aa73ffe4c..7e34dd12a1 100644 
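Review bot: `[use implementing SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID]` in patch 2's IAS bullet is not grammatical; "implement SSO between ..." is what was meant, and the new product name "SAP Cloud Identity Service, Identity Authentication (IAS)" now sits beside "SAP Cloud Identity Authentication Services" and "SAP IAS" in the same sentence, so the naming should be settled here too. Separately, the principal propagation bullet is promoted from "you might want to use" to "use" while its only reference is a community sample on GitHub (`azuredevcollege/SAP/.../sap-oauth-saml-flow`); a firm recommendation should point at product documentation, for example the `/power-platform/sap/connect/entra-id-apim-oauth` page this same file links under design considerations, with the sample as a secondary reference.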
--- a/docs/scenarios/sap/eslz-identity-and-access-management.md +++ b/docs/scenarios/sap/eslz-identity-and-access-management.md @@ -43,8 +43,6 @@ Here are common administration and management activities of SAP on Azure: - Secure Network File System (NFS) communication between Azure NetApp Files and Azure Virtual Machines with [NFS client encryption using Kerberos](/azure/azure-netapp-files/configure-kerberos-encryption). Azure NetApp Files supports Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services for Microsoft Entra connections. Consider the [performance effect of Kerberos on NFS v4.1](/azure/azure-netapp-files/configure-kerberos-encryption#kerberos_performance). -- Secure the Network File System (NFS) communication between Azure NetApp Files and Azure Virtual Machines with NFS client encryption using Kerberos. Azure NetApp Files require either AD DS or Microsoft Entra Domain Services connection for Kerberos ticketing. Consider the performance effect of Kerberos on NFS v4.1. - - Secure Remote Function Call (RFC) connections between SAP systems with secure network communications (SNC) by using appropriate protection levels, like quality of protection (QoP). SNC protection generates some performance overhead. To protect RFC communication between application servers of the same SAP system, SAP recommends using network security instead of SNC. The following Azure services support SNC-protected RFC connections to an SAP target system: Providers of Azure Monitor for SAP Solutions, the self-hosted integration runtime in Azure Data Factory, and the on-premises data gateway in case of Power BI, Power Apps, Power Automate, Azure Analysis Services, and Azure Logic Apps. SNC is required to configure single sign-on (SSO) in these cases. ### SAP User governance and provisioning 
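Review bot: removing the duplicate is right, but the deleted copy carried the more precise statement of the Kerberos prerequisite ("Azure NetApp Files require either AD DS or Microsoft Entra Domain Services connection for Kerberos ticketing"), whereas the surviving bullet says it "supports Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services for Microsoft Entra connections", which reads as optional integration rather than a hard requirement for Kerberos-encrypted NFS. Fold the requirement wording into the kept bullet so readers do not conclude that a Microsoft Entra ID tenant alone is enough.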
@@ -75,6 +73,6 @@ Here are common administration and management activities of SAP on Azure: - Implement Microsoft Entra ID as identity provider for SAP systems hosted on RISE. For more information, see [Integrating the Service with Microsoft Entra ID](https://help.sap.com/docs/identity-authentication/identity-authentication/integrating-service-with-microsoft-azure-ad). - For applications that access SAP, use [principal propagation to establish SSO](https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md). -- If you're using SAP BTP services or SaaS solutions that require SAP Cloud Identity Service, Identity Authentication (IAS), [use implementing SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID](/entra/fundamentals/scenario-azure-first-sap-identity-integration) to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Microsoft Entra ID as the central user store and identity provider. +- If you're using SAP BTP services or SaaS solutions that require SAP Cloud Identity Service, Identity Authentication (IAS), [implement SSO between SAP Cloud Identity Authentication Services and Microsoft Entra ID](/entra/fundamentals/scenario-azure-first-sap-identity-integration) to access those SAP services. This integration lets SAP IAS act as a proxy identity provider and forwards authentication requests to Microsoft Entra ID as the central user store and identity provider. - If you're using SAP SuccessFactors, use Microsoft Entra ID [automated user provisioning](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial). With this integration, as you add new employees to SAP SuccessFactors, you can automatically create their user accounts in Microsoft Entra ID. Optionally, you can create user accounts in Microsoft 365 or other SaaS applications that are supported by Microsoft Entra ID. 
Use write-back of the email address to SAP SuccessFactors. From fb86949758721a235707ed55837f8b47ffaf4e77 Mon Sep 17 00:00:00 2001 From: Chad Kittel Date: Fri, 20 Dec 2024 08:04:14 -0600 Subject: [PATCH 4/5] Apply suggestions from code review --- docs/scenarios/sap/eslz-identity-and-access-management.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/scenarios/sap/eslz-identity-and-access-management.md b/docs/scenarios/sap/eslz-identity-and-access-management.md index 7e34dd12a1..d4e9b75d2f 100644 --- a/docs/scenarios/sap/eslz-identity-and-access-management.md +++ b/docs/scenarios/sap/eslz-identity-and-access-management.md @@ -45,7 +45,7 @@ Here are common administration and management activities of SAP on Azure: - Secure Remote Function Call (RFC) connections between SAP systems with secure network communications (SNC) by using appropriate protection levels, like quality of protection (QoP). SNC protection generates some performance overhead. To protect RFC communication between application servers of the same SAP system, SAP recommends using network security instead of SNC. The following Azure services support SNC-protected RFC connections to an SAP target system: Providers of Azure Monitor for SAP Solutions, the self-hosted integration runtime in Azure Data Factory, and the on-premises data gateway in case of Power BI, Power Apps, Power Automate, Azure Analysis Services, and Azure Logic Apps. SNC is required to configure single sign-on (SSO) in these cases. -### SAP User governance and provisioning +### SAP user governance and provisioning - Consider that a migration to Azure might be an opportunity to review and realign identity and access management processes. Review the processes in your SAP landscape and the processes at your enterprise level: - Review the SAP dormant user lockout policies. 
@@ -56,7 +56,7 @@ Here are common administration and management activities of SAP on Azure: - Consider Microsoft Entra provisioning service to automatically provision and deprovision users and groups to [SAP Analytics Cloud](/azure/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial), [SAP Identity Authentication](/azure/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial) and more SAP services. -- Consider provisioning users from [SuccessFactors](/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial) into Microsoft Entra ID, with optional write-back of email address to SuccessFactors. +- Consider provisioning users from [SuccessFactors](/entra/identity/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial) into Microsoft Entra ID, with optional write-back of email address to SuccessFactors. ## Design recommendations From 1159e5ca78130937f167d6d574c0d1e4385e2c63 Mon Sep 17 00:00:00 2001 From: Courtney Wales <62625502+Court72@users.noreply.github.com> Date: Mon, 6 Jan 2025 08:33:41 -0700 Subject: [PATCH 5/5] Apply suggestions from PR review --- docs/scenarios/sap/eslz-identity-and-access-management.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/scenarios/sap/eslz-identity-and-access-management.md b/docs/scenarios/sap/eslz-identity-and-access-management.md index d4e9b75d2f..aeea4c0a84 100644 --- a/docs/scenarios/sap/eslz-identity-and-access-management.md +++ b/docs/scenarios/sap/eslz-identity-and-access-management.md 
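Review bot: patch 4 moves the SuccessFactors link to the `/entra/identity/saas-apps/...` path, but the two provisioning links in the preceding context line (`/azure/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial` and `.../sap-cloud-platform-identity-authentication-provisioning-tutorial`) and the SSO links under design recommendations stay on the legacy `/azure/active-directory/` path. Redirects cover them today, but mixing both forms in one file invites drift; either update all of them in this PR or keep the SuccessFactors link on the legacy path for consistency.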
@@ -52,9 +52,9 @@ Here are common administration and management activities of SAP on Azure: - Review the SAP user password policy and align it with Microsoft Entra ID. - Review the leavers, movers, and starters (LMS) procedures and align them with Microsoft Entra ID. If you're using SAP Human Capital Management (HCM), SAP HCM likely drives the LMS process. -- Consider using [SAP principal propagation](/power-platform/sap/connect/entra-id-apim-oauth) to forward an Microsoft identity to your SAP landscape. +- Consider using [SAP principal propagation](/power-platform/sap/connect/entra-id-apim-oauth) to forward a Microsoft identity to your SAP landscape. -- Consider Microsoft Entra provisioning service to automatically provision and deprovision users and groups to [SAP Analytics Cloud](/azure/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial), [SAP Identity Authentication](/azure/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial) and more SAP services. +- Consider Microsoft Entra provisioning service to automatically provision and deprovision users and groups to [SAP Analytics Cloud](/azure/active-directory/saas-apps/sap-analytics-cloud-provisioning-tutorial), [SAP Identity Authentication](/azure/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial), and more SAP services. - Consider provisioning users from [SuccessFactors](/entra/identity/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial) into Microsoft Entra ID, with optional write-back of email address to SuccessFactors.
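Review bot: "to forward a Microsoft identity to your SAP landscape" is still vague about which identity is forwarded; the link slug (`entra-id-apim-oauth`) indicates a Microsoft Entra ID identity, so "to forward the signed-in Microsoft Entra ID user to your SAP landscape" would make the bullet concrete. The Oxford comma fix in the same hunk is fine as is.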