Status

  Pending SteerCo Review

Owner

  HEALY-ext, Michael

Stakeholders

Issue

Problem Statement

The organization currently utilizes SailPoint & IAS for identity management; however, it has been determined that SailPoint does not align with our long-term strategic vision for managing external (B2B) identities. The business urgently requires a centralized, purpose-built platform to manage a rapidly growing footprint of over 30,000 external identities. Currently, Syensqo lacks a scalable solution capable of efficiently handling the lifecycle, governance, and seamless authentication of this volume of external partners, vendors, and clients.


Why a Decision is Required

A formal architectural decision is required to select and adopt a new B2B identity management platform. To future-proof Syensqo's infrastructure, the chosen solution must natively align with our current Microsoft-focused technology stack (specifically Azure). Furthermore, it must possess the out-of-the-box capability to scale seamlessly across our core enterprise SaaS ecosystem, including deep integration with SAP and Salesforce.

Business and Technical Problems Addressed

This decision will directly address the following critical gaps:

  • Scale and Performance: Replaces an unscalable external identity process with a cloud-native solution designed to handle 30,000+ concurrent B2B identities without performance degradation or administrative bottlenecks.

  • Lack of Centralization: Resolves the issue of fragmented identity stores by providing a single, unified control plane to govern all external identities and access rights.

  • Internal vs. External Segregation: Establishes a clear, secure architectural boundary between internal (employee) identities and external (B2B) identities, fundamentally reducing risk and simplifying compliance.

  • Frictionless Integration: Ensures out-of-the-box, standards-based integration (e.g., SAML/OIDC) with Azure, SAP, and Salesforce, eliminating customized point-to-point connections.


Recommendation

Recommendation: Implementation of Microsoft Entra (specifically utilizing Entra External ID and Entra ID Governance).

Strategic Rationale

For an organization committed to a Microsoft-first technology strategy, maintaining a disparate third-party identity platform like SailPoint for B2B users creates unnecessary architectural complexity, licensing overlap, and integration overhead. Adopting Microsoft Entra as Syensqo's unified identity control plane is the most logical and future-proof path to manage the scale of 30,000+ external identities.

This recommendation is driven by three core architectural pillars:

1. Ecosystem Consolidation & Native Microsoft Alignment - By leveraging Microsoft Entra, the business centralizes its identity and access management directly within the Azure fabric Syensqo already owns and operates. This inherently reduces technical debt and eliminates the need to build and maintain custom connectors. Crucially, it allows the organization to govern external partner access using the exact same enterprise security framework (e.g., Conditional Access, continuous threat monitoring, Zero Trust policies) that currently protects Syensqo's internal Microsoft 365 and Azure environments.

2. Scalable B2B Segregation - Managing an ecosystem of over 30,000 external partners, vendors, and clients requires a purpose-built architecture. Entra External ID establishes a secure, logical boundary between internal employees and external entities, ensuring Syensqo's core employee directory remains unpolluted. Furthermore, it shifts the massive operational burden away from internal IT through a "Bring Your Own Identity" (BYOI) model—allowing external users to securely authenticate using their own organization's credentials—while Entra ID Governance natively automates the onboarding, access review, and offboarding lifecycle.

3. Frictionless Enterprise SaaS Integration (SAP & Salesforce) - While embedded in the Microsoft ecosystem, Entra acts as a highly capable, vendor-agnostic identity broker. It features deep, out-of-the-box integrations built specifically for top-tier enterprise platforms like SAP (via SAP Cloud Identity Services) and Salesforce. Entra utilizes open standards (SAML, OIDC, SCIM) to ensure that when an external identity is approved or terminated in Azure, their access is automatically provisioned or revoked downstream in SAP and Salesforce, guaranteeing a single source of truth across the business.


Background & Context


Assumptions


Constraints


Impacts


Financial Impact



Business Rules


Options considered

Option A: 


Option B: 


Option C: 


Option D: 


Evaluation



Option A

Option B
Option C
Option D
Criterion 1

(plus)Pro

(minus)Con

(plus)Pro

(plus)Pro

(plus)Pro

(minus)Con

(plus)Pro

(minus)Con

Criterion 2

(plus)Pro

(minus)Con

(minus)Con

(plus)Pro

(plus)Pro

(minus)Con

(minus)Con

Criterion 3 | (plus) Pro | (minus) Con | (minus) Con | (plus) Pro

See also



Change log

Version Published Changed By Comment
CURRENT (v. 1) Apr 08, 2026 10:07 WENNINGER-ext, Sascha
v. 19 Mar 25, 2026 21:18 HEALY-ext, Michael
v. 18 Mar 25, 2026 21:14 HEALY-ext, Michael
v. 17 Mar 25, 2026 21:08 HEALY-ext, Michael
v. 16 Mar 25, 2026 20:59 HEALY-ext, Michael
v. 15 Mar 25, 2026 20:58 HEALY-ext, Michael
v. 14 Mar 24, 2026 12:40 HEALY-ext, Michael
v. 13 Mar 24, 2026 12:38 HEALY-ext, Michael
v. 12 Mar 24, 2026 10:16 HEALY-ext, Michael
v. 11 Mar 23, 2026 11:10 HEALY-ext, Michael
