
Status: Pending SteerCo Review

Owner: HEALY-ext, Michael

Stakeholders:

Issue

Problem Statement

The organization currently utilizes SailPoint & IAS for identity management; however, it has been determined that SailPoint does not align with our long-term strategic vision for managing external (B2B) identities. The business urgently requires a centralized, purpose-built platform to manage a rapidly growing footprint of over 30,000 external identities. Currently, Syensqo lacks a scalable solution capable of efficiently handling the lifecycle, governance, and seamless authentication of this volume of external partners, vendors, and clients.


Why a Decision is Required

A formal architectural decision is required to select and adopt a new B2B identity management platform. To future-proof Syensqo's infrastructure, the chosen solution must natively align with our current Microsoft-focused technology stack (specifically Azure). Furthermore, it must possess the out-of-the-box capability to scale seamlessly across our core enterprise SaaS ecosystem, including deep integration with SAP and Salesforce.

Business and Technical Problems Addressed

This decision will directly address the following critical gaps:

  • Scale and Performance: Replaces an unscalable external identity process with a cloud-native solution designed to handle 30,000+ concurrent B2B identities without performance degradation or administrative bottlenecks.

  • Lack of Centralization: Resolves the issue of fragmented identity stores by providing a single, unified control plane to govern all external identities and access rights.

  • Internal vs. External Segregation: Establishes a clear, secure architectural boundary between internal (employee) identities and external (B2B) identities, fundamentally reducing risk and simplifying compliance.

  • Frictionless Integration: Ensures out-of-the-box, standards-based integration (e.g., SAML/OIDC) with Azure, SAP, and Salesforce, eliminating customized point-to-point connections.


Recommendation

Recommendation: Implement Microsoft Entra (specifically utilizing Entra External ID and Entra ID Governance).

Strategic Rationale

For an organization committed to a Microsoft-first technology strategy, maintaining a disparate third-party identity platform like SailPoint for B2B users creates unnecessary architectural complexity, licensing overlap, and integration overhead. Adopting Microsoft Entra as Syensqo's unified identity control plane is the most logical and future-proof path to manage the scale of 30,000+ external identities.

This recommendation is driven by three core architectural pillars:

1. Ecosystem Consolidation & Native Microsoft Alignment - By leveraging Microsoft Entra, the business centralizes its identity and access management directly within the Azure fabric Syensqo already owns and operates. This inherently reduces technical debt and eliminates the need to build and maintain custom connectors. Crucially, it allows the organization to govern external partner access using the exact same enterprise security framework (e.g., Conditional Access, continuous threat monitoring, Zero Trust policies) that currently protects Syensqo's internal Microsoft 365 and Azure environments.

2. Scalable B2B Segregation - Managing an ecosystem of over 30,000 external partners, vendors, and clients requires a purpose-built architecture. Entra External ID establishes a secure, logical boundary between internal employees and external entities, ensuring Syensqo's core employee directory remains unpolluted. Furthermore, it shifts the massive operational burden away from internal IT through a "Bring Your Own Identity" (BYOI) model—allowing external users to securely authenticate using their own organization's credentials—while Entra ID Governance natively automates the onboarding, access review, and offboarding lifecycle.

3. Frictionless Enterprise SaaS Integration (SAP & Salesforce) - While embedded in the Microsoft ecosystem, Entra acts as a highly capable, vendor-agnostic identity broker. It features deep, out-of-the-box integrations built specifically for top-tier enterprise platforms like SAP (via SAP Cloud Identity Services) and Salesforce. Entra utilizes open standards (SAML, OIDC, SCIM) to ensure that when an external identity is approved or terminated in Azure, their access is automatically provisioned or revoked downstream in SAP and Salesforce, guaranteeing a single source of truth across the business.


Background & Context

Syensqo operates within a complex, multi-tenanted enterprise environment with a substantial Microsoft-first cloud strategy anchored in Azure. The organization currently manages over 30,000 external identities—including partners, vendors, contractors, clients, and ecosystem participants—across multiple geographies and business units.

Historically, Syensqo relied on SailPoint Identity Governance as its primary identity and access management (IAM) platform, supplemented by Microsoft Entra ID (formerly Azure AD) for employee identity governance. However, SailPoint was architected primarily for managing internal employee lifecycles and has proven inadequate for the scale, speed, and unique requirements of managing B2B external identities.

The organization's core enterprise applications—SAP ERP, Salesforce, Microsoft 365, and Azure—require seamless, standards-based identity provisioning and access controls. The current point-to-point integration architecture is brittle, difficult to maintain, and fails to provide a unified governance posture across internal and external user bases.

Recent business growth, increased M&A activity, and expanded partner ecosystems have accelerated the external identity footprint beyond SailPoint's operational scalability. This has created an urgent business need to adopt a purpose-built, cloud-native B2B identity solution that can operate at scale while maintaining enterprise-grade security and compliance.


Assumptions

    Technology & Architecture

    • Syensqo is committed to a long-term Microsoft-first cloud strategy with Azure as the primary cloud platform and Microsoft 365 as the foundation for employee productivity.
    • Microsoft Entra External ID will remain the strategic platform for B2B identity management throughout the planning horizon (minimum 3–5 years), with no material shifts anticipated in Microsoft's roadmap for external identity capabilities.
    • Azure remains operationally and financially viable as the organization's primary cloud platform; no material shift to multi-cloud or alternative cloud providers is anticipated.
    • Microsoft Entra ID Governance licensing and capabilities will continue to be available and supported; no significant licensing model changes are anticipated.
    • Open identity standards (SAML 2.0, OIDC, SCIM) will continue to be the primary integration mechanism across SAP, Salesforce, and other enterprise SaaS platforms.
    • Azure infrastructure and managed services (App Service, Function Apps, etc.) will remain available at current or competitive pricing.

    Organizational & Operational

    • The organization will establish and fund a dedicated Cloud Identity team with expertise in Microsoft Entra, SCIM provisioning, and enterprise identity architecture; existing SailPoint expertise will be re-allocated or phased out.
    • Business stakeholders will accept and adopt a 'Bring Your Own Identity' (BYOI) model for external users, requiring cultural shift and change management; legacy password-based authentication for external users will be deprecated.
    • External user onboarding and offboarding processes will be re-engineered to align with Entra's lifecycle workflows and governance models; business units will adopt standardized processes rather than custom workarounds.
    • Regulatory and compliance frameworks (GDPR, SOC 2, industry-specific certifications) will remain stable; no material new compliance requirements are anticipated that would invalidate Entra's suitability.

    Financial & Commercial

    • Microsoft Entra ID Governance licensing costs will remain within acceptable bounds; no material price increases beyond standard annual inflation are anticipated.
    • SailPoint contract terms permit exit without material financial penalty or can be renegotiated; license sunk costs are accepted as a migration expense.
    • Internal IT and security teams will accept the operational cost of managing a separate external identity platform alongside the internal employee identity system (dual management model) as a strategic necessity.
    • The organization has sufficient capital and operational budget to fund both the migration program and ongoing operational overhead for the planned 5-year period.

    Risk & Compliance

    • Microsoft Entra External ID meets all applicable data residency, sovereignty, and regulatory requirements (e.g., GDPR, CCPA, industry-specific data protection mandates) for all geographies in which Syensqo operates.
    • No material regulatory changes that would materially restrict or prohibit cloud-based B2B identity management are anticipated during the planning horizon.
    • Microsoft Entra's security posture, threat detection, and compliance certifications will remain at or above industry standards and will satisfy audit and compliance requirements.


Constraints

Feature & Functional Constraints

  • Microsoft Entra External ID is optimized for cloud-native B2B scenarios and OAuth/OIDC flows. Organizations with significant on-premises applications requiring LDAP or proprietary authentication protocols may require additional middleware or custom connectors, increasing complexity and maintenance burden.
  • Entra's access lifecycle workflows, while comprehensive, are less flexible than purpose-built IAM platforms for highly customized, business-process-specific approval hierarchies or conditional access rules. Complex approval chains involving external approvers or multi-stage hierarchical reviews may require custom Logic App extensions.
  • Entra's out-of-the-box user attribute mapping and provisioning is constrained by SCIM schema limitations. Organizations requiring bespoke user attribute transformations or tenant-specific data enrichment may incur development overhead.
  • Entra's native integration with SAP is mediated through SAP Cloud Identity Services; direct, native integration with SAP ERP is not available. This introduces an additional identity broker in the architecture, adding complexity to the provisioning pipeline.

Operational & Organizational Constraints

  • Entra's governance capabilities require adoption of a dual-identity-platform model: internal employees remain managed via Entra (core), while external identities are managed via Entra External ID. This introduces operational overhead and requires distinct team expertise.
  • Organizations cannot consolidate internal and external user directories into a single Entra directory without material security and data governance implications. A separate, dedicated directory for external identities is a mandatory architectural constraint.
  • Entra ID Governance's access review and attestation workflows rely heavily on business rule configuration and custom extensions; there is no 'low-code' UI for complex governance scenarios, limiting self-service capability for business unit admins.
  • Bring Your Own Identity (BYOI) models require that external organizations maintain active Azure AD or Microsoft Account infrastructure. External partners without existing Microsoft identity infrastructure will require credential issuance, creating a support burden.

Licensing & Cost Constraints

  • Microsoft Entra ID Governance licensing is consumed on a Monthly Active User (MAU) basis for guest users. Organizations with highly volatile external user populations (frequent additions/removals) may experience unpredictable monthly costs.
  • Premium Entra features (advanced access reviews, lifecycle workflows, custom extensions) require Microsoft Entra Suite or standalone Entra ID Governance licenses at tier-2 or tier-3 pricing, limiting the ability to manage large external populations cost-effectively.
  • Entra licensing does not include dedicated support for third-party application connectors (e.g., custom SAP or Salesforce integrations); professional services or custom development may be required, incurring additional cost.

Integration & Platform Constraints

  • Salesforce integration relies on SAML or OIDC via Entra; Salesforce does not natively support SCIM-based user provisioning to the standard Salesforce org. Attribute synchronization and user lifecycle updates may require manual configuration or custom Salesforce automation.
  • SAP integration is achieved via SAP Cloud Identity Services as an intermediary. Direct, real-time provisioning updates from Entra to on-premises SAP systems (e.g., SAP ERP running on-premises) may require additional middleware or API gateways.
  • Entra's conditional access policies are limited to Azure/Microsoft 365 environments; enforcing conditional access rules on external user access to third-party SaaS applications (SAP, Salesforce) requires additional third-party solutions or custom integrations.


Impacts

Identity Architecture & Infrastructure

  • Entra Directory Structure: A dedicated, separate Microsoft Entra directory will be created for external identities, isolated from the employee directory. This creates a clear security boundary but requires dual directory management and governance.
  • Provisioning Pipelines: SAP and Salesforce provisioning workflows must be re-architected to consume identity and access data from Entra External ID via SCIM provisioning agents and API connectors. Existing SailPoint connectors will be deprecated and decommissioned.
  • On-Premises Identity Sync: Any on-premises AD/LDAP systems currently synchronized with SailPoint will require re-architecture or consolidation; hybrid identity scenarios must be carefully planned to avoid directory pollution.

SAP Ecosystem Impact

  • SAP User Provisioning: All external user provisioning to SAP systems (including User Master, role assignments, and system access) must be re-routed through Entra → SAP Cloud Identity Services → SAP. This introduces a new intermediary in the provisioning chain.
  • SAP Access Reviews & Governance: Attestation workflows for SAP user access must be integrated with Entra ID Governance access reviews; existing SailPoint audit logs will no longer be authoritative.
  • SAP Compliance & Audit: SAP audit trails, system logs, and compliance reports must be reconfigured to reflect identity changes sourced from Entra External ID rather than SailPoint. Audit trail continuity across the migration must be carefully managed.
  • SAP On-Premises vs. Cloud: If Syensqo operates both on-premises SAP ERP and cloud-based SAP solutions (e.g., SAP SuccessFactors, SAP Analytics Cloud), provisioning strategies may differ; each platform must be evaluated individually for Entra integration maturity.

Salesforce Ecosystem Impact

  • Salesforce User Provisioning: External user provisioning to Salesforce orgs must be implemented via SAML/OIDC SSO and custom Salesforce automation (e.g., workflows, Flows) to handle user lifecycle events (create, update, deactivate). Native SCIM support is limited.
  • Salesforce License Consumption: External user access to Salesforce may consume Salesforce licenses (e.g., Partner Community, Customer Community licenses) depending on the use case; license planning and cost optimization are critical.
  • Salesforce Metadata & Config: Entra attribute mappings must align with Salesforce user attributes (e.g., custom fields, profile assignments); any mismatch will require custom Salesforce development or middleware transformation logic.

Data Migration & Cutover

  • Legacy External User Data: All historical external user records, attributes, and access assignments currently stored in SailPoint must be extracted, transformed, and migrated to Entra External ID. Data cleansing and validation are critical to prevent access control errors.
  • Access Rights Migration: All existing access package assignments, group memberships, and role assignments for external users must be re-created in Entra; this is a manual, time-intensive effort if not fully automated.
  • Historical Audit Trail: SailPoint audit logs and historical identity change records must be preserved for compliance and forensic purposes; this data may need to be exported and archived separately.

Organizational & Governance

  • Identity Governance Team: Existing SailPoint-focused identity team members must upskill on Entra External ID, SCIM provisioning, and lifecycle workflows. SailPoint expertise will become obsolete.
  • Business Process Re-engineering: External user onboarding workflows (e.g., HR systems, vendor management platforms) must be re-engineered to trigger Entra provisioning actions; current SailPoint integrations will be deprecated.
  • Change Management: External partners and employees must be informed of and trained on new authentication methods (e.g., BYOI, MFA); legacy password-based access will be phased out.
  • Governance Council: Entra-specific governance decisions (e.g., access review cadence, approval hierarchies, external sponsorship models) must be established and communicated to business stakeholders.

Security & Compliance

  • Conditional Access: New Conditional Access policies must be designed and deployed to enforce Zero Trust principles for external users (e.g., device compliance, location-based restrictions, risk-based adaptive auth).
  • Audit & Logging: All Entra identity events, provisioning actions, and access reviews must be logged to Azure Log Analytics and integrated with SIEM/security monitoring platforms. Existing SailPoint SIEM integrations must be replaced.
  • Compliance Attestation: Audit and compliance teams must validate that Entra External ID meets all applicable regulatory requirements (GDPR, SOC 2, industry-specific mandates) in all operating regions.

In-Flight Projects & Dependencies

  • Any active projects involving identity management, access control, or provisioning changes must be assessed for impact and either aligned with the Entra migration or deferred until post-migration.
  • Planned cloud migrations or SAP/Salesforce upgrades should be sequenced carefully to avoid collision with the Entra deployment; careful project roadmap alignment is required.


Financial Impact

Implementation Costs

The primary implementation costs associated with this decision fall into three categories. First, professional services and internal effort required to design, configure, and deploy the Entra External ID and Entra ID Governance environment — including tenant configuration, Conditional Access policy design, access package and catalog structure, lifecycle workflow development, and the build-out of SCIM-based provisioning flows to SAP and Salesforce. Second, the data cleansing and migration effort to extract external identities from SailPoint, remediate data quality issues, and onboard those identities into Entra with correctly mapped attributes, entitlements, and governance policies. Third, upskilling and training costs for the IAM team and broader IT operations staff who must develop competency in Entra ID Governance administration alongside their existing SailPoint expertise.

Licensing and Subscription Costs

The ongoing licensing model introduces a shift in cost structure. Internal employee governance remains on existing SailPoint licensing, which is unaffected. For external identities, Syensqo must maintain the prerequisite Microsoft Entra ID P1 or P2 subscription at the tenant level, the Entra ID Governance product subscription, and — critically — the Microsoft Entra ID Governance for Guests add-on, which operates on a consumption-based Monthly Active User (MAU) billing model rather than a fixed per-seat cost. This means the external identity governance cost will fluctuate month to month based on the number of guest users actively triggering billable governance events. While this model can be cost-efficient during periods of low activity, it introduces a degree of financial variability that must be monitored and forecasted, particularly as the external identity population grows beyond the current 30,000 baseline. An Azure subscription must also be linked to the tenant to enable guest billing.

Operational Costs

On an ongoing basis, Syensqo will bear the operational cost of managing a dual-platform identity governance model — SailPoint for internal and Entra for external. This includes the administrative overhead of maintaining two sets of operational procedures, two sets of integrations into downstream systems like SAP and Salesforce, and consolidated reporting across both platforms for audit and compliance purposes. However, this is partially offset by the reduction in operational burden that Entra's self-service and automation capabilities introduce — particularly the BYOI model, automated lifecycle workflows, and delegated access package management, all of which reduce the manual effort currently required to manage external identities.

Cost Offsets and Efficiencies

The decision is expected to deliver cost efficiencies over time by eliminating the need for custom-built connectors and manual processes that currently support external identity management within SailPoint. The native alignment with Syensqo's existing Microsoft investment reduces integration overhead and avoids the licensing overlap of maintaining a third-party platform for a function that can be delivered within the incumbent ecosystem. The extent of these savings will depend on the volume and complexity of external identity operations that are successfully automated through Entra's governance capabilities.


Business Rules

The following business rules are derived from this decision and must be enforced through platform configuration, policy, and operational procedure.

Identity Platform Segregation

All external (B2B) identities — including partners, vendors, clients, and any non-employee entity — must be created, managed, and governed exclusively within Microsoft Entra External ID. No new external identity may be provisioned within SailPoint. SailPoint remains the sole governance platform for internal (employee) identities. An identity cannot be governed by both platforms simultaneously.

Guest User Type Classification

Every external identity onboarded into the Entra tenant must be assigned a userType of Guest. Under no circumstances may an external user be provisioned as a Member within the core employee directory. This classification is non-negotiable and underpins both the architectural segregation model and the guest billing mechanism.

Access Must Be Package-Based

Access to downstream systems — including SAP, Salesforce, Microsoft 365 resources, and any other integrated application — must not be granted to external users on an ad hoc or manual basis. All external user access must be assigned through a defined Entra ID Governance access package with an associated policy that specifies approval requirements, duration, and review cadence. Direct role or group assignment outside of the access package model is not permitted for external identities.

Bring Your Own Identity as Default Authentication

External users must authenticate using their own organization's identity provider wherever possible under the BYOI model. Federated authentication via SAML 2.0 or OIDC is the preferred and default method. Email one-time passcode or local account authentication may only be used as a fallback for partners who do not operate a compatible identity provider, and this exception must be documented and reviewed periodically.

Sponsorship and Approval Required for Onboarding

No external identity may be onboarded without a designated internal sponsor. Every access package policy for external users must include at least one approval stage with a named sponsor or delegated approver from the relevant business unit. Self-approval by the requesting external user is not permitted.

Time-Bound Access with Mandatory Review

All access granted to external identities must be time-bound. Open-ended or permanent access assignments are not permitted for B2B users. Every access package assignment must carry a defined expiry period, and recurring access reviews must be configured to ensure that continued access is re-certified by the appropriate business owner or sponsor at a defined cadence. Failure to complete a review within the defined window must result in automatic revocation of access.

Automated Lifecycle Enforcement

External identity lifecycle events — onboarding, access modification, and offboarding — must be managed through Entra ID Governance lifecycle workflows and entitlement management policies, not through manual administrative action. When an external user's engagement with Syensqo ends or their access package assignment expires without renewal, their access to all downstream systems must be automatically revoked and their guest account must be disabled or removed in accordance with the defined offboarding workflow.

Provisioning and Deprovisioning Must Be Automated

The provisioning and deprovisioning of external user accounts in downstream systems — specifically SAP (via SAP Cloud Identity Services) and Salesforce (via the SCIM connector) — must be automated through Entra. Manual creation or removal of external user accounts directly within SAP or Salesforce is not permitted. The Entra directory must remain the single source of truth for external identity status, and downstream systems must reflect changes propagated from Entra.

No Governance Without Billing Enablement

The Microsoft Entra ID Governance for Guests add-on must remain enabled and linked to an active Azure subscription at all times. Governance features for external users — including access reviews, entitlement management policies scoped to guests, and lifecycle workflows — are non-functional without this billing linkage. Allowing the add-on to lapse or become disconnected is treated as a critical operational failure.

Consolidated Audit and Compliance Reporting

Identity governance evidence for audit and regulatory purposes must be producible from both SailPoint (for internal identities) and Entra (for external identities). A consolidated reporting mechanism or process must be established and maintained to ensure that auditors receive a complete and coherent view of Syensqo's identity governance posture without requiring independent interrogation of each platform.

Data Quality Standards for External Identities

External identity records in Entra must meet defined minimum data quality standards before being granted access to any downstream system. At a minimum, each record must include a verified external email address, a mapped organizational affiliation, a designated internal sponsor, and correctly populated attributes required for downstream provisioning. Records that do not meet these standards must be quarantined and remediated before access is provisioned.
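As an added example (not part of this decision record and not Microsoft or Syensqo tooling), the following Python pre-provisioning gate applies the rules above in one place: Guest classification, package-based and time-bound access, mandatory internal sponsor, and the minimum data quality standard, so that a record is either released for provisioning or quarantined with the reasons. The record field names, the required attribute set, the reference date and the sample records are constructed assumptions.

```python
from datetime import date

# Constructed reference date so the checks are deterministic; a real run
# would use date.today().
REFERENCE_DATE = date(2026, 4, 1)

# Attributes that downstream provisioning (SAP, Salesforce) must find
# populated. Hypothetical set; the real list follows the chosen mappings.
REQUIRED_PROVISIONING_ATTRS = ("displayName", "companyName", "country")


def validate_record(rec, today=REFERENCE_DATE):
    """Return the rule violations for one record; an empty list means ready."""
    problems = []
    # Guest classification: an external identity is never a Member.
    if rec.get("userType") != "Guest":
        problems.append("userType must be Guest")
    # Data quality: verified external email, organisation, internal sponsor,
    # and the attributes downstream provisioning needs.
    if "@" not in rec.get("mail", "") or not rec.get("mailVerified", False):
        problems.append("verified external email required")
    if not rec.get("organization"):
        problems.append("organizational affiliation missing")
    if not rec.get("sponsor"):
        problems.append("internal sponsor missing")
    missing = [a for a in REQUIRED_PROVISIONING_ATTRS if not rec.get(a)]
    if missing:
        problems.append("missing provisioning attributes: " + ", ".join(missing))
    # Access model: access package only, every assignment time-bound, and an
    # assignment whose expiry has passed is flagged for revocation.
    assignments = rec.get("assignments", [])
    if not assignments:
        problems.append("no access package assignment")
    for a in assignments:
        pkg = a.get("accessPackage")
        if not pkg:
            problems.append("direct assignment outside access package model")
            continue
        expiry = a.get("expiresOn")
        if expiry is None:
            problems.append(f"{pkg}: open-ended assignment not permitted")
        elif expiry < today:
            problems.append(f"{pkg}: assignment expired, revoke access")
    return problems


def triage(records, today=REFERENCE_DATE):
    """Split records into ids ready to provision and a quarantine map of
    id -> violations that must be remediated before any access is granted."""
    ready, quarantine = [], {}
    for rec in records:
        problems = validate_record(rec, today)
        if problems:
            quarantine[rec["id"]] = problems
        else:
            ready.append(rec["id"])
    return ready, quarantine


# Constructed sample records (not real identities), shaped like an export
# prepared for migration into the external directory.
SAMPLE_RECORDS = [
    {"id": "ext-001", "userType": "Guest", "mail": "a.vendor@example-partner.com",
     "mailVerified": True, "organization": "Example Partner Ltd",
     "sponsor": "sponsor.one@example.com", "displayName": "A. Vendor",
     "companyName": "Example Partner Ltd", "country": "BE",
     "assignments": [{"accessPackage": "SAP-Vendor-Portal",
                      "expiresOn": date(2026, 9, 30)}]},
    {"id": "ext-002", "userType": "Member", "mail": "b.client@example-client.com",
     "mailVerified": True, "organization": "Example Client SA", "sponsor": "",
     "displayName": "B. Client", "companyName": "Example Client SA",
     "country": "FR",
     "assignments": [{"accessPackage": "Salesforce-Partner-Community",
                      "expiresOn": None}]},
    {"id": "ext-003", "userType": "Guest", "mail": "c.contractor@example-co.com",
     "mailVerified": False, "organization": "Example Co",
     "sponsor": "sponsor.two@example.com", "displayName": "C. Contractor",
     "companyName": "Example Co", "country": "DE",
     "assignments": [{"group": "SAP-Users"},
                     {"accessPackage": "SAP-Vendor-Portal",
                      "expiresOn": date(2025, 12, 31)}]},
]
```

Running `triage(SAMPLE_RECORDS)` releases only ext-001; ext-002 is held for the Member classification, missing sponsor and open-ended assignment, and ext-003 for the unverified email, the direct group assignment and the expired package.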


Options considered

Option A: 


Option B: 


Option C: 


Option D: 


Evaluation



Change log

Version Published Changed By Comment
CURRENT (v. 2) Apr 08, 2026 10:07 WENNINGER-ext, Sascha
v. 19 Mar 25, 2026 21:18 HEALY-ext, Michael
v. 18 Mar 25, 2026 21:14 HEALY-ext, Michael
v. 17 Mar 25, 2026 21:08 HEALY-ext, Michael
v. 16 Mar 25, 2026 20:59 HEALY-ext, Michael
v. 15 Mar 25, 2026 20:58 HEALY-ext, Michael
v. 14 Mar 24, 2026 12:40 HEALY-ext, Michael
v. 13 Mar 24, 2026 12:38 HEALY-ext, Michael
v. 12 Mar 24, 2026 10:16 HEALY-ext, Michael
v. 11 Mar 23, 2026 11:10 HEALY-ext, Michael
