| Status | |
|---|---|
| Owner | HEALY-ext, Michael |
| Stakeholders | |
Problem Statement
The organization currently uses SailPoint and IAS for identity management; however, it has been determined that SailPoint does not align with our long-term strategic vision for managing external (B2B) identities. The business urgently requires a centralized, purpose-built platform to manage a rapidly growing footprint of over 30,000 external identities. Syensqo currently lacks a scalable solution capable of efficiently handling the lifecycle, governance, and seamless authentication of this volume of external partners, vendors, and clients.
Why a Decision is Required
A formal architectural decision is required to select and adopt a new B2B identity management platform. To future-proof Syensqo's infrastructure, the chosen solution must natively align with our current Microsoft-focused technology stack (specifically Azure). Furthermore, it must possess the out-of-the-box capability to scale seamlessly across our core enterprise SaaS ecosystem, including deep integration with SAP and Salesforce.
Business and Technical Problems Addressed
This decision will directly address the following critical gaps:
Scale and Performance: Replaces an unscalable external identity process with a cloud-native solution designed to manage 30,000+ B2B identities without performance degradation or administrative bottlenecks.
Lack of Centralization: Resolves the issue of fragmented identity stores by providing a single, unified control plane to govern all external identities and access rights.
Internal vs. External Segregation: Establishes a clear, secure architectural boundary between internal (employee) identities and external (B2B) identities, fundamentally reducing risk and simplifying compliance.
Frictionless Integration: Ensures out-of-the-box, standards-based integration (SAML/OIDC for authentication, SCIM for provisioning) with Azure, SAP, and Salesforce, eliminating customized point-to-point connections.
Recommendation: Migrate to Microsoft Entra (specifically Entra External ID and Entra ID Governance).
Strategic Rationale
For an organization committed to a Microsoft-first technology strategy, maintaining a separate third-party identity platform like SailPoint for B2B users creates unnecessary architectural complexity, licensing overlap, and integration overhead. Adopting Microsoft Entra as Syensqo's unified identity control plane is the most logical and future-proof path to manage 30,000+ external identities.
This recommendation is driven by three core architectural pillars:
1. Ecosystem Consolidation & Native Microsoft Alignment - By leveraging Microsoft Entra, the business centralizes its identity and access management directly within the Azure fabric Syensqo already owns and operates. This reduces technical debt and eliminates the need to build and maintain custom connectors. Crucially, it allows the organization to govern external partner access using the same enterprise security framework (Conditional Access, continuous threat monitoring, Zero Trust policies) that currently protects Syensqo's internal Microsoft 365 and Azure environments.
2. Scalable B2B Segregation - Managing an ecosystem of over 30,000 external partners, vendors, and clients requires a purpose-built architecture. Entra External ID establishes a logical boundary between internal employees and external entities so that Syensqo's core employee directory is not polluted. Note that B2B collaboration guests are still user objects in the workforce tenant; the degree of separation actually achieved (guest objects in the workforce tenant versus a dedicated external tenant) must be fixed as a design constraint. Furthermore, it shifts the operational burden away from internal IT through a "Bring Your Own Identity" (BYOI) model, allowing external users to authenticate with their own organization's credentials, while Entra ID Governance natively automates the onboarding, access review, and offboarding lifecycle.
3. Frictionless Enterprise SaaS Integration (SAP & Salesforce) - While embedded in the Microsoft ecosystem, Entra acts as a capable, vendor-agnostic identity broker. It features out-of-the-box integrations built for top-tier enterprise platforms such as SAP (via SAP Cloud Identity Services) and Salesforce. Entra uses open standards (SAML, OIDC, SCIM) so that when an external identity is approved or terminated in Entra, its access is automatically provisioned or revoked downstream in SAP and Salesforce, maintaining a single source of truth across the business.
Explain the context in which the decision is being made.
Clearly describe the underlying assumptions which informed or limited the choices available, or impacted the decision: cost, schedule, regulatory requirements, business drivers, country footprint, technology, etc. Include links as necessary. This section is important because a future change in circumstances might invalidate some key assumptions, which then prompts a decision to be revisited.
Capture any constraints or limitations inherent to the recommended option. This could be aspects which, if changed or removed in future, could cause the decision to be revisited or invalidated. For example, a constraint might be that a new product has significant gaps in important functionality, which caused an older alternative to be recommended. If those gaps are closed in future, this might cause the decision to be invalidated.
Describe the impact of the decision on other aspects such as other processes, infrastructure, other SAP modules or systems, data cleansing and migration, developments, automations, interfaces, in-flight projects, etc.
Explain the financial impact of adopting the recommended option. This must explain both the implementation and operational aspects, i.e. both the effort & cost of implementing and operating longer-term.
The decision may translate into business rules which enforce the decision and will require configuration. List these business rules here. For example, "An Outline Agreement cannot be created via the RFQ process. An awarded RFQ can only result in a Purchase Order".
List the options (viable options or alternatives) you considered. These often require a longer explanation with diagrams, or references to other documents (links are best, but attachments are also possible). Use enough detail to adequately explain what you considered so that a project or business stakeholder reviewing this decision will not come back and ask "did you think about...?"; this leads to loss of credibility and questioning of other decisions. This section also helps ensure that you considered enough suitable alternatives rather than just copy/pasting SAP's recommendations.
Option A: Describe the option in sufficient detail for a reader familiar with the subject matter to understand it properly.
Option B: Describe the option in sufficient detail for a reader familiar with the subject matter to understand it properly.
Option C: Describe the option in sufficient detail for a reader familiar with the subject matter to understand it properly.
Option D: Describe the option in sufficient detail for a reader familiar with the subject matter to understand it properly.
Outline why you selected a position. The best format could be a pro/con table (sample below), but is up to you as the author. You must consider complexity, feasibility, cost/effort to implement, but also ongoing operational impact and cost. You must consider the program principles and explain any deviations in detail. This is probably as important as the decision itself.
| | Option A | Option B | Option C | Option D |
|---|---|---|---|---|
| Criterion 1 | | | | |
| Criterion 2 | | | | |
| Criterion 3 | | | | |
Insert links and references to other documents which are relevant when trying to understand this decision and its implications. Other decisions are often impacted, so it's good to list them here with links. Attachments are also possible but dangerous as they are static documents and not updated by their authors.
