Summary of SAP on Azure Authentication and Access

This course illustrates how to leverage Azure authentication and access features to simplify and streamline users' experience using SAP running on Azure infrastructure. Azure Active Directory supports single sign-on to SAP applications, while role-based access control, a fundamental building block of Azure Resource Manager, enables system administrators to allow access to and protect the resources hosting an SAP environment.

Learning Objectives

  • Underlying concepts of authentication and access in an Infrastructure as a Service environment
  • Learn the steps required to set up Azure Active Directory Authentication with SAP applications
  • Learn how to apply role-based access control to an SAP environment
  • Use resource locks to add an extra layer of security to your infrastructure

Intended Audience

This course is intended for anyone who wants to boost security for their SAP environments on Azure, through the use of authentication and access practices.


Prerequisites

There are no particular prerequisites required for this course other than a general understanding of user authentication and access.


When SAP is hosted on Azure, you don't want users to have to authenticate twice, once to gain access to the environment and again to use the applications. You integrate Azure Active Directory authentication through SAML XML with SAP applications to provide a seamless user experience.

The process for enabling single sign-on from Azure is very similar for most SAP applications and involves a few basic steps.

  1. Set up an Enterprise application corresponding to the SAP application you want to authenticate with Azure Active Directory. Do this by browsing the AAD enterprise application gallery.
  2. Assign Active Directory users to the Enterprise application.
  3. Configure single sign-on endpoints in the Enterprise application by entering them manually or using SAML XML downloaded from the SAP target application.
  4. Configure which user attribute or claim to use in the authentication process.
  5. Download federation metadata and/or certificates from Azure to establish trust with the target SAP application.

Azure cannot control what authenticated users can do once logged into an SAP application. However, Azure's role-based access control can specify what users can do within the landscape's infrastructure. Resources of all types can be protected with locks, which apply to any user. Locks can prevent unintended or accidental modifications to existing infrastructure.

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.