Hi Peers, I’m Prem, an SAP MDG Techno-Functional Consultant. This is my first blog on SCN, and I wanted to share a genuine gap and a to-be use case in MDG. I didn’t want to rewrite SAP documentation. Instead, I aimed to provide a real insight into something I got my hands on, figured out, ran into issues with and ultimately got working.
In one of the client projects I’m working on, we needed to sync user information from the client’s Azure Active Directory with SAP. This meant keeping identity data up to date across both systems. The business wanted user profiles, contact details, and organizational data from Azure AD to be accessible in the MDG landscape without having data stewards enter it manually each time. The question was clear: how do we get SAP to read from Azure Active Directory? This led me to the ABAP SDK for Azure – an open-source toolkit supported by Microsoft. What began as a simple exploration turned into a full end-to-end integration. We set up SAP to authenticate with Azure AD using OAuth2, call the Microsoft Graph API, and pull live user data into the system.
The setup had its share of trial and error, a few configuration missteps, and some back and forth with IDs and certificates. What helped me get through it was the ABAP SDK for Azure repository on GitHub and the work its contributors have put into the documentation and demo programs. Solid resource – I’d recommend bookmarking it before you start.
However, after all these hiccups, it works now. Throughout this process, I gained a strong introductory understanding of OAuth2, SSL certificate management, cloud identity concepts, and, most importantly, what Azure Active Directory is and how it fits into an SAP MDG landscape.
Now, what is Azure Active Directory?
Azure Active Directory, recently renamed Microsoft Entra ID, is where most companies manage their employee identities. Each person in the organization has a profile there, including their name, email, department, job title, manager, and the applications they can access. It serves as the single source of truth for who works in the organization and what they are allowed to do. If SAP MDG is where your organization manages critical business master data, Azure AD is where it manages people data. Connecting the two ensures that your master data in SAP stays current and accurate, just like your HR directory.
The Real Gap
Azure AD has the people data, while SAP MDG has the business data. Both are within the same organization, but they do not communicate. Data stewards manually bridge this gap, which is not a data quality issue. It is an integration gap.
What becomes possible once SAP can communicate with Azure AD?
Here’s what opens up in MDG with this connection:
User onboarding: When a new employee is created in Azure AD, SAP reads that profile and automatically provisions their MDG roles and workflow assignments. No tickets or waiting involved.

Business Partner enrichment: Information like job title, department, phone number, and reporting manager resides in Azure AD. Instead of manual typing by data stewards, the system pulls this information directly. It becomes accurate and requires no manual input.

Contact validation: If a data steward enters a contact person on a vendor record, the system validates it against Azure AD in real time. It checks whether this person exists in the organization. If not, it raises a flag before the change request can proceed.

Dynamic workflow routing: Rather than having fixed approvers, the workflow reads the requestor’s manager directly from Azure AD. If the approver changes roles, the routing automatically adjusts.

Access governance: Periodically comparing MDG role assignments with Azure AD helps identify if someone has left the organization but still holds active MDG roles. These roles can then be flagged for removal. No more inactive users remaining in governance roles.
Five use cases, one integration, one endpoint.
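An added example (not from the original post or from the ABAP SDK for Azure) of the access-governance comparison described above, written in Python for brevity: it reconciles constructed MDG role assignments against constructed Microsoft Graph `/users` result pages. The users, role names and the SAP-user-to-UPN mapping are assumptions.

```python
# Constructed sample: two pages shaped like Microsoft Graph GET /users responses.
# accountEnabled is not in the default property set and must be requested with
# $select, so a missing field is treated as "unknown", never as "active".
PAGES = [
    {"@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=CONSTRUCTED",
     "value": [{"userPrincipalName": "Asha.Rao@example.com", "accountEnabled": True},
               {"userPrincipalName": "b.meyer@example.com", "accountEnabled": False}]},
    {"value": [{"userPrincipalName": "c.li@example.com"}]},
]

# Constructed MDG side: (UPN mapped from the SAP user, role). Role names are placeholders.
MDG_ROLES = [
    ("asha.rao@example.com", "Z_MDG_STEWARD"),
    ("B.Meyer@example.com", "Z_MDG_APPROVER"),
    ("c.li@example.com", "Z_MDG_REQUESTER"),
    ("d.old@example.com", "Z_MDG_APPROVER"),
]


def build_directory(pages):
    """Merge all pages into {lowercased UPN: accountEnabled or None}."""
    if not pages or "@odata.nextLink" in pages[-1]:
        # Incomplete listing: an absent user cannot be told apart from an unread one.
        raise ValueError("directory listing is incomplete; refusing to reconcile")
    directory = {}
    for page in pages:
        for user in page.get("value", []):
            directory[user["userPrincipalName"].lower()] = user.get("accountEnabled")
    return directory


def stale_assignments(pages, assignments):
    """Return (upn, role, reason) for every role that should be reviewed."""
    directory = build_directory(pages)
    findings = []
    for upn, role in assignments:
        key = upn.lower()  # UPNs are compared case-insensitively
        if key not in directory:
            findings.append((key, role, "not_in_directory"))
        elif directory[key] is False:
            findings.append((key, role, "account_disabled"))
        elif directory[key] is None:
            findings.append((key, role, "status_unknown"))
    return findings


if __name__ == "__main__":
    for finding in stale_assignments(PAGES, MDG_ROLES):
        print(finding)
```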
What we built and how it works
The technical setup involves SAP authenticating with Azure AD, receiving an OAuth2 token, and using that token to call the Microsoft Graph API. It requires one RFC destination for authentication, another for the API, and three configuration tables; the ABAP SDK for Azure manages the rest.
I will guide you through every step, including every mistake I have gone through, in the upcoming parts of this series.
What’s next?
This was the why part; Part 2 will cover the how. You’ll see a complete technical walkthrough, from creating an Azure account to seeing user data appear in your SAP system.
Stay tuned.