Connect Your IAM Systems
How to connect Azure AD, Okta, SailPoint, and other IAM systems to Compass.
Connectors are how Compass pulls live data from your IAM infrastructure. Each connector integrates with a specific platform and extracts the metrics needed for your assessment.
Supported Connectors
| Connector | Category | Key Metrics |
|---|---|---|
| Azure AD / Entra ID | Identity Provider | Users, groups, MFA status, sign-in activity, conditional access |
| Okta | Identity Provider | User lifecycle, MFA enrollment, application assignments |
| SailPoint IdentityNow | Governance | Access certifications, role composition, entitlements |
| SailPoint IIQ | Governance (Legacy) | Certifications, policy violations, provisioning |
| Saviynt | Governance | Access requests, SoD analysis, role analytics |
| CyberArk | Privileged Access | Safe inventory, session recordings, credential rotation |
| Delinea | Privileged Access | Secret management, privilege elevation, audit trails |
| AWS IAM | Cloud IAM | IAM users, roles, policies, IAM Access Analyzer findings |
| GCP IAM | Cloud IAM | Service accounts, role bindings, policy insights |
| HashiCorp Vault | Secrets Management | Secret engines, access policies, lease management |
| ServiceNow | Service Management | Ticket volumes, SLA compliance, workflow automation |
| Workday | HR Source | Employee data, org hierarchy, joiner/mover/leaver events |
Adding a Connector
1. Go to Settings > Connectors in your Compass dashboard
2. Click Add Connector
3. Select the platform you want to connect
4. Enter the required credentials (varies by platform)
5. Click Test Connection to verify access
6. Save the connector
Credential Requirements
Each connector needs different credentials depending on the platform. In every case, create a dedicated read-only service identity for Compass rather than reusing a person's administrator credentials, so the access can be scoped to what the connector reads and revoked on its own.
Azure AD / Entra ID
- Tenant ID — Your Azure AD directory ID
- Client ID — An app registration with read permissions
- Client Secret — The app registration's secret
- Required permissions (Microsoft Graph application permissions, which need admin consent before the token carries them): `Directory.Read.All`, `AuditLog.Read.All`, `User.Read.All`
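A quick way to confirm the app registration is usable before saving the connector is to request a token with the client credentials above and check that the three required Graph permissions actually appear in it. The script below is an added example for this page, not Compass code. It assumes the connector authenticates with the OAuth 2.0 client-credentials flow against Microsoft Graph, in which case admin-consented application permissions show up in the access token's `roles` claim; a token that carries an `scp` claim instead means delegated permissions were granted, which a client-secret login cannot use. The sample tokens are constructed so the check runs offline; set `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` (assumed variable names) to run it against a real tenant.

```python
"""Check that an Entra ID app registration's token carries the Graph
application permissions the Compass connector needs.

Added example, not Compass code. Assumes the OAuth 2.0 client-credentials
flow against Microsoft Graph, where granted + admin-consented application
permissions appear in the access token's `roles` claim.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Permissions listed in the Azure AD / Entra ID credential requirements above.
REQUIRED_ROLES = {"Directory.Read.All", "AuditLog.Read.All", "User.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(access_token: str) -> dict:
    """Return the JWT payload without verifying the signature.

    Graph verifies the signature when the token is presented; here we only
    inspect what the token asserts about granted roles."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> set:
    """Return required application permissions absent from the `roles` claim.

    Anything missing here means the permission was never granted or never
    admin-consented, and Graph will answer the connector's calls with 403."""
    granted = set(claims.get("roles", []))
    return set(required) - granted


def uses_delegated_permissions(claims: dict) -> bool:
    """Delegated permissions land in `scp`; a client-secret login cannot use them."""
    return "scp" in claims and not claims.get("roles")


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(url, data=body, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _fake_token(payload: dict) -> str:
    """Constructed, unsigned sample token so the check can run offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


def demo() -> dict:
    """Run the check on two constructed tokens: one fully consented, one where
    AuditLog.Read.All was granted but never admin-consented."""
    full = _fake_token({"aud": "https://graph.microsoft.com",
                        "roles": sorted(REQUIRED_ROLES)})
    partial = _fake_token({"aud": "https://graph.microsoft.com",
                           "roles": ["Directory.Read.All", "User.Read.All"]})
    return {
        "full": missing_roles(token_claims(full)),
        "partial": missing_roles(token_claims(partial)),
    }


if __name__ == "__main__":
    creds = (os.getenv("AZURE_TENANT_ID"), os.getenv("AZURE_CLIENT_ID"),
             os.getenv("AZURE_CLIENT_SECRET"))
    if all(creds):
        token = fetch_token(*creds)
    else:
        # No credentials in the environment: fall back to a constructed sample.
        token = _fake_token({"roles": ["Directory.Read.All", "User.Read.All"]})
    claims = token_claims(token)
    if uses_delegated_permissions(claims):
        print("Token carries delegated scopes (scp), not application roles; "
              "grant Application permissions on the app registration instead")
    missing = missing_roles(claims)
    print("OK: all required Graph roles present" if not missing
          else f"Missing roles (grant + admin consent): {sorted(missing)}")
```

If the script reports a missing role even though the permission is listed on the app registration, the usual cause is that admin consent was never granted; the token endpoint still issues a token, but without the role. Fixing that before running Test Connection saves a round of failed discoveries.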
Okta
- Okta Domain — Your Okta org URL (e.g., yourcompany.okta.com)
- API Token — An API token with read-only admin access. Okta API tokens inherit the permissions of the user who created them, so create the token while signed in as a dedicated user whose only admin role is Read-only Administrator.
SailPoint IdentityNow
- Tenant URL — Your SailPoint ISC tenant URL
- Client ID — An API client with read permissions
- Client Secret — The API client secret
CyberArk
- PVWA URL — Your CyberArk Password Vault Web Access URL
- Username — A user with audit/read permissions
- Password — The user's password
What Data Does Compass Collect?
Compass only reads data — it never modifies your IAM systems. The data collected includes:
- Aggregate metrics — User counts, group counts, certification completion rates
- Configuration data — Policy settings, role structures, access rules
- Activity data — Sign-in patterns, provisioning times, ticket volumes
Compass does not collect:
- Individual user passwords or credentials
- Personal data beyond what's needed for metric calculation
- Raw log files or full audit trails
Connector Refresh
Connectors fetch fresh data each time you run a discovery. Data is not continuously synced — it's a point-in-time snapshot taken when you create or rerun a discovery.
Troubleshooting
Connection test fails
- Verify your credentials have the required permissions
- Check that your firewall allows outbound connections to Compass
- Ensure API rate limits haven't been exceeded
Metrics look incomplete
- Some metrics require specific license tiers on the source platform (e.g., Azure AD P1/P2 for sign-in logs)
- Verify the service account has read access to all relevant areas
- Check the connector's last sync timestamp to ensure data is current