SAP IDM retirement: what the cloud-first governance shift means

TL;DR: SAP’s SAP IDM 8.0 roadmap ends mainstream maintenance in 2027 and extended maintenance in 2030, pushing customers toward cloud-first identity governance, Microsoft Entra ID, SAP Cloud Identity Services, and partner-led migration paths according to Pathlock. The shift breaks the assumption that legacy IDM can be treated as a routine upgrade; it is a forced architecture change with lifecycle, compliance, and hybrid integration consequences.

NHIMG editorial — based on content published by Pathlock: SAP IDM End of Life Timelines

By the numbers:

• According to experts, a typical IAM migration takes between 18 and 36 months for a large organization.
• SAP will provide full support, including bug fixes, security patches, and support for new browser versions and operating systems, until 31st December 2027.

Questions worth separating out

Q: What breaks when SAP IDM is retired before workflows are redesigned?

A: What breaks first is continuity of lifecycle control.

Q: When should organisations prioritise SAP IDM replacement over other IAM work?

A: Organisations should prioritise SAP IDM replacement when the retirement timeline becomes shorter than the time needed to inventory, redesign, test, and cut over identity workflows.

Q: How do you know if a cloud identity model is actually governing SAP access?

A: You know it is working when provisioning, access review, SoD analysis, and revocation all operate across SAP and non-SAP systems with clear policy ownership.

Practitioner guidance

• Build a migration inventory for every custom IDM workflow Catalogue scripts, connectors, approval chains, and exception paths in SAP IDM before the 2027 cutoff.
• Separate authentication from governance in the target architecture Use your identity provider for login and the governance layer for provisioning, certification, SoD, and revocation.
• Rebuild joiner-mover-leaver logic around business events Trigger provisioning and deprovisioning from HR, contractor, and project lifecycle changes rather than from manual tickets.

What's in the full article

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

• The retirement timeline breakdown for SAP IDM 8.0, including mainstream and extended maintenance milestones.
• The phased migration approach from visibility and cleanup through lifecycle replacement and advanced governance.
• The detailed connector model for SAP ECC, S/4HANA, BTP, SuccessFactors, Entra ID, and non-SAP systems.
• The specific governance functions Pathlock says its cloud platform maps to provisioning, SoD, certification, and firefighter use cases.

👉 Read Pathlock's analysis of SAP IDM end of life and migration paths →

SAP IDM retirement: what the cloud-first governance shift means?

Explore further

View Full Forum →  |  NHI Foundation Course →