hannes neukermans
Reputation: 13347
Azure Active Directory SCIM: Deprovision member of a group not working
Using Azure AD Premium, Enterprise App & SCIM 2.0 Provisioning Scope - Only assigned Users & Groups
I'm trying to work through the use case below:
SCIM provisioning of users that are assigned to a given AD Group
- When a user is added (provisioned) to a group it correctly fires off a PATCH /Groups/{Id} to add member of the group
- When a user is removed (deprovisioned) from the group it does not correctly fires a PATCH /Groups/{Id} to remove member of the group
What am I'm doing wrong?
In addition, I wonder which call azure active directory executes to get to know who is currently member of a given group. (I've noticed that every call AAD makes to my SCIM/group service implementation has the excludedAttributes=members as query parameter)
Any suggestions appreciated.
Upvotes: 3
Views: 727
Answers (1)
neverEugene
Reputation: 91
From what I saw, Azure SCIM sends this request to groups endpoint:
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Remove",
"path": "members",
"value": [
{
"value": "49a5f81e-9f63-4f5e-b3e8-41db044c1af9"
}
]
}
]
}
I use ngrok during the development to see an analyse requests from Azure SCIM integration.
Upvotes: 2
Related Questions
- Azure User/Group provisioning with SCIM problem with boolean values
- Azure AD does not emit group claims
- Azure AD SCIM client implementation - Users/Groups clarification
- Get groups of user during provisioning on Enterprise application in Azure AD
- SCIM endpoint. Error when testing from Azure AD
- Azure AD users are no longer deactivated when removed from assigned users
- AzureAD SCIM integration not sending DELETE requests
- Resource group with Azure AD Domain Service is not getting deleted
- Permissions required to run Remove-AzureRMAdGroup
- Azure AD User Provisioning with SCIM 2.0