Anurag Maheshwari

Reputation: 167

SCIM : How to restrict Group type members in Group patch request while provisioning from Azure AD

I'm implementing SCIM group provisioning from Azure AD, but I don't support nested groups. Below is the patch call from Azure AD (when a member is added).

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [{
    "op": "add",
    "path": "members",
    "value": [{
      "ref": "https://example.com/v2/Users/45",
      "value": "45"
    }]
  }]
}

I'm unable to identify whether the member is a user type or a group type resource. Kindly help me with how I can restrict this in the code, or is there any way I can restrict it directly from Azure AD so that it does not send Group type members?

Upvotes: 0

Views: 762

Answers (2)

dominic detta

Reputation: 221

As described in [RFC 7643 Section 3.3 2.4][1], the sub-attribute $ref allows you to identify the resource type in a multivalued attribute such as members. Just search the reference value for the word Users or Groups to identify its type. By the way, the attribute name is $ref instead of ref.

[1]: https://www.rfc-editor.org/rfc/rfc7643.html#section-2.4

Upvotes: -1
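The check this answer describes, as an added example that is not code from the question or from either answer: it walks the PatchOp's Operations, classifies each added or replaced member by the resource-type segment of its $ref URI, and rejects the whole patch with an RFC 7644 style error body when anything other than a User is being linked. It assumes the /Users/{id} and /Groups/{id} endpoint layout of the question's sample URL, accepts the question's "ref" spelling as a fallback to "$ref", and treats a member with no usable $ref as an error rather than guessing its type. The sample payloads are constructed for the example.

```python
"""Reject Group-type members in a SCIM PatchOp before applying it.

Added example (not from the question or the answers). Assumes the SCIM
server exposes .../Users/{id} and .../Groups/{id}, as in the question's
sample $ref, and that a member whose type cannot be determined must not
be linked.
"""
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed sample payloads modelled on the question's PatchOp. The user
# payload keeps the question's "ref" spelling; the group payload uses "$ref"
# as RFC 7643 names the attribute.
USER_MEMBER_PATCH = {
    "schemas": [SCIM_PATCH_SCHEMA],
    "Operations": [{
        "op": "add", "path": "members",
        "value": [{"ref": "https://example.com/v2/Users/45", "value": "45"}],
    }],
}
GROUP_MEMBER_PATCH = {
    "schemas": [SCIM_PATCH_SCHEMA],
    "Operations": [{
        "op": "Add", "path": "members",
        "value": [{"$ref": "https://example.com/v2/Groups/7", "value": "7"}],
    }],
}


def member_resource_type(member: dict) -> Optional[str]:
    """Return "User" or "Group" from the member's $ref URI, or None if unknown."""
    ref = member.get("$ref") or member.get("ref")
    if not isinstance(ref, str) or not ref:
        return None
    # The type is the path segment before the id: .../Users/45 -> "Users".
    segments = [s for s in urlparse(ref).path.split("/") if s]
    if len(segments) >= 2 and segments[-2] in ("Users", "Groups"):
        return segments[-2][:-1]  # strip the plural: "User" / "Group"
    return None


def scim_error(detail: str, status: int = 400,
               scim_type: str = "invalidValue") -> dict:
    """Build an RFC 7644 error response body."""
    return {"schemas": [SCIM_ERROR_SCHEMA], "scimType": scim_type,
            "detail": detail, "status": str(status)}


def validate_member_patch(patch: dict) -> Tuple[bool, Optional[dict]]:
    """Accept the PatchOp only if every added/replaced member is a User.

    Returns (True, None) on success or (False, error_body) on rejection.
    Members with no usable $ref are rejected too: a server that cannot
    tell what it is being asked to link should not guess.
    """
    for op in patch.get("Operations", []):
        if (op.get("op") or "").lower() not in ("add", "replace"):
            continue  # removing a member never creates a nested group
        path = (op.get("path") or "").lower()
        values = op.get("value")
        if path == "members":
            pass
        elif path == "" and isinstance(values, dict) and "members" in values:
            values = values["members"]  # path-less form: value={"members":[...]}
        else:
            continue
        if isinstance(values, dict):
            values = [values]
        for member in values or []:
            rtype = member_resource_type(member)
            if rtype != "User":
                ident = member.get("value", "<no value>")
                return False, scim_error(
                    f"member {ident!r} is {rtype or 'of unknown type'}; "
                    "only User members are supported (nested groups are not)")
    return True, None


if __name__ == "__main__":
    for name, patch in (("user", USER_MEMBER_PATCH), ("group", GROUP_MEMBER_PATCH)):
        ok, err = validate_member_patch(patch)
        print(name, "accepted" if ok else json.dumps(err))
```

On rejection the server should answer the PATCH with HTTP 400 and the returned error body; Azure AD will then surface the failure in the provisioning log rather than silently dropping the group member.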

Zollnerd

Reputation: 912

From the config of the Azure AD Enterprise App, go to Provisioning -> Mappings -> Provision Azure Active Directory Groups -> Show Advanced Options (bottom of screen) -> Edit attribute list for customappsso.

This will bring you to the schema editor UI for AAD's representation of the SCIM app's schema for group objects. On the far right side in the column "Referenced Object Attribute", you'll see there are 2 selected values for the members attribute. Open the dropdown and unselect urn:ietf:params:scim:schemas:core:2.0:Group, then save.

That should work. If it doesn't, please let me know (or for faster turnaround, open a support case from the Azure portal).

Upvotes: 0
