Blair Lunceford

Reputation: 21

Azure AD provisioning sends SCIM replace operation when adding user to group

I have user and group provisioning set up for an enterprise application in Azure AD. I have a SCIM endpoint set up in my application to consume the SCIM requests from Azure AD. I added this feature flag to my tenant URL to ensure SCIM compliance: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior

I have a group assigned to the enterprise application for provisioning to my application. When I add users to that group in Azure AD, I'm seeing two PATCH requests to the Groups/:id SCIM endpoint. The first is an add operation, which I expect because I'm adding this user as a member of the group:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "add",
            "path": "members",
            "value": [
                {
                    "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
                }
            ]
        }
    ]
}

The second PATCH request is a replace operation, which is unexpected as I'm not replacing all users in a group with the one member being added:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "members",
            "value": [
                {
                    "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
                }
            ]
        }
    ]
}

The SCIM protocol RFC outlines the difference between the add and replace operations in PATCH requests. If users are added as members of a group, there should only be an add operation, not a replace operation. Is there any way to configure Azure so it only sends add operations in this situation? Thanks!

Upvotes: 2

Views: 816

Answers (1)

Reingold Shekhtel

Reputation: 11

I've encountered the same issue before.

I believe it's a problem with the GET group response. I removed "members" from the GET response, and it resolved the issue.

{
    "displayName": "ABC.Developer.FirstProject",
    "id": "1",
    "meta": {
        "resourceType": "Group",
        "location": "Groups/1"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}

Upvotes: 1
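An added example, not code from the question or the answer above: a minimal Python implementation of the RFC 7644 PATCH semantics for Group.members, used to replay the two PATCH bodies the question quotes against a group that already has two (constructed) members. It makes concrete why the second request is a problem: "add" merges the new member into the existing set, while "replace" makes the supplied list the complete membership, so the other members vanish. It also builds the GET /Groups/{id} body with and without "members", which is the representation the answer describes leaving out. The member ids `directory_user_A` / `directory_user_B`, the group id and the display name are constructed values; the function names are this example's own, not part of any SCIM library.

```python
"""Worked SCIM 2.0 PatchOp semantics for Group.members (RFC 7644, section 3.5.2).

Constructed example: replays the add and replace PATCH bodies from the
question against a group that already has members, and shows the GET
representation with and without "members".
"""
import json
import re

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# RFC 7644 path filter for removing a single member: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def apply_member_patch(members, patch):
    """Return the member-id set that results from applying one PatchOp body.

    Semantics per RFC 7644:
      add     -> union of the existing members and the supplied ones
      replace -> the supplied list becomes the complete membership
      remove  -> drop the filtered member, or every member if no filter
    Unknown ops or paths raise, so a malformed request is not silently applied.
    """
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("missing PatchOp schema")
    current = set(members)
    for operation in patch["Operations"]:
        op = operation["op"].lower()  # tolerate "Add"/"Replace" capitalisation
        path = operation.get("path", "")
        if op == "add" and path == "members":
            current |= {m["value"] for m in operation["value"]}
        elif op == "replace" and path == "members":
            current = {m["value"] for m in operation["value"]}
        elif op == "remove":
            match = MEMBER_FILTER.match(path)
            if match:
                current.discard(match.group(1))
            elif path == "members":
                current.clear()
            else:
                raise ValueError(f"unsupported remove path: {path!r}")
        else:
            raise ValueError(f"unsupported operation: {op} {path!r}")
    return current


def replay_question_patches(existing_members):
    """Apply the add, then the replace, exactly as quoted in the question.

    Returns (membership after add, membership after replace) so the
    destructive effect of the second request is explicit.
    """
    new_member = {"value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"}
    add_patch = {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [{"op": "add", "path": "members", "value": [new_member]}],
    }
    replace_patch = {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [{"op": "replace", "path": "members", "value": [new_member]}],
    }
    after_add = apply_member_patch(existing_members, add_patch)
    after_replace = apply_member_patch(after_add, replace_patch)
    return after_add, after_replace


def group_response(group_id, display_name, members, include_members):
    """Build the GET /Groups/{id} body.

    include_members=False yields the shape in the answer, with "members"
    left out of the representation entirely.
    """
    body = {
        "schemas": [GROUP_SCHEMA],
        "id": group_id,
        "displayName": display_name,
        "meta": {"resourceType": "Group", "location": f"Groups/{group_id}"},
    }
    if include_members:
        body["members"] = [{"value": m} for m in sorted(members)]
    return body


if __name__ == "__main__":
    existing = {"directory_user_A", "directory_user_B"}  # constructed ids
    after_add, after_replace = replay_question_patches(existing)
    print("after add:    ", sorted(after_add))
    print("after replace:", sorted(after_replace))
    print(json.dumps(group_response("1", "ABC.Developer.FirstProject",
                                    after_add, include_members=False), indent=2))
```

Running it shows three members after the add and only the newly added one after the replace. If your endpoint applies "replace" literally, as the RFC requires, that second request silently de-provisions every other member of the group, so it is worth logging and alerting on replace operations against members until the client behaviour is understood.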
