Entra ID Provisioning not sending User-Agent header to SCIM server tenant

Question

Entra ID Provisioning not sending User-Agent header to SCIM server tenant

Miguel Rodriguez 20

Hi, I created a "non-gallery" Enterprise Application from my Entra Admin Center and now I am testing the SCIM "Automatic" Provisioning following this guide: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#integrate-your-scim-endpoint-with-the-microsoft-entra-provisioning-service

In Admin Credentials I introduce the Tenant URL and the Secret Token and when I click on Test Connection I get a 403 (see screenshot). Apparently the requests coming from Entra ID are being blocked by the target firewall (SCIM server side) because they are lacking the "User-Agent" header. (E.g: request Id c902afe1-a3e8-48b4-a3a3-92801e786c6e)

Can you please confirm if this is correct? Is there anything I can do in Entra ID to provide this header in the request?

Thank you!

YADAVALLI Pramod K 0 Reputation points

2024-02-12T15:21:56.1933333+00:00

Hi Danny, Is there an way to retrieve the Source Id or Client Id of enterprise application as part of request (While provisioning in AAD) in SCIM? Thanks Pramod

Accepted answer

0 additional answers

Your answer

YADAVALLI Pramod K 0 Reputation points

2024-02-12T15:21:56.1933333+00:00

Hi Danny, Is there an way to retrieve the Source Id or Client Id of enterprise application as part of request (While provisioning in AAD) in SCIM? Thanks Pramod

Answer 1

Danny Zollner 10,801 Microsoft Employee Moderator

Entra ID Provisioning does not currently send a User-Agent header. Per the HTTP spec, it is recommended but not required. Our engineering team has a backlog item to add this, but due to the potential that suddenly changing to include a header could disrupt existing consumers of the provisioning service's SCIM requests, this will be released in the future as part in a manner that is opt-in.

At present, your options are to adjust the firewall rules to make an exception for the User-Agent header from the Entra ID Provisioning requests, or possibly look at using on-premises provisioning to pass the requests through an agent that runs on a server on your local network and only uses outbound connectivity, therefore bypassing the inbound firewall rules you mentioned.

YADAVALLI Pramod K 0 Reputation points

2024-02-12T16:06:37.77+00:00

Hi Danny, Do Enterprise application has provision to include a custom header field to the HTTP request (While provisioning in AAD) that contains the Source ID information. h "X-SourceId" . Which will make Http Request more robust , SCIM can read the source Id and identify the tenant.
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2024-02-12T18:38:21.2633333+00:00

No, that feature does not exist and I'm not aware of it being on the roadmap. If the desire is to use the application or tenant ID as an additional way to determine if the SCIM client is authorized to make calls to the SCIM server, this sort of thing is easily impersonated if you are using readily available data such as the aforementioned identifiers.
YADAVALLI Pramod K 0 Reputation points

2024-02-12T20:05:21.5466667+00:00
If this approach can be compromised then as per documentation

https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#authorization-to-provisioning-connectors-in-the-application-gallery it is suggested that you use a long-lived token for your non-gallery app.

In case we get hold of token and url then anonymously data can be accessed .

What is the recommended approach to make sure that assigned token can only be exercised by pertinent customer.
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2024-02-12T21:08:37.9+00:00
This is too complicated of a topic to discuss back-and-forth in the comments of an already resolved Microsoft Q&A post.

My quick(ish..) thoughts, however, are:

It isn't anonymous access if a bad actor has a stolen long-lived bearer token, which grants authorization to the API and should almost surely require authentication before being issued. It's a stolen credential/secret. The answer there is to not allow the secret to be stolen.

An easily discoverable value (app id, tenant id) in a header isn't likely to stop an attacker who has stolen the bearer token.

Other authorization mechanisms exist, even as shown in the doc you linked - two OAuth 2.0 flows. Those aren't supported in the generic SCIM connector ("custom non-gallery app") but they do exist. We should eventually have support for these OAuth options in the generic SCIM connector, but I'm not sure on when. Even then, the same risk of a bad actor stealing your secret(s) still exists.. so see #1 again :)

If you have more questions, I'm happy to move the discussion to email. If you can reach out to AzCommunity@microsoft.com and put Attn: Danny Zollner in the subject line, someone can get you connected to me.

Share via

Entra ID Provisioning not sending User-Agent header to SCIM server tenant

0 additional answers

Your answer