Hi Fraczek, Rafal SW/WRO-DCDZA,
Thanks for reaching out.
externalId is expected to be uniqueness constrained by the client but is explicitly defined in the reference section as having a mutability of readWrite.
To update the ExternalID attribute in your Azure Active Directory SCIM provisioning setup, you will need to make sure that the new attribute you choose to use has the same value as the current ExternalID attribute for each user. This is because the ExternalID attribute is used to uniquely identify each user in the application, and changing it will cause the application to see each user as a new user.
As far as how this links to Entra, SCIM/provisioning, and external apps - a user on the Entra side that is provisioned to a SCIM-enabled app will have a 1:1 relationship there. However, organizations go through mergers/acquisitions, divestitures, and on-premises to cloud migrations. Those can lead to a group being recreated in Entra and having its Entra objectId change, and the objectId maps to SCIM externalId. Even with the object in Entra changing, the relation to external systems may still be intended to be the same.
Reference: https://datatracker.ietf.org/doc/html/rfc7643#section-3.1
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
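The check described in the answer above (the new matching attribute must carry the same value as each user's current externalId), as an added example that is not part of the original answer or of Microsoft's code. It assumes a constructed export of user records with hypothetical field names (`id` for the SCIM resource id, `employeeId` as the candidate attribute), and that the target application accepts an RFC 7644 PATCH on `externalId`, which RFC 7643 defines as readWrite.

```python
from collections import Counter

# PatchOp message schema URN from RFC 7644, section 3.5.2
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def preflight(users, candidate_attr):
    """Classify each user by what candidate_attr would do to its externalId.

    match     - same value as today, the app keeps recognising the user
    mismatch  - value differs, the app would see a new user after the switch
    missing   - candidate attribute is empty, nothing to match on
    duplicate - candidate value is shared, uniqueness would be broken
    """
    counts = Counter(u.get(candidate_attr) for u in users)
    dupes = {v for v, n in counts.items() if v and n > 1}
    report = {"match": [], "mismatch": [], "missing": [], "duplicate": []}
    for u in users:
        new = u.get(candidate_attr)
        if not new:
            report["missing"].append(u["id"])
        elif new in dupes:
            report["duplicate"].append(u["id"])
        elif new == u["externalId"]:  # externalId is caseExact, so compare exactly
            report["match"].append(u["id"])
        else:
            report["mismatch"].append(u["id"])
    return report

def external_id_patch(new_value):
    """Body for PATCH /Users/{id} that rewrites externalId on the existing resource."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "externalId", "value": new_value}],
    }

# Constructed sample records: not real tenant data.
SAMPLE_USERS = [
    {"id": "a1", "externalId": "obj-001", "employeeId": "obj-001"},
    {"id": "a2", "externalId": "obj-002", "employeeId": "E-1002"},
    {"id": "a3", "externalId": "obj-003", "employeeId": None},
    {"id": "a4", "externalId": "obj-004", "employeeId": "E-1004"},
    {"id": "a5", "externalId": "obj-005", "employeeId": "E-1004"},
]

if __name__ == "__main__":
    for bucket, ids in preflight(SAMPLE_USERS, "employeeId").items():
        print(f"{bucket:9} {ids}")
```

Users in the `mismatch` bucket are the ones the application would treat as new after the mapping change; `missing` and `duplicate` need fixing at the source before any switch.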