This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 13%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Hi,
When I provision a user via SCIM, I see there is first a GET request to search for the user via userName, e.g.
GET /scim/v2/Users {"filter":"userName eq "abc@xyz .onmicrosoft.com"", "count":100, "startIndex":1, "page":1}
If I return 200 with zero results, I can see the POST request and the user gets provisioned successfully.
However, on all subsequent updates/checks to the user, the userName in the query appears to be a randomly generated value (it's a different value for the same user every time), e.g.:
GET /scim/v2/Users {"filter":"userName eq "80f18da2-686d-445c-9c47-0cdeaf0c654b"", "count":100, "startIndex":1, "page":1}
This is always followed up with another GET request to the correct user id route (GET /scim/v2/Users/123... etc). So while flow is working, I do not understand how these userName values are generated and why the unnecessary step. How can I ensure that the userPrincipalName value is used in the query?
This is by design - it's part of what steps our service takes at the start of any activity (ie: a provisioning cycle or a provisioning on demand activity) to validate that the SCIM endpoint it is talking to functions correctly. See:
Specifically, this piece:
Microsoft AAD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the Test Connection flow in the Azure portal.
Ah that aligns exactly with what I'm seeing. Thanks for confirming!