Azure AD SCIM random ID in "userName eq"

David S 1 Reputation point
2021-05-24T17:44:52.69+00:00

Hi,

When I provision a user via SCIM, I see there is first a GET request to search for the user via userName, e.g.

GET /scim/v2/Users {"filter":"userName eq "abc@xyz.onmicrosoft.com"", "count":100, "startIndex":1, "page":1}

If I return 200 with zero results, I can see the POST request and the user gets provisioned successfully.

However, on all subsequent updates/checks to the user, the userName in the query appears to be a randomly generated value (it's a different value for the same user every time), e.g.:

GET /scim/v2/Users {"filter":"userName eq "80f18da2-686d-445c-9c47-0cdeaf0c654b"", "count":100, "startIndex":1, "page":1}

This is always followed up with another GET request to the correct user id route (GET /scim/v2/Users/123... etc). So while the flow is working, I do not understand how these userName values are generated and why the unnecessary step. How can I ensure that the userPrincipalName value is used in the query?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2021-05-25T14:43:10.317+00:00

    This is by design - it's part of the steps our service takes at the start of any activity (i.e. a provisioning cycle or a provisioning-on-demand activity) to validate that the SCIM endpoint it is talking to functions correctly. See:

    https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#understand-the-aad-scim-implementation

    Specifically, this piece:

    Microsoft AAD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the Test Connection flow in the Azure portal.

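As an added illustration (not code from the question, the answer, or Microsoft), this is a minimal handler for the GET /scim/v2/Users lookup discussed above. It checks the bearer credential, accepts only the `userName eq "..."` filter shape Azure AD sends, and returns 200 with an empty ListResponse when the value is the random probe GUID rather than a known user. The user store, the expected token and the user id are constructed placeholders.

```python
import hmac
import re

# Constructed placeholder data: the token configured for the provisioning
# app and one already-provisioned user (values are assumptions, not real).
EXPECTED_TOKEN = "placeholder-secret-token"
USERS = {
    "abc@xyz.onmicrosoft.com": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": "123",
        "userName": "abc@xyz.onmicrosoft.com",
        "active": True,
    }
}

# Exactly the filter shape Azure AD sends: userName eq "<value>"
FILTER_RE = re.compile(r'^\s*userName\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)


def is_authorized(headers):
    """Constant-time check of the Bearer token; this is the 'credentials' half
    of what the random-user probe validates."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], EXPECTED_TOKEN)


def parse_username_filter(filter_expr):
    """Return the value from a userName eq "..." filter, or None if unsupported."""
    m = FILTER_RE.match(filter_expr)
    return m.group(1) if m else None


def handle_list_users(headers, filter_expr, start_index=1):
    """GET /scim/v2/Users. A userName that matches nothing (including the random
    GUID probe) is NOT an error: answer 200 with totalResults 0."""
    if not is_authorized(headers):
        return 401, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                     "status": "401", "detail": "invalid or missing bearer token"}
    user_name = parse_username_filter(filter_expr)
    if user_name is None:
        return 400, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                     "status": "400", "scimType": "invalidFilter",
                     "detail": 'only userName eq "value" is supported'}
    # userName is not caseExact in SCIM, so compare case-insensitively.
    matches = [u for n, u in USERS.items() if n.lower() == user_name.lower()]
    return 200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                 "totalResults": len(matches), "startIndex": start_index,
                 "itemsPerPage": len(matches), "Resources": matches}
```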
