Azure AD Enterprise Application Provisioning

Question

Azure AD Enterprise Application Provisioning

Gordon MacPherson 1

We are building a SCIM api for provisioning.

When we receive the POST request I doesn't have members included. What am I doing wrong?

{"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"externalId":"0899060-370e-46a-bc5f-3aas207ed41d","displayName":"Org Admin","members":[],"meta":{"resourceType":"Group"}}

Siva-kumar-selvaraj 15,721 Reputation points

2021-11-25T16:00:25.997+00:00

@Gordon MacPherson ,
Just checking in to see whether the response was helpful. If this answer your question, please don't forget to click "Accept the answer" and Up-Vote for it, which may be useful to other members of the community reading this topic. Please let us know if you have any further questions.
Thanks,

1 answer

Your answer

Siva-kumar-selvaraj 15,721 Reputation points

2021-11-25T16:00:25.997+00:00

@Gordon MacPherson ,
Just checking in to see whether the response was helpful. If this answer your question, please don't forget to click "Accept the answer" and Up-Vote for it, which may be useful to other members of the community reading this topic. Please let us know if you have any further questions.
Thanks,

Answer 1

Siva-kumar-selvaraj 15,721

Hello @Gordon MacPherson ,

Thanks for reaching out and apologized for delayed response.

Group provisioning can be optionally enabled or disabled by selecting the group mapping under Mappings, and setting Enabled to the option you want in the Attribute Mapping screen as shown below:

If group provisioning is enabled in the mappings, the provisioning service synchronizes the users and the groups , and then later synchronizes the group memberships using PATCH request.

Therefore Groups members synchronization only supported if the SCIM implementation supports PATCH. To learn more about, refer how to develop and plan provisioning for a SCIM endpoint in Azure Active Directory.

References:
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#groups

Here's a link to the RFC - rfc7644 (ietf.org)
Here's a link to our documentation on how we send a PATCH

Hope this helps.

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Gordon MacPherson 1 Reputation point

2021-11-23T15:01:30.567+00:00

Hi. I'm finding it hard to provision the groups.

When provisioning a new group we are recieving a GET request so we can query if the group exists in our database but when the POST request is received it is empty. What am I doing wrong? Is there a step by step guide the the provisioning the group that includes an expected response if a group doesn't exist?
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2021-11-23T17:12:34.847+00:00

As the answer above says, the provisioning service creates the group without members and then later adds them via the HTTP/SCIM PATCH method. The POST to create a new group will never contain values for "members".
Siva-kumar-selvaraj 15,721 Reputation points

2021-12-09T06:50:40.443+00:00

@Gordon MacPherson , I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.

---
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Azure AD Enterprise Application Provisioning

1 answer

Your answer