Unable to remove a member from a group while provisioning through Azure

vijayan t 21 Reputation points
2022-10-11T09:52:40.467+00:00

We are trying to execute the use case below:

SCIM provisioning of users that are assigned to an AD group:

When a user is added (provisioned) to a group it works correctly by sending the create group followed by patch group.
When a user is removed (deprovisioned) from the group it does not send a PATCH /Groups/{Id} with the corresponding payload to remove the member from the group.

Do we have any other procedure to remove a member from a group?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2022-10-26T23:35:57.657+00:00

    @vijayan t
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    SCIM provisioning of users that are assigned to an AD group:
    When a user is added (provisioned) to a group it works correctly by sending the create group followed by patch group.
    When a user is removed (deprovisioned) from the group it does not send a PATCH /Groups/{Id} with the corresponding payload to remove the member from the group.

    Solution:

    Tutorial: Configure Dropbox for Business for automatic user provisioning

    When configuring automatic user provisioning for Dropbox for Business in Azure AD, you can define the users and/or groups that you would like to provision to Dropbox by choosing the desired values in Scope in the Settings section.

    Choosing only the assigned users allowed you to remove users, whereas "Sync all" users caused the issue.


    If you have any other questions, please let me know.
    Thank you again for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


3 additional answers

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2022-10-11T16:45:25.613+00:00

    The service is expected to remove a user from a group in the connected SCIM application if the user is removed in the group in Azure AD. If this isn't happening, I'd suggest opening a support case.

    As far as workarounds go, you can perform an action to remove the group member manually in the application if possible or use Postman or another method to make REST API calls and make the SCIM group membership removal call yourself.

    1 person found this answer helpful.
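
Added example, not part of any answer on this page and not Microsoft's code: the PATCH /Groups/{Id} member-removal body the question refers to, with a check of how a SCIM endpoint should apply it. It covers the RFC 7644 filter-path form and the `path: "members"` plus value-array form shown in Microsoft's SCIM documentation; the function names and sample ids are constructed for illustration.

```python
import json
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# RFC 7644 filter form of the path: members[value eq "<id>"]
_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def build_remove_member_patch(member_id, use_filter_path=False):
    """Return the JSON body for PATCH /Groups/{id} that removes one member."""
    if '"' in member_id:
        raise ValueError("member id must not contain a double quote")
    if use_filter_path:
        op = {"op": "remove", "path": f'members[value eq "{member_id}"]'}
    else:
        op = {"op": "remove", "path": "members", "value": [{"value": member_id}]}
    return {"schemas": [PATCH_SCHEMA], "Operations": [op]}


def apply_group_patch(group, patch):
    """Apply member-removal operations to a group dict; return removed ids."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    removed = []
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "remove":  # clients vary in case ("Remove")
            continue
        path = op.get("path", "")
        match = _FILTER.match(path)
        if match:
            targets = {match.group(1)}
        elif path == "members" and op.get("value"):
            targets = {m["value"] for m in op["value"]}
        elif path == "members":
            # RFC 7644: remove on a multi-valued attribute with no filter clears it
            targets = {m["value"] for m in group.get("members", [])}
        else:
            continue
        members = group.get("members", [])
        removed += [m["value"] for m in members if m["value"] in targets]
        group["members"] = [m for m in members if m["value"] not in targets]
    return removed


if __name__ == "__main__":
    # Constructed sample group; the ids are placeholders.
    group = {"id": "g1", "members": [{"value": "user-a"}, {"value": "user-b"}]}
    body = build_remove_member_patch("user-a")
    print(json.dumps(body, indent=2))
    print(apply_group_patch(group, body), group["members"])
```

Comparing the provisioning logs against the body built here shows whether the removal request was never sent or was sent and not applied by the target application.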

  2. JimmySalian-2011 42,511 Reputation points
    2022-10-11T10:43:55.427+00:00

    Hi @vijayan t ,

    If a user that was previously in scope for provisioning is removed from scope, including being unassigned, the service disables the user in the target system via an update.

    Check this and also the state of the user.


    how-provisioning-works

    Hope this helps.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. vijayan t 21 Reputation points
    2022-10-26T10:34:38.65+00:00

    After following the procedure below, we were able to remove a member from the group.

    Tutorial: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial

    There is a step 16, where we have to choose only assigned users, and then we will be able to remove users. For the moment it is on sync all users and this caused the issue.
