Minimum required level of filtering and querying for SCIM

Anton Gorlin 41 Reputation points
2022-11-10T20:43:10.443+00:00

hi,
rfc says that filtering is optional, however this link https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups says that an application has to support "Section 3.4.2. By default, users are retrieved by their id and queried by their username and externalId, and groups are queried by displayName."
Section 3.4.2 covers the whole filtering/querying thing!
So, is it optional or not? Or is there some minimum level we can implement to satisfy the requirements?
In addition, there is this link https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#retrieving-resources
In turn, it says that "Microsoft Azure AD only uses the following operators: eq, and".

Is there a clearly defined minimum functionality that we need to implement?
Thanks.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,886 questions
0 comments No comments
{count} votes

Accepted answer
  1. Danny Zollner 10,496 Reputation points Microsoft Employee
    2022-11-10T20:54:13.813+00:00

    Hi @Anton Gorlin - there are two distinct things to track here, things that the SCIM spec says are optional/required, and things that Azure AD says are optional/required to integrate with us via SCIM. For example, while the SCIM spec says that filtering is optional, Azure AD requires filtering for certain attributes (i.e.: userName on users, displayName on groups) as that is the mechanism used to match objects between AAD and the SCIM app's directory.

    You've already identified the right resources, for the most part - in https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups, the section "SCIM Protocol Requests and Responses" covers most/all of the requests that will be used. I'd treat that as the minimum requirements. I'd also recommend looking at our new SCIM Validator tool, which can help you to confirm proper implementation once you've got the SCIM endpoint up and running. See: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/scim-validator-tutorial

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.