Azure AD SCIM attempting to create the same user repeatedly

Kyle Besecker 21 Reputation points
2023-01-04T18:59:45.517+00:00

While load testing our SCIM service against azure ad we came across a scenario where the following happened:

  1. Azure checked to see if the user existed
  2. Our SCIM service reported they did not exist
  3. Azure sent a POST request to create the user
  4. Our SCIM service created the user, but before the response could be returned to the caller (Azure), the service died
  5. After the service came back up, Azure re-sent the POST request to create the user
  6. Our SCIM service is now sending a Conflict error (409)

Azure appears to be stuck in this 'trying to create' user state, even though the user has been created. Is this an edge case for Azure, or is there a recommended way to make Azure know that the user was correctly provisioned?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2023-01-05T04:23:44.663+00:00

    A requirement for SCIM endpoints to work with Azure AD provisioning is the ability to provide responses within 60 seconds. It sounds like you are not meeting that requirement and the connection is timing out.

    As to 5 + 6, I can't quite recall which of two behaviors it is - it's either that the failure in 4 triggers AAD Provisioning to record that it needs to create a new user but it does not do a check on the future retry attempt, or if it is doing a GET prior to 5, the body of the response is not correctly indicating that a matching user exists.

    I'd suggest improving performance so that you can meet the 60 second response requirement and that should then clear up if it's directly caused by the timeout in 4, or if it's a secondary issue.


1 additional answer

  1. Kyle Besecker 21 Reputation points
    2023-01-04T19:27:44.093+00:00

    I'll also add that when I attempt to force provision the user, I see that Azure SCIM checks to see if the user exists and gets a 200 response, but Azure still attempts to POST the user.

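As an added example (not code from the question, the answer, or Microsoft's SCIM reference implementation), a minimal in-memory Python sketch of the two endpoints involved in the sequence above and in the follow-up about the 200 response: the filtered GET that the provisioning client uses as its existence check, returning a ListResponse whose totalResults actually reflects the match, and the POST that answers a crash-retried create with a SCIM 409 "uniqueness" error instead of a generic failure. The store, the user values and the id scheme are constructed for the example.

```python
import re

# Constructed in-memory store; a real service would use a DB with a unique userName constraint.
USERS = {}
FILTER_RE = re.compile(r'^(userName|externalId)\s+eq\s+"([^"]*)"$', re.IGNORECASE)

def scim_error(status, detail, scim_type=None):
    body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
            "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body

def get_users(filter_expr):
    """GET /Users?filter=... : the existence check run before a create.
    An unsupported filter is rejected, never answered with an empty list."""
    m = FILTER_RE.match(filter_expr.strip())
    if not m:
        return scim_error(400, "unsupported filter", "invalidFilter")
    key = "userName" if m.group(1).lower() == "username" else "externalId"
    matches = [u for u in USERS.values() if u.get(key) == m.group(2)]
    # RFC 7644 ListResponse: totalResults must reflect the match count.
    return 200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                 "totalResults": len(matches), "startIndex": 1,
                 "itemsPerPage": len(matches), "Resources": matches}

def post_user(body):
    """POST /Users. A create retried after a crash must be reported as a
    SCIM 409 with scimType "uniqueness" (RFC 7644 section 3.3)."""
    user_name = body.get("userName")
    if not user_name:
        return scim_error(400, "userName is required", "invalidValue")
    if any(u["userName"] == user_name for u in USERS.values()):
        return scim_error(409, f"userName {user_name!r} already exists", "uniqueness")
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "id": f"u{len(USERS) + 1:04d}", "userName": user_name,
            "externalId": body.get("externalId"), "active": body.get("active", True),
            "meta": {"resourceType": "User"}}
    USERS[user["id"]] = user
    return 201, user

def replay_crash_scenario():
    """Steps 1-6 from the question: check, create, reply lost, create retried."""
    USERS.clear()
    req = {"userName": "alice@example.test", "externalId": "ext-1"}  # constructed
    _, before = get_users('userName eq "alice@example.test"')        # steps 1-2
    created, _ = post_user(req)                                      # steps 3-4
    retried, err = post_user(req)                                    # steps 5-6
    _, after = get_users('userName eq "alice@example.test"')         # next check
    return before["totalResults"], created, retried, err["scimType"], after["totalResults"]
```

The useful check against a real endpoint is the last step: after the 409, the same filtered GET must come back with totalResults of 1 and the user in Resources, otherwise the client has no way to learn that the create already succeeded.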
