PATCH /Groups call only contains the userId when a member is added to a group

M N, Shashank 0 Reputation points
2023-02-27T09:24:52.9433333+00:00

I have users and groups created and added to one of my applications in Azure AD. I have also enabled SCIM provisioning for my application (it is working). But, when I am adding an existing user to an existing group in Azure AD, there is a SCIM /Group/{groupId} PATCH call being made to my server. The body of the PATCH is as below.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Add",
            "path": "members",
            "value": [
                {
                    "value": "<user id>"
                }
            ]
        }
    ]
}

Here, as part of the value I am only receiving the ID of the user. I wanted to know if there is a way to get the displayName, first name, last name and email fields also, along with just the ID?
NOTE: I don't have an option to store the email, first name, etc. when a POST call is made to my server. Hence, I am looking for a way to get that information during the "member added to a group" PATCH call.

Secondly, is there a way to call Azure AD with the userID to get all the information about the user (if there is no way to get it in the PATCH /Groups call as requested above)?

Microsoft Security Microsoft Entra Microsoft Entra ID

2 answers

  1. Patchfox 4,176 Reputation points
    2023-02-28T20:20:50.3066667+00:00

    Hi M N, Shashank, I hope I can help you with this question.

    The example in the RFC protocol shows how to handle multi-values.

    RFC 7644               SCIM Protocol Specification        September 2015
    
    
       If the user was already a member of this group, no changes should be
       made to the resource, and a success response should be returned.
       The server responds with either the entire updated Group or no
       response body:
    
       HTTP/1.1 204 No Content
       Authorization: Bearer h480djs93hd8
       ETag: W/"b431af54f0671a2"
       Location:
       "https://example.com/Groups/acbf3ae7-8463-...-9b4da3f908ce"
    
       The following example shows how to add one or more attributes to a
       User resource without using a "path" attribute.
    
       PATCH /Users/2819c223-7f76-453a-919d-413861904646
       Host: example.com
       Accept: application/scim+json
       Content-Type: application/scim+json
       Authorization: Bearer h480djs93hd8
       If-Match: W/"a330bc54f0671c9"
    
       {
         "schemas":
           ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
         "Operations":[{
           "op":"add",
           "value":{
             "emails":[
               {
                 "value":"******@jensen.org",
                 "type":"home"
               }
             ],
             "nickname":"Babs"
         }]
       }
    
       In the above example, an additional value is added to the
       multi-valued attribute "emails".  The second attribute, "nickname",
       is added to the User resource.  If the resource already had an
       existing "nickname", the value is replaced per the processing rules
       above for single-valued attributes.
    

    https://www.rfc-editor.org/rfc/rfc7644#section-3.5.2:~:text=Hunt%2C%20et%20al.%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Standards%20Track%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5BPage%2037,processing%20rules%0A%20%20%20above%20for%20single%2Dvalued%20attributes.

    To your second question.

    The Get User Endpoint should give you more information about the user

    https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http#response-1

    Does this help you?


    If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.


  2. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2023-03-03T16:13:09.61+00:00

    Two questions - two answers.

    #1

    "Can I get more information besides the SCIM-enabled app's id value when a user is added as a member to a group"

    No. The members.value attribute is the only sub-attribute of the members attribute that we will populate. The only other relevant sub-attribute is $ref, which is just a resource URI pointing towards the actual object - a user in this scenario. Additional information cannot be provided as part of the group resource's members attribute, as it exists to reference other existing objects.

    As a second part of this question:

    NOTE: I don't have an option to store the email, first name, etc. when a POST call is made to my server. Hence, I am looking for a way to get that information during the "member added to a group" PATCH call.

    To ensure that we're on the same page - your SCIM server code does not have the ability to store the attribute values you're looking for information on when a POST to /Users is made for a given user? If so, you should really fix that, as it is a core functionality of a SCIM server. Managing data about users has to be done from the /Users endpoint, not via a roundabout call to /Groups.

    #2

    Secondly, is there a way to call Azure AD with the userID to get all the information about the user (if there is no way to get it in the PATCH /Groups call as requested above)?

    With the SCIM ID value? No. If the externalId attribute is populated by Azure AD's SCIM provisioning client, that is typically mapped to the Azure AD objectId value as a source. Assuming you have that information, write a client to call the MS Graph API's /Users endpoint, and have the right OAuth consent/permissions to make the calls to begin with. The OAuth piece is simple enough for a single-tenant internal app for your company, but is more challenging to get customer approval for if this is a multi-tenant/SaaS app with many customers using it.
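Added example, not code from the question, the RFC or Microsoft: a minimal in-memory SCIM handler in Python that does what both answers point at. It keeps the attributes sent on POST /Users, treats the "Add" op on "members" from the question idempotently as RFC 7644 describes, and resolves each member id against the stored users instead of expecting those attributes in the PATCH; ids referenced in the PATCH that were never created are rejected. All ids, names and the sample body are constructed.

```python
from typing import Dict, List, Tuple

# Added example, not the asker's server, the RFC's or Microsoft's code.
# In-memory SCIM store: user attributes are persisted on POST /Users, and a
# PATCH /Groups/{id} "members" add op is resolved back to those users by id.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USERS: Dict[str, dict] = {}   # SCIM user id -> stored user resource
GROUPS: Dict[str, dict] = {}  # SCIM group id -> {"members": [user ids]}


def create_user(user_id: str, resource: dict) -> dict:
    """POST /Users: keep the attributes the provisioning client sends once."""
    USERS[user_id] = {
        "id": user_id,
        # externalId is typically mapped from the Azure AD objectId
        "externalId": resource.get("externalId"),
        "userName": resource.get("userName"),
        "displayName": resource.get("displayName"),
        "name": resource.get("name", {}),
        "emails": resource.get("emails", []),
    }
    return USERS[user_id]


def patch_group_members(group_id: str, body: dict) -> Tuple[int, List[dict]]:
    """PATCH /Groups/{id}: returns (HTTP status, users resolved for added members)."""
    if body.get("schemas") != [PATCH_SCHEMA]:
        return 400, []                      # not a PatchOp message
    group = GROUPS.setdefault(group_id, {"members": []})
    resolved: List[dict] = []
    for op in body.get("Operations", []):
        # Azure AD sends "Add" (as in the question); RFC 7644 spells it "add".
        if op.get("op", "").lower() != "add" or op.get("path") != "members":
            continue
        for member in op.get("value", []):
            uid = member.get("value")       # the only sub-attribute populated
            if uid not in USERS:
                return 404, []              # only honour ids created via POST /Users
            if uid not in group["members"]:  # already a member: no change, still success
                group["members"].append(uid)
            resolved.append(USERS[uid])
    return 204, resolved                    # RFC 7644: 204 No Content is a valid reply


# Constructed sample mirroring the body in the question, with a placeholder id.
SAMPLE_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "Add", "path": "members", "value": [{"value": "user-001"}]}],
}
```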

