How to fix SCIM provisioning errors

Ravichandran, Gopi Krishna 161 Reputation points
2023-03-02T08:16:36.39+00:00

Hello,

I am reviewing our Azure SCIM Provisioning logs for an application that syncs the users from Azure AD Groups. I found the errors below popping up frequently for many users, and also noticed that the user is being deactivated in the application. In reality, the user is active in Azure AD.

Appreciate your help to fix these errors. Let me know if you need any more details.

Type: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Details

Error code: SystemForCrossDomainIdentityManagementServiceIncompatibleFiltering

Error message: StatusCode: Conflict Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: { "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "status" : "409", "detail" : "User must be Active." }. This operation was retried 0 times. It will be retried again after this date: 2023-03-02T07:43:56.6507375Z UTC


Accepted answer
  1. Danny Zollner 9,871 Reputation points Microsoft Employee
    2023-03-02T15:58:50.9166667+00:00

    That message is being generated by the external SCIM server that AAD Provisioning is communicating with. It sounds like it doesn't like the attempts at disabling the user.

    To touch on what can lead to a user being disabled - any of:

    • The user was unassigned from the application/removed from any groups assigned to the application
    • The user was disabled in AAD
    • The user was soft-deleted in AAD (i.e.: recycle bin)
    • The user was filtered by scoping filters

    The error response code is interesting - 409 is usually used for conflicts during creation. Do the audit logs in AAD say that a user was trying to be created or updated? If a user is trying to be created with active = false, your mappings may be misconfigured for the active attribute. Typically it should be Not([isSoftDeleted]) -> active.
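
As an added example (not code from the question or the answer above), a small Python triage helper that pulls the SCIM Error body out of the provisioning-log message and computes the `active` value the recommended `Not([isSoftDeleted]) -> active` mapping would send, taking into account the four deactivation triggers listed in the answer; the user-state field names (`assigned`, `in_scope`, `accountEnabled`, `isSoftDeleted`) and the verdict strings are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the error message text as it appears in the question.
SAMPLE_MESSAGE = (
    "StatusCode: Conflict Message: Processing of the HTTP request resulted in an exception. "
    "Please see the HTTP response returned by the 'Response' property of this exception for details. "
    'Web Response: { "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ], '
    '"status" : "409", "detail" : "User must be Active." }. '
    "This operation was retried 0 times. It will be retried again after this date: "
    "2023-03-02T07:43:56.6507375Z UTC"
)

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def parse_web_response(message: str) -> dict:
    """Extract the SCIM Error document the target app returned, which Entra embeds
    verbatim in the log message. Returns {} when no SCIM error body is present
    (e.g. a transport or authentication failure on the provisioning side)."""
    m = re.search(r"Web Response:\s*(\{.*?\})\.\s*This operation", message, re.S)
    if not m:
        return {}
    body = json.loads(m.group(1))
    if SCIM_ERROR_SCHEMA not in body.get("schemas", []):
        return {}
    return {"status": int(body["status"]), "detail": body.get("detail", "")}


def expected_active(user: dict) -> bool:
    """The 'active' value Entra would send: Not([isSoftDeleted]), and false when any of
    the deactivation triggers from the answer applies (unassigned, out of scope, disabled).
    Field names are assumed for this illustration."""
    if not user["assigned"] or not user["in_scope"]:
        return False
    if not user["accountEnabled"]:
        return False
    return not user["isSoftDeleted"]


def triage(message: str, user: dict) -> str:
    """Classify one log entry against the user's Entra state (verdicts are illustrative)."""
    err = parse_web_response(message)
    if not err:
        return "provisioning-service error (no SCIM body): check Entra side"
    if err["status"] == 409 and not expected_active(user):
        return "target app rejected a legitimate deactivation: fix the app's PATCH handling"
    if err["status"] == 409:
        return "deactivation attempted for an active user: check the active attribute mapping"
    return f"target app returned {err['status']}: {err['detail']}"
```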

