How to fix SCIM provisioning errors

Ravichandran, Gopi Krishna 161 Reputation points
2023-03-02T08:16:36.39+00:00

Hello,

I am reviewing our Azure SCIM Provisioning logs for an application that syncs the users from Azure AD Groups. Found the below errors popping up frequently to many users and also noticed that the user is being deactivated in the application. In reality, the user is active in Azure AD.

Appreciate your help to fix these errors. Let me know if you need any more details.

Type

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Details

Error code

SystemForCrossDomainIdentityManagementServiceIncompatibleFiltering

Error message

StatusCode: Conflict Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: { "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "status" : "409", "detail" : "User must be Active." }. This operation was retried 0 times. It will be retried again after this date: 2023-03-02T07:43:56.6507375Z UTC

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,303 questions
{count} votes

Accepted answer
  1. Danny Zollner 9,496 Reputation points Microsoft Employee
    2023-03-02T15:58:50.9166667+00:00

    That message is being generated by the external SCIM server that AAD Provisioning is communicating with. It sounds like it doesn't like the attempts at disabling the user.

    To touch on what can lead to a user being disabled - any of:

    • The user was unassigned from the application/removed from any groups assigned to the application
    • The user was disabled in AAD
    • The user was soft-deleted in AAD (i.e.: recycle bin)
    • The user was filtered by scoping filters

    The error response code is interesting - 409 is usually used for conflicts during creation. Do the audit logs in AAD say that a user was trying to be created or updated? If a user is trying to be created with active = false, your mappings may be misconfigured for the active attribute. Typically it should be Not([isSoftDeleted]) -> active.


0 additional answers

Sort by: Most helpful