How to scope User SCIM provisioning based on App Roles

Justin Seaman - Admin 0 Reputation points

TL DR: What's the problem?

I don't see any output for users when testing 'AppRoleAssignmentsComplex([appRoleAssignments])' in Expression Builder. How do I see this output in the context of a specific app, and test how conditional logic around it will impact User provisioning scope or provisioned fields?


GitHub Enterprise Managed Users relies on Azure AD SCIM provisioning as its only source of configuration of user information/management. The out-of the box user provisioner looks like this:

User's image

I also have 2 types of Groups I want to pass through to the provisioner:

I have essentially accomplished this by setting the License level groups with the appropriate role, and setting the M365 groups with a role of "Restricted User". However, this leads to excessive API calls through SCIM with numerous errors, for each appearance of an unlicensed user.

How to solve this?

I think the best way to solve this would be to use either a Scoping Rule, which ignores users who do not have one of the actual roles like "User", "Enterprise Owner", "Billing Contact", etc. assigned. Another way to solve this would be use similar logic to set the 'active' attribute to false if the user does not have these roles assigned.

What is the issue?

I cannot find a way to query the user's appRoles in Expression Builder. Everytime I try to use "AppRoleAssignmentsComplex([appRoleAssignments]) in Expression Builder, I get null for output. Will this work to get the list of App Role assignments in the SCIM provisioning? What is the expected ouput? I am warry to edit this on our production connection, any suggestions on how best to test the resulting output and logic filtering around this field?

User's image

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,500 questions
Microsoft Graph Users API
Microsoft Graph Users API
A Microsoft API that allows you to build compelling app experiences based on users, their relationships with other users and groups, and the resources they access for example their mails, calendars, files, administrative roles, group memberships.
636 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Danny Zollner 6,071 Reputation points Microsoft Employee

    It is not supported to build scoping filters off of the appRoleAssignments attribute, either with or without a function processing the value of it. I believe there is an item in our engineering backlog to remove this value from the scoping filters UI. Apologies for the bad experience here.