It is not supported to build scoping filters off of the appRoleAssignments attribute, either with or without a function processing the value of it. I believe there is an item in our engineering backlog to remove this value from the scoping filters UI. Apologies for the bad experience here.
How to scope User SCIM provisioning based on App Roles

TL DR: What's the problem?
I don't see any output for users when testing 'AppRoleAssignmentsComplex([appRoleAssignments])' in Expression Builder. How do I see this output in the context of a specific app, and test how conditional logic around it will impact User provisioning scope or provisioned fields?
Background
GitHub Enterprise Managed Users relies on Azure AD SCIM provisioning as its only source of configuration of user information/management. The out-of the box user provisioner looks like this:
I also have 2 types of Groups I want to pass through to the provisioner:
- License level groups: Security Groups which use Roles like User, Enterprise Owner, Admin, etc. which consume a license for a user
- Permission set groups: M365 Groups with "isSecurityEnabled=True" which are used to set GitHub Team memberships which match the M365 Teams ONLY IF the user is already licensed (For details on GitHub IdP teams https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups).
I have essentially accomplished this by setting the License level groups with the appropriate role, and setting the M365 groups with a role of "Restricted User". However, this leads to excessive API calls through SCIM with numerous errors, for each appearance of an unlicensed user.
How to solve this?
I think the best way to solve this would be to use either a Scoping Rule, which ignores users who do not have one of the actual roles like "User", "Enterprise Owner", "Billing Contact", etc. assigned. Another way to solve this would be use similar logic to set the 'active' attribute to false if the user does not have these roles assigned.
What is the issue?
I cannot find a way to query the user's appRoles in Expression Builder. Everytime I try to use "AppRoleAssignmentsComplex([appRoleAssignments]) in Expression Builder, I get null for output. Will this work to get the list of App Role assignments in the SCIM provisioning? What is the expected ouput? I am warry to edit this on our production connection, any suggestions on how best to test the resulting output and logic filtering around this field?