How to scope User SCIM provisioning based on App Roles

Question

TL DR: What's the problem?

I don't see any output for users when testing 'AppRoleAssignmentsComplex([appRoleAssignments])' in Expression Builder. How do I see this output in the context of a specific app, and test how conditional logic around it will impact User provisioning scope or provisioned fields?

Background

GitHub Enterprise Managed Users relies on Azure AD SCIM provisioning as its only source of configuration of user information/management. The out-of the box user provisioner looks like this:

I also have 2 types of Groups I want to pass through to the provisioner:

• License level groups: Security Groups which use Roles like User, Enterprise Owner, Admin, etc. which consume a license for a user
• Permission set groups: M365 Groups with "isSecurityEnabled=True" which are used to set GitHub Team memberships which match the M365 Teams ONLY IF the user is already licensed (For details on GitHub IdP teams https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups).

I have essentially accomplished this by setting the License level groups with the appropriate role, and setting the M365 groups with a role of "Restricted User". However, this leads to excessive API calls through SCIM with numerous errors, for each appearance of an unlicensed user.

How to solve this?

I think the best way to solve this would be to use either a Scoping Rule, which ignores users who do not have one of the actual roles like "User", "Enterprise Owner", "Billing Contact", etc. assigned. Another way to solve this would be use similar logic to set the 'active' attribute to false if the user does not have these roles assigned.

What is the issue?

I cannot find a way to query the user's appRoles in Expression Builder. Everytime I try to use "AppRoleAssignmentsComplex([appRoleAssignments]) in Expression Builder, I get null for output. Will this work to get the list of App Role assignments in the SCIM provisioning? What is the expected ouput? I am warry to edit this on our production connection, any suggestions on how best to test the resulting output and logic filtering around this field?

Answer 1

It is not supported to build scoping filters off of the appRoleAssignments attribute, either with or without a function processing the value of it. I believe there is an item in our engineering backlog to remove this value from the scoping filters UI. Apologies for the bad experience here.

Answer 2

Guess it's the same post as on Stack Overflow, so will just post the answer here too.

We worked around this with scope filters with extension attributes in Azure AD. You basically set the attribute value based on the user's membership and let the scope filters do the rest. Works for us in Bitwarden, and if we ever move from AzDO to GHE, this will probably be the way. I am quite sad that it is not supported out of box.

You can use it for scopes, role values etc. all based on group memberships. Should be easy enough and straightforward to replicate to other scenarios.

Recently blogged about this with full automation via Azure Functions - https://hajekj.net/2023/09/18/entra-id-user-and-group-provisioning-with-bitwarden/