Azure AD SCIM 2.0 roles is empty, active and enabled are false

Leila Sahebjamee 65 Reputation points
2023-05-31T20:20:53.5433333+00:00

Hi there, in Azure AD I set up SCIM, which is working great. However, for some reason roles are never sent, and Active and Enabled are set to false.

Attributes List: (screenshot, not reproduced)

Attributes Mapping: (screenshot, not reproduced)

Azure provisioning log: (screenshot, not reproduced)

Roles, enabled and active definitions in our SCIM schema:

[
    {
        "description": "A Boolean value indicating the User's administrative status. Dependent on if a user is enabled and their current Subscription status",
        "multiValued": false,
        "mutability": "readOnly",
        "name": "active",
        "required": false,
        "returned": "default",
        "type": "boolean"
    },
    {
        "description": "A Boolean value indicating if the User is currently enabled",
        "multiValued": false,
        "mutability": "readWrite",
        "name": "enabled",
        "required": false,
        "returned": "default",
        "type": "boolean"
    },
    {
        "canonicalValues": ["Org Admin", "Team Admin", "Workflow Admin", "Active Team User", "Lite Team User"],
        "description": "A list of roles for a User that collectively represent a users permissions within a organization e.g, 'Org Admin', 'Active Team User'",
        "multiValued": false,
        "mutability": "readWrite",
        "name": "roles",
        "required": false,
        "returned": "default",
        "type": "string"
    }
]

SCIM GET response body for the provisioned user:

{
    "active": false,
    "enabled": false,
    "externalId": "blah-blah-blah",
    "id": "1240",
    "meta": {
        "created": "2023-05-31 18:29:23.179042",
        "lastModified": "2023-05-31 18:29:23.590285",
        "location": "https://api.blah",
        "resourceType": "User"
    },
    "roles": "",
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "timezone": "UTC",
    "userName": "blah123@blah.com"
}
Microsoft Entra ID

Accepted answer
Danny Zollner 9,861 Reputation points Microsoft Employee
2023-06-01T00:20:36.04+00:00

Your SCIM implementation isn't compliant with the SCIM spec. The roles attribute as defined in the spec is a complex multi-valued attribute, not a single-valued string. Enabled is also not an attribute in the SCIM spec - active is what you're looking for there.

While you can make custom schema extension attributes - such as urn:ietf:params:scim:schemas:extension:YourAppName:2.0:User:myAppRole or urn:ietf:params:scim:schemas:Extension:YourAppName:2.0:User:enabled, those would also not be in line with the guidance in the SCIM spec because it advises to not duplicate functionality of existing attributes (SCIM core schema roles attribute + active attribute, respectively) via custom extensions.

Your payloads aren't coming through as expected because you're trying to use a switch to turn output that is intended for a complex multi-valued attribute into a single-valued string. For any attributes not present in the core schema for a resource (the core user schema in this case), you also must use the full schema URN prefix, rather than just using a short name like "enabled", which is only allowed for core schema attributes.

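The following Python script is an added example, not code from the question, the answer, or Azure AD's provisioning service. It turns the three points in the accepted answer into checks that run against the attribute definitions and GET response posted in the question: roles must be a multi-valued complex attribute (RFC 7643 section 4.1.2), enabled is not a core User attribute and active is, and any non-core attribute must live under an extension schema referenced by its full URN. It then rebuilds the posted user in the compliant shape. The extension URN uses the "YourAppName" placeholder form from the answer, the "subscriptionStatus" extension attribute is hypothetical (the question's description of active mentions subscription status, but no such attribute is defined on the page), and the expected characteristics of active and roles are those RFC 7643 section 8.7.1 lists.

```python
# Added example: checks a SCIM service's attribute definitions and a User resource
# against the rules the accepted answer cites from RFC 7643, then rebuilds the user.
import json

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Extension URN of the form the answer suggests; "YourAppName" is a placeholder.
EXT_SCHEMA = "urn:ietf:params:scim:schemas:extension:YourAppName:2.0:User"

# Common attributes (RFC 7643 section 3.1) and core User attributes (section 4.1).
COMMON_ATTRS = {"schemas", "id", "externalId", "meta"}
CORE_USER_ATTRS = {
    "userName", "name", "displayName", "nickName", "profileUrl", "title",
    "userType", "preferredLanguage", "locale", "timezone", "active", "password",
    "emails", "phoneNumbers", "ims", "photos", "addresses", "groups",
    "entitlements", "roles", "x509Certificates",
}
# Characteristics RFC 7643 section 8.7.1 gives for the two attributes at issue.
EXPECTED = {
    "active": {"type": "boolean", "multiValued": False, "mutability": "readWrite"},
    "roles": {"type": "complex", "multiValued": True, "mutability": "readWrite"},
}

# Inputs taken from the question: the posted attribute definitions (trimmed to the
# fields checked here) and the GET response body with its string "roles" and bare "enabled".
POSTED_ATTRS = [
    {"name": "active", "type": "boolean", "multiValued": False, "mutability": "readOnly"},
    {"name": "enabled", "type": "boolean", "multiValued": False, "mutability": "readWrite"},
    {"name": "roles", "type": "string", "multiValued": False, "mutability": "readWrite",
     "canonicalValues": ["Org Admin", "Team Admin", "Workflow Admin",
                         "Active Team User", "Lite Team User"]},
]
POSTED_USER = json.loads("""{
    "active": false, "enabled": false, "externalId": "blah-blah-blah", "id": "1240",
    "meta": {"resourceType": "User", "location": "https://api.blah"},
    "roles": "", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "timezone": "UTC", "userName": "blah123@blah.com"}""")


def check_attribute_definition(attr):
    """Return the problems with one attribute definition from a /Schemas document."""
    name = attr.get("name", "")
    problems = []
    if name in EXPECTED:
        for key, want in EXPECTED[name].items():
            got = attr.get(key)
            if got != want:
                problems.append(f"{name}.{key} is {got!r}; RFC 7643 defines it as {want!r}")
    elif name not in CORE_USER_ATTRS:
        # Non-core attributes cannot use a bare short name: they belong to an
        # extension schema and are referenced with the full URN prefix.
        problems.append(f"{name!r} is not a core User attribute; define it under an "
                        f"extension schema and reference it as {EXT_SCHEMA}:{name}")
    return problems


def check_user_resource(user):
    """Return the problems with a User representation as returned by GET /Users/{id}."""
    problems = []
    declared = set(user.get("schemas", []))
    for key in user:
        if key in COMMON_ATTRS or key in CORE_USER_ATTRS:
            continue
        if key in declared and key != CORE_USER_SCHEMA:
            continue  # extension attributes nested under a declared extension URN
        problems.append(f"top-level {key!r} is neither a core attribute nor a declared extension URN")
    roles = user.get("roles")
    if roles is not None and not isinstance(roles, list):
        problems.append(f"roles must be multi-valued (a list), got {type(roles).__name__}")
    elif roles:
        for i, role in enumerate(roles):
            if not isinstance(role, dict) or "value" not in role:
                problems.append(f"roles[{i}] must be a complex value with a 'value' sub-attribute")
    return problems


def to_compliant_user(user, roles, active, extension=None):
    """Rebuild a user the way the answer describes: the core 'active' flag carries the
    enabled/disabled state, 'roles' is a list of complex values (value + primary), and
    genuinely app-specific data (hypothetical here) sits under an extension URN."""
    out = {k: v for k, v in user.items() if k not in ("roles", "enabled", "active")}
    out["schemas"] = [CORE_USER_SCHEMA]
    out["active"] = active
    out["roles"] = [{"value": r, "primary": i == 0} for i, r in enumerate(roles)]
    if extension:
        out["schemas"].append(EXT_SCHEMA)
        out[EXT_SCHEMA] = extension
    return out


if __name__ == "__main__":
    for attr in POSTED_ATTRS:
        for p in check_attribute_definition(attr):
            print("schema:", p)
    for p in check_user_resource(POSTED_USER):
        print("resource:", p)
    fixed = to_compliant_user(POSTED_USER, ["Org Admin"], True,
                              extension={"subscriptionStatus": "active"})  # hypothetical
    print(json.dumps(fixed, indent=2))
    print("problems after rebuild:", check_user_resource(fixed))
```

Run as a script it reports the two roles mismatches (type and multiValued), the bare "enabled" in both the schema and the GET body, and then prints the rebuilt user, which passes the resource check. The one finding the answer does not raise is active.mutability: the posted definition marks it readOnly, while RFC 7643 section 8.7.1 defines active as readWrite, and a readOnly attribute is by definition one a client is not supposed to modify.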
