Role attributes are always in the body for patch request

Dabryian, Andrei 65 Reputation points
2023-06-21T02:20:21.8633333+00:00

Steps to reproduce:

  1. Add (provision) user using provision on demand in Azure


Result:
Patch operation is initiated with the scope of updates:

  • name.givenName from stored value to updated value
  • roles - from original target value that is empty to {"id":"{{AzureIdentifier}}","value":"Member","displayName":"Member"}

As a result, Azure will try to update all provisioned users every provisioning cycle (40 min) even if a user was not updated.

Extract from logs:
RequestBody: {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","path":"roles","value":[{"primary":false,"type":"WindowsAzureActiveDirectoryRole","display":"Member","value":"Member"}]},{"op":"replace","value":{"active":true,"name.givenName":"UserupdatedAgain"}}]}


Expected result:
PATCH operation is performed only for changed attributes:

  • name.givenName from stored value to updated value

Is it possible to fix this behavior?


Accepted answer
Danny Zollner 10,571 Reputation points Microsoft Employee
2023-06-21T04:07:24.4+00:00

Two separate issues here I think - provisioning on demand with roles and the value for the role being sent on every cycle.

For the first one, https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/provision-on-demand?pivots=app-provisioning#known-limitations - On-demand provisioning of roles isn't supported. <-- Edit: WRONG - See comments below.

For the second one, there isn't as clear of an answer. Generally, if something is being retried every cycle it is either because the request failed and generated an error that is being retried, or because something changed on the user and it is being reevaluated. If in the latter case the user is being reevaluated and there is a mismatch in data between what AAD Provisioning is expecting to be there and what is returned on the GET request to read the current state of that user, that's when you'll see a seemingly redundant request.

If possible, can you share not only the PATCH request but also the current state of the user that is returned in the GET that is done before the PATCH? Most attributes don't matter, the format of the roles attribute and the name.givenName attribute are relevant though. For the name.givenName attribute, as you may not want to provide it - is the value being returned on the GET truly identical to what is sent via PATCH?
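The comparison the accepted answer asks for (the state returned by the GET versus the PatchOp payload from the question's log), as an added Python example that is not code from the question, the answer or Microsoft. The GET response, the placeholder ids and the `match_roles_by` option are constructed assumptions; the PATCH body is the one quoted in the question.

```python
import json

# Constructed sample: the PatchOp body quoted in the question's log extract.
PATCH_BODY = json.loads(
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],'
    '"Operations":[{"op":"add","path":"roles","value":[{"primary":false,'
    '"type":"WindowsAzureActiveDirectoryRole","display":"Member","value":"Member"}]},'
    '{"op":"replace","value":{"active":true,"name.givenName":"UserupdatedAgain"}}]}'
)

# Constructed sample GET response: roles stored in a different shape (extra "id",
# "displayName" rather than "display"), so it never compares equal to the PATCH value.
GET_USER = {
    "id": "PLACEHOLDER-USER-ID",
    "active": True,
    "name": {"givenName": "UserupdatedAgain", "familyName": "Example"},
    "roles": [{"id": "PLACEHOLDER-ROLE-ID", "value": "Member", "displayName": "Member"}],
}

def _get_path(user, path):
    """Resolve a dotted SCIM attribute path such as 'name.givenName'."""
    node = user
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def classify_operations(user, patch, match_roles_by=None):
    """Map each attribute the PATCH touches to 'redundant' (GET already holds that
    value) or 'change'. With match_roles_by set (e.g. "value"), role entries are
    compared on that key only, which removes the shape mismatch shown above."""
    result = {}
    for op in patch["Operations"]:
        # A replace without a path carries a dict of attribute -> value.
        targets = {op["path"]: op["value"]} if "path" in op else op["value"]
        for path, wanted in targets.items():
            current = _get_path(user, path)
            if op["op"] == "add" and isinstance(current, list):
                if match_roles_by:
                    have = {r.get(match_roles_by) for r in current}
                    same = all(v.get(match_roles_by) in have for v in wanted)
                else:
                    same = all(v in current for v in wanted)
            else:
                same = current == wanted
            result[path] = "redundant" if same else "change"
    return result
```

With the constructed GET response, `active` and `name.givenName` come back as redundant while `roles` shows as a change purely because of the differing JSON shape; comparing roles on `value` alone makes it redundant too.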

