Azure AD SCIM provisioning application - quarantine status

Ruchi 386 Reputation points
2023-06-27T14:29:31.51+00:00

Hi,

Please provide responses to the queries below related to quarantining a SCIM application.

  1. Azure documentation says the application would be quarantined for the following conditions - EncounteredQuarantineException, EncounteredEscrowProportionThreshold and QuarantineOnDemand. Will the application be auto-resumed when the quarantine situation gets resolved for any of the scenarios?
  2. If the SCIM server endpoint throws an exception (for instance, a database connectivity issue) for all the sync requests from the Azure SCIM connector application for some time period, probably, say, 4-5 hours, will it quarantine the SCIM application?
  3. When will the "Retry duration" mentioned in the document get applied? Would it be applicable for question 2 above?
    https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-quarantine-status#why-is-my-application-in-quarantine
  4. Are there any specific exceptions from the SCIM server endpoint which could be handled gracefully to apply retry logic without quarantining the SCIM application?
  5. Is it possible to customize the quarantine behaviour while onboarding a gallery application for any SaaS application?

Accepted answer
  1. Danny Zollner 10,491 Reputation points Microsoft Employee
    2023-06-27T16:09:22.1266667+00:00

    Quarantine is the system's way of identifying "An overwhelmingly high number of the operations being attempted are failing" without wasting resources (compute, network traffic). It will self-recover and leave quarantine on the next cycle where the criteria that caused it to enter the quarantine state are no longer met. If it's a temporary issue like an outage/maintenance then during testing you can manually restart the provisioning job. For customers using this at scale (i.e.: a gallery multi-tenant app), it will self recover on its own and no action can be taken by the SCIM server to expedite that.

    Specific answers to your questions:

    1. Yes.
    2. Yes.
    3. Immediately - exact interval isn't documented, but it's an exponential backoff and roughly can be thought of as 30m -> 1h -> 2h -> 4h -> 8h.. ish.. so if there's a temporary outage lasting for an hour or less, everything should in turn recover within 1-2 hours as it'd probably be between the 2nd and 3rd retries.
    4. Per-object failures are held to be retried and generate what can be referred to as retries or "escrows", if you accumulate enough of those then you'll hit quarantine - OR if there's a global failure (server down, failing initial startup test calls..). If there's a global issue then there is no avoiding entering quarantine, nor should there be.
    5. No.
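
To put numbers on the backoff described in the accepted answer, here is an added example (not code from Microsoft or from either poster) that estimates which quarantine retry first lands after a SCIM endpoint outage ends and how long provisioning stays stalled after the fix. It assumes the answer's rough figures are gaps between consecutive retries, that the last gap repeats once the list runs out, and that quarantine begins when the outage does; the function and parameter names are hypothetical.

```python
from itertools import chain, repeat

# Rough retry gaps in minutes, from the answer above ("30m -> 1h -> 2h -> 4h -> 8h.. ish").
# The exact intervals are not documented, so these are approximations.
APPROX_GAPS_MIN = (30, 60, 120, 240, 480)


def retry_times(gaps=APPROX_GAPS_MIN):
    """Yield (attempt_number, minutes_since_quarantine_start) for each retry.

    Assumption: each value is the gap between consecutive retries, and the
    last gap repeats once the listed schedule is exhausted.
    """
    elapsed = 0
    for attempt, gap in enumerate(chain(gaps, repeat(gaps[-1])), start=1):
        elapsed += gap
        yield attempt, elapsed


def estimate_recovery(outage_min, quarantine_start_min=0, gaps=APPROX_GAPS_MIN):
    """Return (attempt, recovery_minute, stall_after_fix_minutes).

    outage_min: how long the SCIM endpoint fails every request, from t=0.
    quarantine_start_min: when the job entered quarantine (assumed t=0).
    A retry clears quarantine only if it fires once the endpoint is healthy.
    """
    if outage_min < 0 or quarantine_start_min < 0:
        raise ValueError("durations must be non-negative")
    for attempt, offset in retry_times(gaps):
        fires_at = quarantine_start_min + offset
        if fires_at >= outage_min:
            return attempt, fires_at, fires_at - outage_min


if __name__ == "__main__":
    # Constructed outage lengths: 45 min, 1 h, and the 4-5 h case from question 2.
    for outage in (45, 60, 240, 300):
        attempt, at, lag = estimate_recovery(outage)
        print(f"outage {outage:>3} min -> retry #{attempt} at {at} min, "
              f"{lag} min of extra stall after the endpoint is fixed")
```

Under these assumptions the extra stall after a fix grows with the outage length, which is worth factoring into alerting on provisioning lag for a gallery app where the job cannot be restarted from the SCIM server side.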
