Azure AD SCIM provisioning calls not made from documented CIDR range IP addresses

Connected Identity 40 Reputation points
2023-08-30T11:02:02.3+00:00

Our SCIM server is deployed in an environment that is not exposed to the public internet (the SCIM APIs are only accessible internally via the company VPN unless the caller's IPs are whitelisted). For Azure AD SCIM provisioning to work, we have whitelisted the Microsoft Azure CIDR ranges so that calls originating from these IPs can reach our SCIM endpoints.

We have picked the CIDR blocks to whitelist from https://learn.microsoft.com/en-us/azure/databricks/administration-guide/users-groups/scim/aad#azure-active-directory-provisioning-service-ip-range-not-accessible

But we see that calls are made from different IPs which are not in the documented CIDR ranges (the IPs from which the Azure AD SCIM provisioning calls were made are listed below). Due to this, provisioning is failing.

20.190.151.34
20.190.153.36
20.190.155.25
40.126.2.43
40.126.27.34
40.126.4.45
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
Danny Zollner 10,821 Reputation points Microsoft Employee Moderator
2023-08-30T15:06:02.62+00:00

The IP address ranges that can be used change over time, and the documentation is updated ahead of time to include those new ranges. In the current JSON file I see the ranges 40.126.0.0/18 and 20.190.128.0/18 in the AzureActiveDirectory tag, and those ranges combined cover all of the IP addresses you listed above.
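A practical way to verify the answer above, and to re-check an allowlist whenever the published ranges change, is to read the `addressPrefixes` of the relevant service tag from the Azure IP Ranges and Service Tags JSON and test each observed source IP against them. The script below is an added example, not code from the question author, the answerer or Microsoft. The JSON embedded in it is a constructed snippet in the shape of that file, containing only the `AzureActiveDirectory` tag with the two ranges named in the answer; in practice you would load the real downloaded file instead. The IP `203.0.113.5` is a constructed out-of-range address (documentation space) used to show what an uncovered caller looks like.

```python
import ipaddress
import json

# Constructed sample shaped like the Azure "IP Ranges and Service Tags" JSON.
# Only the AzureActiveDirectory tag is included, with the two /18 ranges
# mentioned in the accepted answer. Replace with the real file in production.
SAMPLE_SERVICE_TAGS_JSON = """
{
  "values": [
    {
      "name": "AzureActiveDirectory",
      "properties": {
        "addressPrefixes": [
          "20.190.128.0/18",
          "40.126.0.0/18"
        ]
      }
    }
  ]
}
"""

# Source IPs reported in the question.
OBSERVED_IPS = [
    "20.190.151.34",
    "20.190.153.36",
    "20.190.155.25",
    "40.126.2.43",
    "40.126.27.34",
    "40.126.4.45",
]


def load_prefixes(service_tags_json, tag_name):
    """Return the address prefixes of one service tag as ip_network objects."""
    data = json.loads(service_tags_json)
    for entry in data["values"]:
        if entry["name"] == tag_name:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag_name!r} not found in JSON")


def classify_ips(ips, prefixes):
    """Map each IP to the prefix that covers it, or None if no prefix matches.

    ipaddress handles mixed IPv4/IPv6 safely: an IPv4 address is never
    reported as contained in an IPv6 network (and vice versa).
    """
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((str(p) for p in prefixes if addr in p), None)
    return result


def uncovered_ips(ips, prefixes):
    """Return the IPs that no prefix of the service tag covers.

    A non-empty list means the allowlist is stale or the caller is not
    the provisioning service; either way it warrants investigation
    rather than blindly adding the IP to the allowlist.
    """
    return [ip for ip, match in classify_ips(ips, prefixes).items() if match is None]


if __name__ == "__main__":
    aad_prefixes = load_prefixes(SAMPLE_SERVICE_TAGS_JSON, "AzureActiveDirectory")
    for ip, match in classify_ips(OBSERVED_IPS + ["203.0.113.5"], aad_prefixes).items():
        print(f"{ip:>16}  ->  {match or 'NOT COVERED'}")
```

Running it with the constructed data shows all six observed addresses matched by one of the two /18 ranges and the constructed `203.0.113.5` flagged as not covered. Because the ranges in the published JSON change over time, the useful operational practice is to run this kind of check on a schedule against the freshly downloaded file and alert on any difference, rather than hand-copying CIDR blocks from a documentation page once.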

