Azure AD SCIM provisioning - SCIM validators are failing for groups test cases when tested through Schema discovery

Ruchi 386 Reputation points
2023-11-06T05:30:29.29+00:00

The SCIM validator is failing for group test cases with the below error when it is tested through "Discover Schema". But the same test cases are passing when it is tested through "Use Default attributes".

Error:
Internal Server Error: The attribute members[type eq "User"].value for Group is not supported by the SCIM protocol.

**
JSON template we are using:

{"id": "urn:ietf:params:scim:schemas:core:2.0:Group",
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,160 questions
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 35,631 Reputation points Microsoft Employee
    2023-11-08T00:21:51.1466667+00:00

    Hi @Ruchi ,

    The only attributes you should need for groups testing are displayName and externalId (if you have implemented it). Group members will be tested even if it not present in the UI.

    The validation is failing for you because Azure AD's SCIM implementation does not use the "type" sub-attribute on the members attribute. The "type" isn't an attribute on the group schema. Rather, it's a sub-attribute of the complex "members" attribute. The SCIM Validator does test memberships even though the members attribute isn't listed there.

    There is a change planned in the future to make it clearer from the product standpoint and in the documentation that members are tested.

    Let me know if this helps and if you have further questions.

    See related thread for additional context.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information. Otherwise let us know if you have further questions.

    0 comments No comments

0 additional answers

Sort by: Most helpful