Entra ID SCIM - User deactivation sending extra name update

KT 46 Reputation points
2023-12-01T18:46:51.1166667+00:00

I am targeting a custom SCIM server, from a Microsoft Entra ID “enterprise application”.

I am seeing Azure/Entra ID sending requests of the following form when un-assigning a group from an application. The user in question is only assigned to the application via the group.

Path: PATCH /api/scim/v2/Users/b5c03480-6c3f-4296-9770-7be4c78af79f
Body: {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"Replace","path":"active","value":"False"},{"op":"Add","path":"name.formatted","value":"userto delete20231129a2"}]}

Note the two operations - one to deactivate the user (correctly), and one to update the user's name. No change was made to the user where this name update is expected. In the Provisioning Logs, I see the same.

I believe this is a bug. I expect that when removing a group from an application, the users in that group will have active set to false, and no other change be included in that request.

Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee
    2023-12-01T19:27:21.6766667+00:00

    @KT ,

    I shared your description with a SCIM expert on my team who believes that this issue is likely by design, but it is not possible to know with just the information provided here.

    It is likely that something changed in the SCIM app, and upon comparison AAD/Entra Provisioning saw that AAD had value A and the SCIM app had value B for the name.formatted, and then included a correction to it.

    I would recommend creating a support case to get this investigated in detail. If you send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this post, I can open a one-time free support ticket on your behalf.

    1 person found this answer helpful.
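An added example, not part of the original thread and not Microsoft's code: a minimal Python handler for the PATCH body in the question. It lowercases `op`, coerces the string `"False"` to a boolean, and applies both operations together, so the extra `name.formatted` write cannot block the deactivation. `STORED_USER`, its out-of-sync name, and the function names are assumptions; only simple dotted paths with add/replace are handled.

```python
import copy
import json

# Constructed stored record: id from the question, name deliberately out of sync.
STORED_USER = {
    "id": "b5c03480-6c3f-4296-9770-7be4c78af79f",
    "active": True,
    "name": {"formatted": "userto delete"},
}

# PATCH body from the question, without the stray trailing characters.
PATCH_BODY = (
    '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":['
    '{"op":"Replace","path":"active","value":"False"},'
    '{"op":"Add","path":"name.formatted","value":"userto delete20231129a2"}]}'
)
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
BOOLEAN_PATHS = {"active"}


def coerce(path, value):
    """Map the string booleans seen in the request ("False") to real booleans."""
    if path.lower() in BOOLEAN_PATHS and isinstance(value, str):
        if value.lower() not in ("true", "false"):
            raise ValueError(f"invalid boolean for {path}: {value!r}")
        return value.lower() == "true"
    return value


def apply_patch(user, body):
    """Apply add/replace ops to a copy; return (updated_user, changed_paths)."""
    request = json.loads(body)
    if PATCH_SCHEMA not in request.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated, changed = copy.deepcopy(user), []
    for operation in request["Operations"]:
        if operation["op"].lower() not in ("add", "replace"):  # request sends "Replace"/"Add"
            raise ValueError(f"unsupported op: {operation['op']}")
        *parents, leaf = operation["path"].split(".")
        value = coerce(operation["path"], operation["value"])
        node = updated
        for key in parents:
            node = node.setdefault(key, {})
        if node.get(leaf) != value:  # record only real changes, for audit logging
            node[leaf] = value
            changed.append(operation["path"])
    return updated, changed
```

Logging `changed_paths` per request shows whether a `name.formatted` operation actually altered the stored value, which is the comparison the answer describes.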
