Failing to unassign Connectivity agent and failing to connect in On-premises SCIM app

Igor Meszaros 51 Reputation points
2024-02-13T17:04:49.9666667+00:00

I have multiple issues with both an existing On-premises SCIM app and with a newly created one as well.

  1. With the existing one that I have had working in the past:
    I have multiple agents across different systems I have used with this app in the past, and I always pick and choose the one that I want to use. When I want to select a new agent on a running VM that I have set up and press Assign Agent(s), I get an error saying "We encountered an error while updating agent(s) of On-premises SCIM app". I have found a workaround for this error by selecting all the agents, assigning, and then selecting the one I want. However, when I do this and try to Test Connection using the Admin Credentials, I get back an InternalServerError; however, I see no errors in my event logs.
  2. I have tried working around this issue by creating a brand new On-premises SCIM app:
    There, when I try to test connection, my agent seems to be hit and I see an error about failing to convert a JSON object to a user model. I would assume this would be due to mapping, but I don't see the Mappings section that is available in my existing app.

When I click on More events in the activity log there's nothing there.

Edit: I'm following these steps:
https://learn.microsoft.com/en-us/entra/identity/app-provisioning/on-premises-scim-provisioning#install-and-configure-the-microsoft-entra-connect-provisioning-agent

Thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2024-02-14T05:40:32.62+00:00

    @Igor Meszaros Thank you for reaching out to us. As I understand, you are setting up an On-premises SCIM app with Entra ID.

    InternalServerError occurs mostly due to a configuration issue on the application side; as you mentioned, you have built the app again and bypassed this issue.

    Could you provide a screenshot of this error "failing to convert a json object to a user model" to have a better understanding of the issue?

    Also, you can enable verbose logging for the Provisioning Agent to troubleshoot further on this issue.

    By default, the agent provides very minimal error messages and stack trace information. You can find these trace logs in the folder: C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace

    Follow the steps here to gather additional details for troubleshooting agent-related issues.

    Stop the service “Microsoft Azure AD Connect Provisioning Agent”

    Create a copy of the original config file: C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe.config

    Replace the existing <system.diagnostics> section with the following, and all trace messages will go to the file ProvAgentTrace.log:

    <system.diagnostics>
      <sources>
        <!-- Route the agent's trace source to the console, the event log and a text file -->
        <source name="AAD Connect Provisioning Agent">
          <listeners>
            <add name="console"/>
            <add name="etw"/>
            <add name="textWriterListener"/>
          </listeners>
        </source>
      </sources>
      <sharedListeners>
        <add name="console" type="System.Diagnostics.ConsoleTraceListener" initializeData="false"/>
        <add name="etw" type="System.Diagnostics.EventLogTraceListener" initializeData="Azure AD Connect Provisioning Agent">
          <!-- "All" passes every trace level through to the event log -->
          <filter type="System.Diagnostics.EventTypeFilter" initializeData="All"/>
        </add>
        <!-- Verbose trace file that the Get-Content command below tails -->
        <add name="textWriterListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:/ProgramData/Microsoft/Azure AD Connect Provisioning Agent/Trace/ProvAgentTrace.log"/>
      </sharedListeners>
    </system.diagnostics>
    

    Start the service “Microsoft Azure AD Connect Provisioning Agent”

    You can now use the following command to tail the file and debug issues:

    Get-Content "C:/ProgramData/Microsoft/Azure AD Connect Provisioning Agent/Trace/ProvAgentTrace.log" -Wait
    

    The Mappings option would be visible only when you pass the test connection with the app. The Microsoft Entra provisioning service generally makes a get-user call to check for a dummy user (https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#request-3) in three situations: at the beginning of each provisioning cycle, before performing on-demand provisioning, and when test connection is selected. This check ensures the target endpoint is available and returning SCIM-compliant responses to the Microsoft Entra provisioning service.

    If required, you can send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Givary and the following details in the email body:

    Link to this thread/post

    We can connect offline and discuss further on this. Let me know if you have any further questions; feel free to post back.
    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.
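
The verbose-logging steps from the accepted answer, scripted as an added example (not code from the thread or from Microsoft). It assumes an elevated PowerShell session on the agent host and the paths and service display name quoted in the answer; the `.bak` naming is this example's own choice.

```powershell
# Added example: assumes elevation and the paths/display name given in the answer.
$ErrorActionPreference = 'Stop'
$displayName = 'Microsoft Azure AD Connect Provisioning Agent'
$configPath  = 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe.config'
# Replacement section from the answer (whitespace condensed, content unchanged).
$diagnosticsXml = @'
<system.diagnostics>
  <sources>
    <source name="AAD Connect Provisioning Agent">
      <listeners><add name="console"/><add name="etw"/><add name="textWriterListener"/></listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="console" type="System.Diagnostics.ConsoleTraceListener" initializeData="false"/>
    <add name="etw" type="System.Diagnostics.EventLogTraceListener" initializeData="Azure AD Connect Provisioning Agent">
      <filter type="System.Diagnostics.EventTypeFilter" initializeData="All"/>
    </add>
    <add name="textWriterListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:/ProgramData/Microsoft/Azure AD Connect Provisioning Agent/Trace/ProvAgentTrace.log"/>
  </sharedListeners>
</system.diagnostics>
'@

$service = Get-Service -DisplayName $displayName
Stop-Service -InputObject $service
# Timestamped copy of the original config, kept for rollback.
$backup = "$configPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $configPath -Destination $backup

try {
    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true
    $config.Load($configPath)
    # Parse the fragment on its own so malformed XML fails before the config changes.
    $fragment = New-Object System.Xml.XmlDocument
    $fragment.LoadXml($diagnosticsXml)
    $newNode = $config.ImportNode($fragment.DocumentElement, $true)
    $oldNode = $config.DocumentElement.SelectSingleNode('system.diagnostics')
    if ($oldNode) { [void]$config.DocumentElement.ReplaceChild($newNode, $oldNode) }
    else          { [void]$config.DocumentElement.AppendChild($newNode) }
    $config.Save($configPath)
}
catch {
    # Any failure while editing: put the original file back, then surface the error.
    Copy-Item -LiteralPath $backup -Destination $configPath -Force
    throw
}
finally {
    Start-Service -InputObject $service
}
```

Verbose tracing stays on until the original config is restored, so copy the `.bak` file back over the config and restart the service once troubleshooting is finished.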
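
The answer notes that Test Connection queries the endpoint for a dummy user and expects a SCIM-compliant reply. As an added example (not from the thread), the function below checks a response body for the list-response shape defined in RFC 7643/7644; the function name and both sample bodies are constructed for illustration.

```powershell
# Added example. Schema URNs come from RFC 7643/7644; sample bodies are constructed.
$ListResponseUrn = 'urn:ietf:params:scim:api:messages:2.0:ListResponse'
$CoreUserUrn     = 'urn:ietf:params:scim:schemas:core:2.0:User'

function Test-ScimUserListResponse {
    param([Parameter(Mandatory)][string]$Json)

    try   { $body = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return "body is not valid JSON: $($_.Exception.Message)" }

    $problems = @()
    if ($body.schemas -notcontains $ListResponseUrn) {
        $problems += "schemas does not contain $ListResponseUrn"
    }
    if ($null -eq $body.totalResults) {
        $problems += 'totalResults is missing'
    }
    # A missing Resources property and an empty array both normalise to zero items.
    $resources = @($body.Resources | Where-Object { $null -ne $_ })
    if ($body.totalResults -gt 0 -and $resources.Count -eq 0) {
        $problems += 'totalResults is non-zero but Resources is empty or missing'
    }
    for ($i = 0; $i -lt $resources.Count; $i++) {
        $user = $resources[$i]
        if ($user.schemas -notcontains $CoreUserUrn) { $problems += "Resources[$i]: schemas lacks $CoreUserUrn" }
        if ([string]::IsNullOrEmpty($user.id))       { $problems += "Resources[$i]: id is missing" }
        if ([string]::IsNullOrEmpty($user.userName)) { $problems += "Resources[$i]: userName is missing" }
    }
    return $problems
}

# Constructed sample 1: a well-formed "no such user" reply to the dummy-user query.
$emptyMatch = '{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":0,"Resources":[],"startIndex":1,"itemsPerPage":20}'
# Constructed sample 2: a bare User object returned where a list response is expected.
$bareUser   = '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"probe@example.com"}'

foreach ($sample in $emptyMatch, $bareUser) {
    $found = @(Test-ScimUserListResponse -Json $sample)
    if ($found.Count -eq 0) { 'OK: well-formed ListResponse' }
    else { $found | ForEach-Object { "FAIL: $_" } }
}
```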
