Need help with custom roles in Azure AD provisioning

Nicolas Ryan 21 Reputation points
2020-11-13T14:35:56.39+00:00

Hello,

I'm trying to provision users with our custom SCIM application using Azure AD automatic provisioning. So far I managed to configure the creation of the user and the assignment of the groups based on the assignments done in the Enterprise Application.

The issue I have now is with the roles mapping.

I followed the indications of this tutorial: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes

  • I modified the manifest and added the roles
  • I assigned the roles to the users in the Enterprise Application
  • I added a new mapping under the user mappings as described in the procedure

[screenshot: the roles attribute mapping in the provisioning configuration]

Where roles is an attribute that I added manually and is of type String.

In the procedure it says that the JSON output I should expect is something like this:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "externalId": "alias",
  "userName": "alias@Company portal .OnMicrosoft.com",
  "active": true,
  "displayName": "First Name Last Name",
  "meta": {
    "resourceType": "User"
  },
  "roles": [
    {
      "primary": false,
      "type": "WindowsAzureActiveDirectoryRole",
      "display": "Admin",
      "value": "Admin"
    },
    {
      "primary": false,
      "type": "WindowsAzureActiveDirectoryRole",
      "display": "User",
      "value": "User"
    }
  ]
}

Which is what my application expects to receive. This is actually what is sent to my app when first creating the user. However, when doing a PATCH operation to update the user roles, this is what I got:

{
  "schemas": [
    "urn:ietf:Params:Scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Add",
      "path": "roles",
      "value": [
        {
          "value": "{\"id\":\"05b07648-ecfe-489f-8d2f-6325724a46fe\",\"value\":\"25\",\"displayName\":\"Role1234\"}"
        },
        {
          "value": "{\"id\":\"18d14569-c3bd-439b-9a66-3a2aee01d14f\",\"value\":\"22\",\"displayName\":\"user\"}"
        }
      ]
    }
  ]
}

As you can see, the values of the roles are not being passed as an array of objects but rather as values of a String. As a result, my application returns a 500 error because it cannot parse the reply.

Could you please advise how to get something like the following for when patching the user?

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "value": {
        "roles": [
          {
            "value": "1",
            "display": "System Admin"
          }
        ]
      }
    }
  ]
}

Thanks for your help.

Nicolas.-


Accepted answer
Danny Zollner 9,971 Reputation points Microsoft Employee
2020-11-14T04:00:59.487+00:00

This behavior has been brought to our engineering team's attention somewhat recently. We're working on long-term changes to this (have to make sure we don't cause other problems by doing this...), but in the meantime you can force the behavior to change by using the ?AzureAdScimPatch062020 flag outlined in this doc:

https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior

The doc does not mention roles as a behavior that this flag changes, but I can confirm that they are. By using this flag, roles should be in the same consistent format for both POST and PATCH operations. The documentation will be updated to reflect this next week.

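The accepted answer fixes the sender: the ?AzureAdScimPatch062020 flag named above is appended to the tenant URL in the provisioning configuration (the linked doc describes how) so that PATCH carries roles in the same shape as the initial POST. A SCIM endpoint that gets a 500 from an unexpected request body is still worth hardening on the receiving side, because the flag is per-tenant configuration that can be forgotten, and the legacy body embeds each role as a JSON document inside a string. The following is an added example, not code from the question, the answer or any Microsoft component: a small Python normalizer that accepts both PATCH shapes shown in the thread and returns plain role objects, rejecting anything that is not a JSON object. The two sample bodies are constructed from the JSON in the question; the function names are the example's own.

```python
"""Normalize the two PATCH shapes Azure AD provisioning can send for `roles`.

Added example. Accepts (a) the legacy shape, where op is "Add", path is
"roles" and every entry's "value" is a JSON *string*, and (b) the SCIM-style
shape, where op is "add" with no path and "value" is {"roles": [...]}.
"""
import json

# Compared case-insensitively: the legacy body arrives with
# "urn:ietf:Params:Scim:api:messages:2.0:PatchOp" (mixed case).
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:patchop"

# Constructed sample: legacy PATCH body, roles serialized as JSON strings.
LEGACY_PATCH = {
    "schemas": ["urn:ietf:Params:Scim:api:messages:2.0:PatchOp"],
    "Operations": [{
        "op": "Add",
        "path": "roles",
        "value": [
            {"value": "{\"id\":\"05b07648-ecfe-489f-8d2f-6325724a46fe\","
                      "\"value\":\"25\",\"displayName\":\"Role1234\"}"},
            {"value": "{\"id\":\"18d14569-c3bd-439b-9a66-3a2aee01d14f\","
                      "\"value\":\"22\",\"displayName\":\"user\"}"},
        ],
    }],
}

# Constructed sample: SCIM-style PATCH body, roles as real objects.
COMPLIANT_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{
        "op": "add",
        "value": {"roles": [{"value": "1", "display": "System Admin"}]},
    }],
}


def role_from_item(item):
    """Return {"value", "display"} for one role entry in either encoding."""
    if isinstance(item, str):
        # Legacy encoding: the role object is a JSON document inside a string.
        # json.loads only (never eval), and only a JSON object is acceptable.
        decoded = json.loads(item)
        if not isinstance(decoded, dict):
            raise ValueError("role string did not decode to a JSON object")
        item = decoded
    if not isinstance(item, dict):
        raise ValueError("role entry must be an object or a JSON string")
    inner = item.get("value")
    if isinstance(inner, str) and inner.lstrip().startswith("{"):
        # Legacy wrapper: {"value": "{...stringified role...}"}
        return role_from_item(inner)
    if not isinstance(inner, str) or not inner:
        raise ValueError("role entry is missing a string 'value'")
    display = item.get("display", item.get("displayName"))
    return {"value": inner, "display": display if isinstance(display, str) else inner}


def roles_from_patch(patch):
    """Return [(op, roles), ...] for every operation that targets `roles`.

    `op` is lower-cased ("add", "replace", "remove"); `roles` is a list of
    {"value", "display"} dicts (empty for "remove"). Operations on other
    attributes are skipped. Filtered paths such as roles[value eq "x"] are
    out of scope here and raise.
    """
    schemas = [s.lower() for s in patch.get("schemas", []) if isinstance(s, str)]
    if PATCH_OP_SCHEMA not in schemas:
        raise ValueError("not a SCIM PatchOp message")
    results = []
    for operation in patch.get("Operations", []):
        op = str(operation.get("op", "")).lower()
        if op not in ("add", "replace", "remove"):
            raise ValueError("unsupported op %r" % op)
        path = operation.get("path")
        value = operation.get("value")
        if path is None:
            # SCIM-style: attribute names live inside the value object.
            if op == "remove" or not isinstance(value, dict) or "roles" not in value:
                continue
            items = value["roles"]
        elif path.lower() == "roles":
            items = value
        elif path.lower().startswith("roles"):
            raise ValueError("filtered roles path not supported: %r" % path)
        else:
            continue
        if op == "remove":
            results.append((op, []))
            continue
        if isinstance(items, (str, dict)):
            items = [items]
        if not isinstance(items, list):
            raise ValueError("roles value must be a list")
        results.append((op, [role_from_item(i) for i in items]))
    return results


if __name__ == "__main__":
    for name, body in (("legacy", LEGACY_PATCH), ("compliant", COMPLIANT_PATCH)):
        print(name, roles_from_patch(body))
```

With both samples the function yields the same role objects, so the application can apply the operation without knowing which shape the tenant was configured to send. Two points matter for the endpoint's safety: the stringified role is decoded with json.loads and anything that is not an object is rejected with a 400-style error rather than a 500, and the op and schema comparisons are case-insensitive so the mixed-case legacy message is not mistaken for an unknown operation.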
