Entra ID - provision user administrative roles alongside app roles using SCIM

Florin Dragos 25 Reputation points
2024-06-21T13:57:09.3066667+00:00

I have a SCIM integration that provisions users from Entra ID to my SCIM application. I've followed the instructions provided in "Provisioning a role to a SCIM app" to make sure it provisions any roles that are assigned to a user. Unfortunately, this only provisions the roles that are assigned for that specific application.

Is there a way to read all roles (Administrative Roles) that a user has assigned in Entra ID, not just the roles assigned for the SCIM app itself?

Thanks!


Accepted answer
Danny Zollner 9,776 Reputation points Microsoft Employee
2024-06-24T16:04:15.13+00:00

Is there a way to read all roles (Administrative Roles) that a user has assigned in Entra ID, not just the roles assigned for the SCIM app itself?

No.

Most applications do not care about the administrative directory roles (Global Admin, etc.) assigned to users in Entra ID. Applications have their own concepts of entitlements. Those app-specific roles are usually represented on the Enterprise Application object in Entra ID, where they can be assigned to users, and SSO + Provisioning can both then leverage those app-specific assignments to send role/entitlement data in SSO claims or SCIM create/update payloads.

If your application does have a reason to care about the Entra ID directory roles assigned to users, it will need to make calls to Microsoft Graph API to obtain that data, as it is not possible to use a user's assigned Entra ID directory roles as a data source with our provisioning service at this time.
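Since the provisioning service cannot source directory roles, the lookup the accepted answer describes has to happen in the application (or a sync job it runs) via Microsoft Graph. The following is an added example, not code from the question, the answer, or Microsoft: it builds the Graph request for a user's activated directory roles, follows `@odata.nextLink` paging, and shapes the result like the SCIM core `roles` attribute so the app can keep directory roles apart from its own app roles. It assumes the caller already holds a Graph token with `RoleManagement.Read.Directory` or `Directory.Read.All`; the `fetch_json` callable is injected so the example runs offline against constructed sample pages, and `live_fetch`, the `directoryRole` value for the SCIM `type` sub-attribute, and the second role's template id are choices made here, not anything the thread specifies.

```python
"""Read a user's Entra ID directory roles via Microsoft Graph and shape them
as the SCIM core `roles` attribute. Added example; not from the Q&A thread."""
import json
import urllib.request
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"


def directory_roles_url(user_id: str) -> str:
    # The OData cast to microsoft.graph.directoryRole filters the user's memberOf
    # collection down to activated built-in directory roles (groups are dropped).
    # roleTemplateId is the tenant-independent identifier; the object id is not.
    return (f"{GRAPH}/users/{user_id}/memberOf/microsoft.graph.directoryRole"
            "?$select=displayName,roleTemplateId")


def iter_pages(url: str, fetch_json: Callable[[str], dict]) -> Iterator[dict]:
    # Graph pages collections; a user with many memberships is not fully
    # described by the first response, so follow @odata.nextLink until absent.
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def directory_roles(user_id: str, fetch_json: Callable[[str], dict]) -> list:
    return list(iter_pages(directory_roles_url(user_id), fetch_json))


def to_scim_roles(roles: list) -> list:
    # SCIM core User `roles` (RFC 7643 section 4.1.2) is multi-valued with
    # value/display/type sub-attributes. "directoryRole" as the type is an
    # assumption made here so the app can distinguish these from its app roles.
    return [{"value": r["roleTemplateId"],
             "display": r["displayName"],
             "type": "directoryRole"} for r in roles]


def live_fetch(url: str, token: str) -> dict:
    # Real Graph call; needs network access and a valid bearer token.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data standing in for two Graph response pages.
SAMPLE_USER = "00000000-0000-0000-0000-000000000001"  # constructed user id
_PAGE1 = directory_roles_url(SAMPLE_USER)
_PAGE2 = _PAGE1 + "&$skiptoken=constructed"
SAMPLE_RESPONSES = {
    _PAGE1: {"value": [{"displayName": "Global Administrator",
                        # well-known template id of the Global Administrator role
                        "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10"}],
             "@odata.nextLink": _PAGE2},
    _PAGE2: {"value": [{"displayName": "Security Reader",
                        # constructed placeholder, not the real template id
                        "roleTemplateId": "11111111-1111-1111-1111-111111111111"}]},
}


def sample_fetch(url: str) -> dict:
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    roles = directory_roles(SAMPLE_USER, sample_fetch)
    print(json.dumps(to_scim_roles(roles), indent=2))
```

In production, pass `lambda u: live_fetch(u, token)` in place of `sample_fetch`. Only activated built-in roles appear through the `directoryRole` cast; roles assigned through custom role definitions are read from the role management endpoints instead.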


0 additional answers
