Azure AD SCIM provisioning

Bob Mazaika 25 Reputation points
2024-06-26T18:21:29.09+00:00

We have an AD that has 1M users and 1.3M groups and want to limit the number we sync with an application. I was hoping that using Sync Only Assigned Users and Groups would do what I want but it doesn't appear to do what I want.

The desire is to assign a number of groups and a subset of the users in each group. However what happens is that I get all the groups assigned but ALL the users in those groups.

Is there any way to do what I want?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Danny Zollner 10,056 Reputation points Microsoft Employee
    2024-06-27T02:51:00.3833333+00:00

    There are two levels of filtering/scoping - assignment to the application, and scoping filters. You can use scoping filters to narrow down the initial set of users that are brought in scope from membership in assigned groups.

    Another approach that I'm 90% confident will work is to assign one or more groups to the application that contain users as direct members of the group(s), with those groups being used to control what users are granted access. Separately, create a group that then only has groups as direct members. That parent group will bring the groups that it has as members into scope without granting any entitlement to the users within.

    Rough example:

    Group A and Group B are assigned directly to the app. No other groups are assigned directly.

    Group A's direct members: All users that should have access to the app

    Group B's direct members: Groups Q, R, S, T

    Groups A, B, Q, R, S, and T will be provisioned out to the other app as group objects. The members of groups Q, R, S and T in Entra ID will not be added to the SCIM app as users OR as members of groups Q, R, S or T unless they are also members of Group A.

    Scoping filters can be used to restrict groups A and B from being provisioned into the SCIM app. This may be helpful as A and B are functionally "scoping" groups and may not have direct value in the SCIM app.

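To sanity-check a layout like the one above before enabling provisioning, here is an added Python model of the scoping rule the answer describes (this is not Microsoft's provisioning engine or the page's own code; the rules, the one-level nesting and the `compute_scope`/`DIRECTORY` names are assumptions taken from the answer):

```python
from dataclasses import dataclass, field

# Constructed directory: group -> direct members. User ids start with "u:", group ids with "g:".
DIRECTORY = {
    "g:A": {"u:alice", "u:bob"},        # assigned: users who should get access
    "g:B": {"g:Q", "g:R"},              # assigned: scoping parent holding groups only
    "g:Q": {"u:alice", "u:carol"},      # carol is NOT in A
    "g:R": {"u:bob", "u:dave", "g:Z"},  # dave is NOT in A; Z is nested one level deeper
    "g:Z": {"u:erin"},
}


@dataclass
class Scope:
    users: set                                   # user objects that will be provisioned
    groups: set                                  # group objects that will be provisioned
    memberships: dict = field(default_factory=dict)  # group -> members emitted to the app


def compute_scope(directory, assigned, excluded_groups=()):
    """Model of 'Sync only assigned users and groups' as described in the answer.

    Assumed rules (a model, not Entra ID's actual engine):
    - every assigned group, plus every group that is a DIRECT member of an
      assigned group, is in scope as a group object (no deeper nesting);
    - a user is in scope only if it is a DIRECT member of an assigned group;
    - a group's emitted member list contains only objects that are in scope;
    - excluded_groups stands in for a scoping filter that drops groups
      (e.g. the functional scoping groups A and B) from what is provisioned.
    """
    groups, users = set(assigned), set()
    for g in assigned:
        for member in directory.get(g, ()):
            (groups if member.startswith("g:") else users).add(member)
    in_scope = users | groups
    emitted = {g for g in groups if g not in set(excluded_groups)}
    memberships = {g: directory.get(g, set()) & in_scope for g in emitted}
    return Scope(users=users, groups=emitted, memberships=memberships)


if __name__ == "__main__":
    scope = compute_scope(DIRECTORY, {"g:A", "g:B"}, excluded_groups={"g:A", "g:B"})
    print("users:", sorted(scope.users))
    print("groups:", sorted(scope.groups))
    for g, members in sorted(scope.memberships.items()):
        print(f"  {g} -> {sorted(members)}")
```

Under these rules carol, dave and erin never reach the app, and Q and R are emitted with only alice and bob as members; change `DIRECTORY` to your own assignment plan to see what would be provisioned.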

1 additional answer

  1. Q&A Assist
    2024-06-26T18:21:29.11+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Based on the information provided in the context, it is not possible to limit the number of users synced with an application based on a subset of users in each group. When using the "Sync Only Assigned Users and Groups" option, all users in the assigned groups will be synced. It is recommended to assign a small set of users and groups to the app for testing purposes before rolling out to everyone.

