Are Mail-Enabled Security Groups supported for provisioning enterprise applications via SCIM?

Matt S 20 Reputation points
2024-08-12T22:33:14.7266667+00:00

Hello,

I'm trying to enable SCIM between our Azure tenant and Zoho One. I am still pretty new to SCIM synchronization in Azure.

I have configured the Zoho One enterprise application and enabled provisioning for both users and groups. I have not made any changes to the default attribute mappings. I have started automatic provisioning and it has been successful for any users and regular security groups that I assign to the application.

However, provisioning keeps failing for any assigned mail-enabled security groups. The provisioning logs indicate a failure at "Step 4 - Provision Group in ZohoOne". The troubleshooting tab shows me the following:

Error Code: SystemForCrossDomainIdentityManagementBadResponse
Error Message: A required attribute is missing from a response. The missing attribute is Identifier.

Does this mean that mail-enabled security groups have no Identifier attribute, so they cannot be used for SCIM integration with Zoho One or any other apps that require it? Or are they just not compatible with Zoho One for some reason? I've tried looking up info on Zoho's support pages but I'm not finding anything of use.

Thanks,
Matt

Microsoft Entra ID

1 answer

  1. Danny Zollner 10,646 Reputation points Microsoft Employee
    2024-08-13T19:13:15.1266667+00:00

    The error returned appears to be related to the response from Zoho One on a SCIM POST (Create) request. Specifically, it sounds like Entra's provisioning service sends a POST and whatever response that Zoho One's SCIM endpoint returns is either syntactically incorrect or is syntactically valid but does not contain the "id" attribute for the group in Zoho One, which is a required attribute similar to Entra's objectId attribute in nature. It isn't acceptable to not return that SCIM "id" value, and if Zoho isn't returning it, that is the cause of the error.

    If you aren't sure if what I described is what is happening, you should open a support case to get assistance in reviewing what has transpired between the Entra provisioning service's SCIM client and Zoho One's SCIM server.

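The check described in the answer above, as an added example (not part of the original thread, and not Microsoft's or Zoho's code): a Python function that inspects a captured response to a SCIM POST /Groups request and reports whether the body fails to parse or parses but lacks the required "id". The function name and the sample responses are constructed for illustration; the 201 status and the required "id" attribute come from RFC 7644 section 3.3 and RFC 7643 section 3.1.

```python
import json

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def check_scim_create_response(status, body):
    """Return a list of problems in a SCIM POST /Groups response (empty list = OK)."""
    problems = []
    # RFC 7644 section 3.3: a successful create returns 201 Created.
    if status != 201:
        problems.append(f"status {status}, expected 201")
    try:
        resource = json.loads(body)
    except (TypeError, ValueError):
        # First case from the answer: the response is syntactically incorrect.
        return problems + ["body is not valid JSON"]
    if not isinstance(resource, dict):
        return problems + ["body is not a JSON object"]
    # Second case: syntactically valid, but no usable "id" for the new group.
    rid = resource.get("id")
    if not isinstance(rid, str) or not rid.strip():
        problems.append('missing or empty "id"')
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or GROUP_SCHEMA not in schemas:
        problems.append('"schemas" does not list the Group schema')
    return problems


# Constructed sample response bodies (not captured from any real service).
GOOD = json.dumps({"schemas": [GROUP_SCHEMA], "id": "example-group-id-1",
                   "displayName": "Example Mail Group"})
NO_ID = json.dumps({"schemas": [GROUP_SCHEMA],
                    "displayName": "Example Mail Group"})
NOT_JSON = "<html>Bad Gateway</html>"

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("no id", NO_ID), ("not json", NOT_JSON)):
        print(label, "->", check_scim_create_response(201, body) or "OK")
```

Running it against the response body captured during a failed group provisioning attempt shows which of the two cases applies before opening a support case.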
