Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,904 questions
How to fix role assignment when enabling user provisioning using AssertiveAppRoleAssignmentsComplex
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 61%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Jochen François
6
Reputation points
Issue Summary: I am attempting to customize user provisioning attribute mapping for my SAAS platform within Microsoft Entra ID. Specifically, I am working with the attribute named "roles."
Details: To ensure that roles are accurately removed from the target system when they are not assigned to a user in Entra ID, I have utilized AssertiveAppRoleAssignmentsComplex. However, I am encountering an issue where Patch "add" requests are being generated, which result in roles being added rather than replacing the existing ones.
Assumed Cause: It seems that during the user provisioning process, something goes wrong when fetching the user data. This might prevent the system from correctly deriving the "role" attribute, which then causes the system to add a new role instead of updating the existing one. However, I checked the response of my scim server and it return the roles property (also available on the screenshot).
Observed Behavior: When I initiate provisioning, the system produces inconsistent results regarding the "role" value. In the screenshots you can see that the target value is defined, and at the end its no longer defined.
SCIM GET Response Body for the provisioned user
{
"meta": {
"created": "2024-08-14T14:00:26.634Z",
"resourceType": "User",
"lastModified": "2024-08-14T14:00:26.634Z"
},
"userName": "user@example.com",
"addresses": [
],
"phoneNumbers": [
],
"name": {
"formatted": "FirstName LastName",
"familyName": "LastName",
"givenName": "FirstName"
},
"displayName": "FirstName LastName - Company",
"active": true,
"roles": [
{
"value": "RoleName",
"displayName": "RoleName",
"id": "role-id"
},
{
"value": "{\"id\":\"role-id\",\"value\":\"RoleName\",\"displayName\":\"RoleName\"}"
}
],
"externalId": "user-id",
"emails": [
{
"type": "work",
"value": "user@example.com",
"primary": true
}
],
"preferredLanguage": "en-US",
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"id": "anonymized-id",
"title": "Job Title"
}
{count} vote
-
Danny Zollner 10,061 Reputation points Microsoft Employee2024-08-14T20:06:50.6366667+00:00 You'll need to create a support ticket for this so that our support team can assist in investigating this.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 32,751 Reputation points Microsoft Employee2024-08-19T05:57:16.6566667+00:00 @Jochen François Thank you for reaching out to us, As Danny mentioned request you to open a case with us, so that we can troubleshoot this issue in detailed.
If in case you don't have a support contract with us, please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" along with your Azure subscription id and we can enable one time support option on your subscription to work with our support team.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 24%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
Danny Bollaert 20 Reputation points2024-09-23T20:32:41.19+00:00 Hello @Jochen François I am struggling with the same issue. Did you make any progress with this issue?
-
Jochen François 6 Reputation points
2024-09-26T21:02:25.3566667+00:00 Hi Danny,
Unfortunately, I couldn't resolve the issue. After multiple screensharing sessions, emails, and being passed around, the support team was unable to provide a proper solution.
Due to time constraints, I decided to manage the role assignments outside of Entra ID and directly within my platform. If I revisit this in the future, I'll update you via this ticket.
Ideally, it would have been nice to get some insights on the AssertiveAppRoleAssignmentsComplex works internally on how it decides between a REPLACE and an ADD. But I felt they didn't know it either and I should experiment with it until it works.
Sign in to comment
Sign in to answer