This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 19%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESV%3C/text%3E%3C/svg%3E)
Hello, I am trying to get the correct setup for the 'manager' attribute that comes from the SCIM protocol, enterprise user extension.
According to the SCIM protocol, this is a complex type attribute with 3 sub-attributes: 'value', '$ref', and read-only 'displayName'. But the default setup from Azure AD actually sends manager as a simple attribute:
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager": "user-id".
Is there a way to get the setup that follows the SCIM specification and sends "manager" with "value" and "$ref"?
Regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 5%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
I dont think Azure AD Provisioning allows sending any other attribute for manager except id. Let me confirm and come back on this.
Hi @Stefan Vuckovic , The SCIM RFC 4.3 does not require any of these attributes to be mandatory, as such we are only sending ID at the moment. Long term we may have a plan to send manager with value but currently there is no way to achieve it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 13%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
Hi @Abhijeet-MSFT ,
If you are only sending the ID, shouldn't it go in the value attribute of the manager object? I mean this:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value
instead of:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
Because according to the spec manager is a complex type and the ID should go in the value attribute. Currently this is breaking existing implementations and libraries which are expecting a complex type in the manager field and are receiving an ID instead.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 49%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
@David L - you are entirely correct.
The Azure AD implementation is obviously not adhering to the spec.
@Abhijeet-MSFT : "The SCIM RFC 4.3 does not require any of these attributes to be mandatory, as such we are only sending ID at the moment." - yes, but you are doing so incorrectly. From the spec:-
manager
The user's manager. A complex type that optionally allows service
providers to represent organizational hierarchy by referencing the
"id" attribute of another User.
It's not good for SCIM service providers to have to implement it the correct way for conformant clients, and incorrectly for AD.
Have you or would you please create a ticket for this to be fixed?
Acknowledging that this is implemented incorrectly by Azure AD's SCIM client. It isn't something that can be fixed overnight however as unfortunately our incorrect implementation has led to some SCIM implementations taking a dependency on this. This is on a list of SCIM client compliance issues that we're hoping to address in the next 3-6 months, at which point we will release another flag similar to aadOptScim062020 (see: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior).
Today there is not a supported workaround to flow manager as a complex attribute as we don't support customized referential attributes, customized complex attributes or changing behavior for core SCIM/enterprise extension attributes.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 73%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
Has there been any progress on this? The application obviously doesn't comply to the spec. I'm struggling to see a solution that doesn't break other users of my SCIM API.
Ive been trying to hack my way around the issue. How can I add a custom attribute? For example if I can add:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:managerId
I can add that parameter to my SCIM schema and just deal with the consequences.
Steve
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 54%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Is there a known custom expression to set as the custom Azure attribute so we can use urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.displayName?
@Abhijeet-MSFT
Hello. For those coming to this answer again, I ran into a another issue with the manager attribute today. When Azure sends the manager attribute they break the spec as per the discussion above. However, when they read the data back they expect the correct format! ie manager.value.
To reproduce just use the 'Provision on demand' function... run it twice and you will see the issue.
I just wasted a morning on this. Who has different models for serialization and deserialiation?
Steve