Rate of SCIM and Azure Active Directory synchronization

Erlong EL1 Wang 0 Reputation points
2024-08-22T06:34:28.8266667+00:00

Hi all, our customer is synchronizing users by configuring SCIM provisioning in Azure AD. In order to provide SCIM endpoint security, we have implemented rate limiting for the SCIM service. After 2 days of normal operation, the requests sent by Azure AD suddenly reached the rate limit and our SCIM service blocked the requests for a short period of time, putting the customer's provisioning into quarantine.

I would like to ask if Azure AD's provisioning can recognize the 429 response (with Retry-After header) to slow down the rate at which it sends requests?

Also is it possible to tell if the rate at which Azure AD sends requests increases over time, or can you provide the rate at which Azure AD sends requests by default? Thanks!

I read the following paragraph in the documentation. It seems that Microsoft can adjust the sending of requests for the rate limitation of the target system. Is there anything that the target system needs to do in order to implement this? For example, in response to 429 (with Retry-After header).

  • Request rate limits and throttling implemented by the target system. Some target systems implement request rate limits and throttling, which can impact performance during large sync operations. Under these conditions, an app that receives too many requests too fast might slow its response rate or close the connection. To improve performance, the connector needs to adjust by not sending the app requests faster than the app can process them. Provisioning connectors built by Microsoft make this adjustment.

from https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2024-08-22T15:39:45.63+00:00

    Rate limiting is only configurable for "gallery" provisioning integrations and can only be configured by the Microsoft engineering team. The provisioning service does not have the ability to dynamically adjust to 429 responses.

    The rate of requests when rate limiting is not configured can be described as "as fast as possible", meaning that as soon as the Entra ID provisioning service has calculated a request that needs to be made, it will make it.
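
Added example, not part of the original question or answer: a token-bucket limiter of the kind the question describes (429 with a Retry-After header), driven by a sender that ignores the header, as the answer describes, and for comparison by one that honors it. The class name, the limit of 5 requests/s with a burst of 10, and the 10 ms send interval are constructed assumptions, not values from Entra ID or the poster's service.

```python
class ScimRateLimiter:
    """Token bucket in integer milli-tokens so the arithmetic is exact (hypothetical helper)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # tokens/s == milli-tokens per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def check(self, now_ms):
        """Return (status, headers) for one SCIM request arriving at now_ms."""
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return 200, {}
        # Retry-After is whole seconds: round the wait for one token up.
        missing = 1000 - self.tokens
        wait_s = -(-missing // (self.rate * 1000))
        return 429, {"Retry-After": str(wait_s)}


def simulate(total, interval_ms, honor_retry_after, rate_per_sec=5, burst=10):
    """Deliver `total` requests, retrying each 429; return (rejected, elapsed_ms)."""
    limiter = ScimRateLimiter(rate_per_sec, burst)
    now_ms = accepted = rejected = 0
    while accepted < total:
        status, headers = limiter.check(now_ms)
        if status == 200:
            accepted += 1
            now_ms += interval_ms
        else:
            rejected += 1
            if honor_retry_after:
                now_ms += int(headers["Retry-After"]) * 1000
            else:
                now_ms += interval_ms  # sender keeps going "as fast as possible"
    return rejected, now_ms


if __name__ == "__main__":
    # Constructed workload: 100 requests attempted every 10 ms.
    print("ignores Retry-After:", simulate(100, 10, honor_retry_after=False))
    print("honors Retry-After: ", simulate(100, 10, honor_retry_after=True))
```

Both senders are held to the same sustained throughput, but the one that ignores Retry-After produces far more 429 responses for the same work, which is the number to watch when choosing limits for a sender that will not back off.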

