SCIM provisioning: when disabling a user with active roles, the user's roles should be removed as well
Use case
I have a couple of applications that want to provision the different types of administrators to the applications using roles. The normal users are not provisioned with SCIM.
Problem
When a user is removed from every group inside the enterprise application, a trigger event should deactivate/update the user. This update should contain the removal of all roles. Instead, because we do not use the "Active" attribute in our mapping, the user is not updated at all when the user is deactivated.
Note
The application does receive an update that the user is removed from the group.
Expected Behaviour
When a user is removed from the group, the user loses the assigned role, even when the user is deactivated during the process.
Configuration With Active
When the "Active" attribute is mapped, only the active attribute is updated.
Configuration flags tried
- AppRoleAssignmentsComplex([appRoleAssignments]): https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes
- AssertiveAppRoleAssignmentsComplex([appRoleAssignments]): https://learn.microsoft.com/en-us/answers/questions/671361/patch-behaviour-when-provisioning-custom-roles-wit (recommended by AI)
- flag:aadOptscim062020: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility
Result: no effect.
How to replicate it?
I used the SCIM gateway loki plugin, which lets me run an in-memory SCIM server.
https://github.com/jelhub/scimgateway/tree/master
Thank you for having a look.
Danny
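As an added example (not code from the original post or from scimgateway), a small application-side SCIM PATCH handler that treats deactivation as a fail-safe role revocation, so roles never outlive a deactivated account even when the provisioning service sends no role removal in the same update. The user record shape (active, roles), the path-less PATCH form and the string-valued "active" are assumptions about the wire format, not taken from the post.

```python
# Added example (not from the original post or from scimgateway): an
# application-side SCIM PATCH handler with a fail-safe so that a deactivated
# user never keeps effective roles. The record shape {active, roles} and the
# PATCH path forms handled below are assumptions, not taken from the page.

def _to_bool(value):
    # Assumption: "active" may arrive as a JSON boolean or as the strings
    # "True"/"False"; anything that is not "true" counts as deactivation.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"

def apply_patch(user, patch):
    """Apply a SCIM 2.0 PatchOp (RFC 7644) to a user dict in place.

    Handles add/replace/remove on "active" and "roles", in the path form
    and in the path-less {"value": {...}} form. Returns the user.
    """
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()
        path = op.get("path")
        value = op.get("value")
        if path is None and isinstance(value, dict):
            # Path-less form, e.g. {"op": "Replace", "value": {"active": "False"}}
            ops = [{"op": kind, "path": k, "value": v} for k, v in value.items()]
            apply_patch(user, {"Operations": ops})
        elif path == "active" and kind in ("add", "replace"):
            user["active"] = _to_bool(value)
        elif path == "roles":
            incoming = [] if kind == "remove" else [r["value"] for r in value]
            if kind == "add":
                incoming = sorted(set(user["roles"]) | set(incoming))
            user["roles"] = incoming
        elif path and path.startswith("roles[") and kind == "remove" and '"' in path:
            # Filter form, e.g. 'roles[value eq "Admin"]': drop that one role
            target = path.split('"')[1]
            user["roles"] = [r for r in user["roles"] if r != target]
    # Fail-safe: a deactivated account has no effective roles, whether or not
    # the identity provider sent a role removal in the same update.
    if not user["active"]:
        user["roles"] = []
    return user

def deactivation_example():
    """Constructed sample: a deactivation PATCH that carries no role removal."""
    user = {"userName": "admin1@example.test", "active": True,
            "roles": ["GlobalAdmin", "Auditor"]}
    patch = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
             "Operations": [{"op": "Replace", "value": {"active": "False"}}]}
    return apply_patch(user, patch)  # active False, roles []
```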