25,134 questions
Entra ID Provisioning failure - target application returned a response without an 'id'
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 0%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
Jason Gillett
30
Reputation points
When we set our app to start provisioning, initially it does save the groups and users into our system. But then the provisioning gets set to quarantined. I've also tried using the Test Provisioning. Provisioning a Group seems to work fine, but I'm getting an error when trying to do a User.
When looking at Wireshark, I see that two calls are made.
The first seems to be a GET Users request with filter against a random GUID:
.../Users?filter=userName+eq+%228305e45e-591b-43bd-ab18-60c0790016e1%22
Response:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":0,"startIndex":1,"itemsPerPage":0,"Resources":[]}
The second is a Get Users request for the actual user being provisioned:
.../Users/2800
Response:
HTTP/1.1 200 OK
Content-Length: 1208
Content-Type: application/scim+json
Date: Tue, 08 Apr 2025 14:28:07 GMT
Server: Kestrel
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"startIndex": 1,
"itemsPerPage": 1,
"Resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "******@test.onmicrosoft.com",
"id": "2800",
"externalId": "smartdev",
"name": {
"formatted": "Thomas Smath",
"familyName": "Smath",
"givenName": "Thomas",
"middleName": null,
"honorificPrefix": "",
"honorificSuffix": null
},
"displayName": "Thomas Smath",
"emails": [
{
"value": "******@test.us",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "6095550303",
"type": "",
"primary": true
}
],
"addresses": null,
"active": true,
"meta": {
"resourceType": "User",
"created": "2025-04-04T10:22:00",
"lastModified": "2025-04-08T13:40:00",
"version": null,
"location": null
}
}
]
}
The error message:
The target application returned a response without an 'id'. This 'id' attribute is required per section 3.1 of SCIM RFC 7643. Please contact the application developer and request that they return the 'id' property in the SCIM response. Resource: {"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"active":false,"meta":null,"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":null}.
The response has the 'id' in the message so I don't understand why I'm getting this error.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 3,841 Reputation points Microsoft External Staff Moderator2025-04-11T00:47:47.91+00:00 Hello Jason Gillett, The error occurs because your SCIM server is returning a
ListResponse(meant for searches) instead of a properUserobject during user provisioning (likely after a PATCH/POST). This response is missing the required top-level"id"field. To fix it, ensure your server returns a valid SCIM User resource with"id"in all create/update responses. Please recheck PATCH/POST handler logic.Let me know if any further queries - feel free to reach out!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
SrideviM 5,710 Reputation points Microsoft External Staff Moderator2025-04-14T04:20:57.0766667+00:00 Hello Jason Gillett,
Just adding to the earlier response. If your SCIM implementation supports it, enabling debug logs can help trace which request is returning the incomplete payload. It’s a good way to confirm if a specific update or create call is missing required fields like id. Let me know if it works!
Sign in to comment
Sign in to answer