How can I force a sync of group Members in SCIM provisioning

Question

How can I force a sync of group Members in SCIM provisioning

Brogi, Clemens 20

I am using Enta IDs scim provisioning. If I have a group in Entra ID which is out of sync in respect of it's members - how can I force an Update that adds missing members and remove members no longer in that group?

Accepted answer

2 additional answers

Your answer

Answer 1

Hello Brogi, Clemens

Provisioning on demand for syncing groups with every number of group members can be challenging due to limitations in SCIM provisioning. Issues such as group memberships not being re-added after group deletion and the need for specific configurations to sync groups are common. The articles and documentation provide various solutions and insights into managing these challenges, including using specific settings in provisioning jobs and leveraging APIs for listing sync members.

https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand?pivots=app-provisioning#known-limitations.

Hope this helps. Do let us know if you have any further queries

If this answers your query, do click `Accept Answer` and `Yes`

Answer 2

Andy David - MVP 155.9K MVP Moderator

Take a look at on demand provisioning ( and the limitations):

https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand?pivots=app-provisioning#known-limitations

Brogi, Clemens 20 Reputation points

2025-04-29T12:50:07.91+00:00

That means there is no solution to my problem?!
Since the MS implemantation of group synchronisation is quite error-prone, this are bad news.
Andy David - MVP 155.9K Reputation points MVP Moderator

2025-04-29T13:05:10.5766667+00:00

Hi, sorry, not sure I understand. Are you saying that on demand provisioning for the users is not working? Or a resync isnt working etc...?
Brogi, Clemens 20 Reputation points

2025-04-29T13:14:35.7666667+00:00

No the on demand provisioning for a group isn't working in the way that it corrects the group member-ship.
Brogi, Clemens 20 Reputation points

2025-04-29T13:18:30.66+00:00

In my opinion Entra ID should at least try to determine the group members and should add missing group members in packages, not one by one.
Brogi, Clemens 20 Reputation points

2025-04-29T13:30:45.8566667+00:00

In my opinion Entra ID should at least try to determine the group members and should add missing group members in packages, not one by one.In our application we use groups for access-control. We need a way to ensure, that the group in entra ID and in our application are in sync.
Vigneshwar Duvva 795 Reputation points Microsoft External Staff Moderator

2025-04-29T18:42:52.4766667+00:00

Hello Brogi, Clemens

I would like to check this up offline with you to understand the scenario better. Please share your contact details over private message and your availability for a call.

Answer 3

I believe the issue is as follows:

When a group is synchronized and there are many changes — for example, when several members are added to or removed from the group — EntraID sends a separate PATCH request for each change as part of the SCIM provisioning process. However, these requests are not sent sequentially; instead, they are dispatched in parallel using multithreading. This parallel execution leads to database locks, causing some of the requests to fail and, ultimately, the synchronization to break. A more effective approach would be to consolidate the operations into as few requests as possible — ideally into a single request — to prevent such issues from occurring.

Share via

How can I force a sync of group Members in SCIM provisioning

2 additional answers

Your answer