AzureAD SCIM integration with Country Code field

Question

AzureAD SCIM integration with Country Code field

ScimUser 1

I've configured Azure AD with my SCIM endpoint to provision users. My mapping definition includes mapping the country code from the Azure country to addresses[type eq "work"].country, but provisioning fails for users whose country code is more than two characters long (e.g. USA instead of US). The failure on the SCIM endpoint indicates the country code is too long.

I see the SCIM spec (https://tools.ietf.org/html/rfc7643) says the country code must be in ISO 3166-1 "alpha-2" code format, so the SCIM endpoint rejecting this user sounds correct.

How can I configure Azure AD to either:

Convert the 3 char country code to 2 char for transmission via the SCIM protocol (preferred), or
Not send the country code field for users whose country code value violates the SCIM spec?

FrankHu-MSFT 971 Reputation points

2019-12-12T00:19:26.623+00:00

Hey @ScimUser thanks for letting us know about this, I'm currently looking into this, as per the RFC it does appear that country codes should be in fact 2 letters.
Fabrice Dutron 21 Reputation points

2022-10-14T16:08:47.153+00:00

This is an extract of the SCIM specification (https://datatracker.ietf.org/doc/html/rfc7643#section-4.1.2):

The country name component. When specified, the value
MUST be in ISO 3166-1 "alpha-2" code format [ISO3166]; e.g.,
the United States and Sweden are "US" and "SE", respectively

So Azure SCIM does not support the country claim.

FrankHu-MSFT 971 Reputation points

2019-12-12T00:19:26.623+00:00

Hey @ScimUser thanks for letting us know about this, I'm currently looking into this, as per the RFC it does appear that country codes should be in fact 2 letters.
Fabrice Dutron 21 Reputation points

2022-10-14T16:08:47.153+00:00

This is an extract of the SCIM specification (https://datatracker.ietf.org/doc/html/rfc7643#section-4.1.2):

The country name component. When specified, the value
MUST be in ISO 3166-1 "alpha-2" code format [ISO3166]; e.g.,
the United States and Sweden are "US" and "SE", respectively

So Azure SCIM does not support the country claim.

Answer 1

It looks like this is an issue that can be fixed either by changing the source data or config on your server side,

Changing the source data part(values in AAD) is straightforward enough.
If you would like implement logic that says "If a user has USA, send US, if they have CAN send CA, etc.." then you will need to do that yourself.

You can use the Switch function for that.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/functions-for-customizing-application-data#switch

However there are no current built in methods in Azure for this right now. I apologize for the inconvenience, I suggest submitting your feedback in regards to this here : https://feedback.azure.com/forums/169401-azure-active-directory and if there's enough community support the product team will put this on the roadmap to implement in the future.

AzureAD SCIM integration with Country Code field

1 answer

Activity