Azure AD SCIM random ID in "userName eq"

David S 1 Reputation point


When I provision a user via SCIM, I see there is first a GET request to search for the user via userName, e.g.

GET /scim/v2/Users {"filter":"userName eq "abc@xyz"", "count":100, "startIndex":1, "page":1}

If I return 200 with zero results, I can see the POST request and the user gets provisioned successfully.

However, on all subsequent updates/checks to the user, the userName in the query appears to be a randomly generated value (it's a different value for the same user every time), e.g.:

GET /scim/v2/Users {"filter":"userName eq "80f18da2-686d-445c-9c47-0cdeaf0c654b"", "count":100, "startIndex":1, "page":1}

This is always followed up with another GET request to the correct user id route (GET /scim/v2/Users/123... etc). So while the flow is working, I do not understand how these userName values are generated and why the unnecessary step. How can I ensure that the userPrincipalName value is used in the query?


1 answer

  1. Danny Zollner 9,396 Reputation points Microsoft Employee

    This is by design - it's part of what steps our service takes at the start of any activity (i.e., a provisioning cycle or a provisioning on demand activity) to validate that the SCIM endpoint it is talking to functions correctly. See:

    Specifically, this piece:

    Microsoft AAD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the Test Connection flow in the Azure portal.

    2 people found this answer helpful.
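
Added example, not part of the original thread and not Microsoft's code: a sketch of how a SCIM endpoint can answer the `userName eq "..."` query so that the random-GUID validation probe described above gets a clean empty result. The function name `search_users`, the in-memory `USERS` store and its sample record are assumptions made for illustration; the schema URNs and the `invalidFilter` error type come from RFC 7644.

```python
import re

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Only the single filter shape seen in the question is supported here.
_FILTER_RE = re.compile(r'^\s*userName\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)

# Constructed sample store (hypothetical): SCIM id -> user resource.
USERS = {
    "123": {"id": "123", "userName": "abc@xyz", "active": True},
}


def search_users(filter_expr, users=USERS, start_index=1, count=100):
    """Return (http_status, body) for GET /scim/v2/Users with a filter."""
    m = _FILTER_RE.match(filter_expr or "")
    if m is None:
        # Reject filters we cannot evaluate instead of returning every user.
        return 400, {
            "schemas": [ERROR_SCHEMA],
            "status": "400",
            "scimType": "invalidFilter",
            "detail": "only 'userName eq \"value\"' is supported",
        }

    # userName is caseExact=false in RFC 7643, so compare case-insensitively.
    wanted = m.group(1).casefold()
    matches = [u for u in users.values() if u["userName"].casefold() == wanted]

    # SCIM paging is 1-based; values below 1 are treated as 1.
    start = max(start_index, 1)
    page = matches[start - 1:start - 1 + max(count, 0)]

    # An unknown userName (such as the random GUID probe) is not an error:
    # answer 200 with an empty list and do not create or modify anything.
    return 200, {
        "schemas": [LIST_SCHEMA],
        "totalResults": len(matches),
        "startIndex": start,
        "itemsPerPage": len(page),
        "Resources": page,
    }
```

Returning 404 or 500 for the probe, or treating the random value as a user to create, would make the connection validation fail or pollute the user store.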