This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 80%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
I am trying to build a non gallery app that exposes a SCIM endpoint in java. Currently I have deployed it on localhost.
But When in the provisioning section, I provide the localhost path in the tenant URL , AAD SCIM interface is not able to connect to my app with the following error -
You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.
Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
Details: We received this unexpected response from your application:
Message: An error occurred while sending the request.
Please check the service and try again.
Request-id: 013b6236-0049-4de2-a9d3-287112b47ec7
Please assist.
Just checking in to see if the below answer (by @Anonymous ) helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,
Our SCIM provisioning service does require public DNS availability. We have a new feature that is in a limited public preview that may be a better fit for this situation though - please check out this documentation and request access to the preview if it sounds like it meets your needs: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/on-premises-scim-provisioning
@Anonymous The custom app will be deployed in Azure VMSS behind a load balancer. The app will be accessed using private DNS Zone created for the app.
So I don't think the link that you have shared meets our needs as it expects us to download an agent onto the VM where SCIM endpoint is running, which makes sense in case of static infrastructure or on-prem type workloads but not for cloud workloads where VMs are transient and can be replaced anytime. As per our company policy we replace VMs every 14 days.
What I am looking for is a solution that can enable Azure AD provisioning service to connect to private SCIM endpoints.
Your scenario isn't something that is supported. The AAD Provisioning service communicates over the internet using public DNS records. You'll need to have things configured in a manner that your SCIM endpoints are publicly routable, or have a middle layer of one or more hosts using the above mentioned preview/agents and have the host servers then leverage the private DNS.
Just checking if you have any follow-up question? If above answer helped your query, please don’t forget to click Accept the answer and Up-Vote . Thanks.
Hello @Akash Chopra ,
Thanks for reaching out and apologize for delayed response.
You can use http endpoints for testing locally, but the Azure AD provisioning service requires that your endpoint supports HTTPS and make sure your SCIM solution is compliance with TLS Protocol standard per this guidance.
Here is sample SCIM endpoint in Azure Active Directory which you can use for testing.
To learn more about, refer these articles:
https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#building-a-custom-scim-endpoint
Hope this helps.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello @sikumars-msft Does it also requires my app to be available over public DNS ? As we have developed a custom app that will be used only with in our organization and won't be available over public DNS. But we want to utilize azure AD for users and groups provisioning and de-provisioning. Is it possible for Azure AD provisioning service to connect with an app that is not available over public DNS ?