Hello,
We have created a SCIM endpoint for our custom application connecting to Azure AD's SCIM client. We have created an Enterprise Application for our custom application and successfully connected the provisioning. We are creating users and groups successfully.
We are using https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#update-group-add-members as reference.
We are successfully adding users to groups for the first time.
We now have an issue: AD is trying to add users to the group again in the next provisioning cycle. That ends in an error, as the user is already added. But AD tries that again and again. How can we prevent that?
AD always does a GET request before adding the user again. But it cannot check if the user is already in the group, as the AD GET request contains "?excludedAttributes=members" and therefore we are not filling members in the response. We are never filling members in the response. Is this correct?
And we should not, as stated in the tutorial "Develop and plan provisioning for a SCIM endpoint in Azure Active Directory": "It isn't necessary to support returning all the members of the group." Also, the examples in the tutorial do not contain them.
What is the correct response for AD when the user was already added to the group?
Currently we are returning: 409 Conflict
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "scimType": "uniqueness",
    "detail": "schema validation : ErrorStatus(error=Error adding member to group, summary=, statusCode=400)",
    "status": 409
}
Is our response correct? Or could something here be the root cause of our problem?
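The flow described in the post (a GET on the group with ?excludedAttributes=members, followed by a PATCH that adds a member who is already present) can be modelled in a few lines. The following is an added example, not the poster's endpoint or Microsoft's code: an in-memory SCIM Groups handler whose GET honours excludedAttributes exactly as described, and whose PATCH can be run in two modes, reproducing the 409 "uniqueness" response from the post or treating the repeated add as a no-op success, which is the behaviour RFC 7644 section 3.5.2.1 describes for adding a value that the target already contains. The group store, identifiers (grp-1, user-1, user-2) and error detail strings are constructed for the example; whether Azure AD's provisioning client accepts one or the other is not something the post establishes.

```python
"""Minimal in-memory SCIM /Groups handler modelling the Azure AD add-member flow
(GET with ?excludedAttributes=members, then PATCH add). Added example; the store
and all identifiers below are constructed, not taken from the poster's system."""

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def new_store():
    """Constructed sample data: one group that already has one member."""
    return {"grp-1": {"id": "grp-1", "displayName": "Engineering", "members": {"user-1"}}}


def scim_error(status, detail, scim_type=None):
    """Error body in the shape of RFC 7644 section 3.12 ('status' carried as a string)."""
    body = {"schemas": [ERROR_SCHEMA], "detail": detail, "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def get_group(store, group_id, excluded_attributes=""):
    """GET /Groups/{id}. When 'members' is listed in excludedAttributes the members
    are omitted, so the caller cannot learn membership from this response, which is
    exactly the situation the post describes for the provisioning client's GET."""
    group = store.get(group_id)
    if group is None:
        return scim_error(404, f"Group {group_id} not found")
    excluded = {a.strip() for a in excluded_attributes.split(",") if a.strip()}
    body = {"schemas": [GROUP_SCHEMA], "id": group["id"], "displayName": group["displayName"]}
    if "members" not in excluded:
        body["members"] = [{"value": m} for m in sorted(group["members"])]
    return 200, body


def patch_group(store, group_id, patch, idempotent=True):
    """PATCH /Groups/{id} carrying an 'add' of members.
    idempotent=True : a member that is already present is left as is and the
                      request succeeds (RFC 7644 3.5.2.1: no change, success).
    idempotent=False: reproduces the 409 'uniqueness' error from the post so the
                      two behaviours can be compared on the same input."""
    group = store.get(group_id)
    if group is None:
        return scim_error(404, f"Group {group_id} not found")
    if PATCH_SCHEMA not in patch.get("schemas", []):
        return scim_error(400, "Missing PatchOp schema", "invalidSyntax")
    for op in patch.get("Operations", []):
        # The client may send the op name as "Add"; compare case-insensitively.
        if op.get("op", "").lower() != "add" or op.get("path") != "members":
            return scim_error(400, f"Unsupported operation {op!r}", "invalidPath")
        for member in op.get("value", []):
            uid = member["value"]
            if uid in group["members"] and not idempotent:
                return scim_error(409, f"{uid} is already a member of {group_id}", "uniqueness")
            group["members"].add(uid)  # set semantics: re-adding an existing id is a no-op
    # 204 No Content is one of the success responses RFC 7644 allows for PATCH.
    return 204, None


if __name__ == "__main__":
    store = new_store()
    add_user2 = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Add", "path": "members", "value": [{"$ref": None, "value": "user-2"}]}],
    }
    print(get_group(store, "grp-1", "members"))          # no 'members' key in the body
    print(patch_group(store, "grp-1", add_user2))         # first cycle: (204, None)
    print(patch_group(store, "grp-1", add_user2))         # next cycle, idempotent: (204, None)
    print(patch_group(store, "grp-1", add_user2, idempotent=False))  # next cycle, as in the post: 409
```

Running the module shows the GET response without members, then the same add-member PATCH applied in consecutive cycles: the idempotent handler answers 204 both times, while the non-idempotent mode returns the 409 "uniqueness" body on the second cycle, mirroring what the post reports.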