Azure AD SCIM Provisioning: Repeating requests for Adding Users to Group

Jan Jancalek 96 Reputation points
2021-07-12T08:45:43.913+00:00

Hello,
We have created a SCIM endpoint for our custom application connecting to Azure AD's SCIM client. We have created an Enterprise Application for our custom application and successfully connected the provisioning. We are creating users and groups successfully.
We are using https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#update-group-add-members as reference.
We are successfully adding users to groups the first time.

We now have an issue: AD is trying to add users to the group again in the next provisioning cycle. That ends in an error, as the user is already added. But AD keeps trying again and again. How can we prevent that?

AD always does a GET request before adding the user again. But it cannot check whether the user is already in the group, as the AD GET request contains "?excludedAttributes=members", and therefore we are not filling members in the response. We never fill members in the response. Is this correct?
And we should not, as stated in the tutorial "Develop and plan provisioning for a SCIM endpoint in Azure Active Directory": "It isn't necessary to support returning all the members of the group." Also, the examples in the tutorial do not contain them.

What is the correct response for AD when the user was already added to the group?
Currently we are returning: 409 Conflict
{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "scimType": "uniqueness",
    "detail": "schema validation : ErrorStatus(error=Error adding member to group, summary=, statusCode=400)",
    "status": 409
}
Is our response correct? Or could something here be the root cause of our problem?


Accepted answer
  1. Jan Jancalek 96 Reputation points
    2021-07-14T11:37:43.123+00:00

    Solved it by adding a check into the SCIM endpoint: when it receives an add-member-to-group request for a member that is already added, we return 204 without adding the user again.
    Maybe not the cleanest solution, but so far it looks OK.

    The ideal solution would be to process it according to Microsoft documentation, but that documentation probably does not exist right now.
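To make the exchange in the question and the fix in the accepted answer concrete, here is an added example; it is not code from the original post, from Microsoft, or from the poster's application. The SCIM group endpoint is modelled as plain Python functions with no web framework, so the HTTP layer that would call them is assumed. `handle_patch` processes the `Add` / `Remove` member operations in the shape Azure AD sends them (per the Microsoft page linked in the question) and, with `idempotent=True`, answers an add for a user who is already a member with 204 No Content and leaves the group unchanged, which is what the answer describes; `idempotent=False` reproduces the 409 `uniqueness` error from the question. `handle_get` honours `excludedAttributes=members`. The in-memory store, the group and user ids, and the helper names (`make_store`, `add_members_patch`, `remove_member_patch`) are this example's own constructed assumptions.

```python
"""Idempotent SCIM group-membership PATCH handling for an Azure AD provisioning target.
Added example, not code from the original post: the endpoint is modelled as plain
functions (no web framework) and every id below is a constructed sample value."""
import re
from typing import Any, Optional

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Azure AD removes a member with path members[value eq "<id>"] (an RFC 7644 value filter).
_REMOVE_PATH = re.compile(r'^members\[value eq "([^"\\]+)"\]$')
GROUP_ID = "fa2ce26709934589afd5651ed8f7b9d4"  # constructed
USER_ID = "f648f8d5ea4e4cd38e9c"               # constructed


def make_store() -> dict[str, Any]:
    """In-memory stand-in for the application's database (constructed data)."""
    return {"users": {USER_ID, "0a1b2c3d4e5f60718293"},
            "groups": {GROUP_ID: {"displayName": "Engineering", "members": set()}}}


def scim_error(status: int, scim_type: Optional[str] = None, detail: str = "") -> tuple[int, dict]:
    """SCIM error body per RFC 7644 section 3.12 ("status" is a string there)."""
    body: dict[str, Any] = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def handle_patch(store: dict, group_id: str, patch: dict, idempotent: bool = True) -> tuple[int, Any]:
    """PATCH /Groups/{id} -> (http_status, body_or_None).

    idempotent=True is the fix from the accepted answer: adding a user who is already a
    member returns 204 and changes nothing. idempotent=False reproduces the question's
    409 "uniqueness" error, which makes Azure AD retry the add every provisioning cycle.
    """
    group = store["groups"].get(group_id)
    if group is None:
        return scim_error(404, detail=f"Group {group_id} not found")
    if PATCH_SCHEMA not in patch.get("schemas", []):
        return scim_error(400, "invalidSyntax", "PatchOp schema missing")
    members = set(group["members"])  # copy: a rejected operation must leave the group unchanged
    for op in patch.get("Operations", []):
        name = str(op.get("op", "")).lower()  # Azure AD sends "Add"/"Remove"; RFC 7644 is lower case
        path = op.get("path", "")
        if name == "add" and path == "members":
            for member in op.get("value", []):
                uid = member.get("value")
                if uid not in store["users"]:  # never grant membership to ids the app does not know
                    return scim_error(400, "invalidValue", f"unknown user {uid!r}")
                if uid in members and not idempotent:
                    return scim_error(409, "uniqueness", f"user {uid} is already a member")
                members.add(uid)
        elif name == "remove":
            match = _REMOVE_PATH.match(path)
            if not match:
                return scim_error(400, "invalidPath", f"unsupported remove path {path!r}")
            members.discard(match.group(1))  # removing an absent member is likewise a no-op
        else:
            return scim_error(400, "invalidPath", f"unsupported operation {name!r} on {path!r}")
    group["members"] = members
    return 204, None  # Azure AD expects 204 No Content for a successful membership PATCH


def handle_get(store: dict, group_id: str, excluded_attributes: str = "") -> tuple[int, dict]:
    """GET /Groups/{id}?excludedAttributes=members, as Azure AD sends before each PATCH."""
    group = store["groups"].get(group_id)
    if group is None:
        return scim_error(404, detail=f"Group {group_id} not found")
    excluded = {a.strip() for a in excluded_attributes.split(",") if a.strip()}
    body: dict[str, Any] = {"schemas": [GROUP_SCHEMA], "id": group_id,
                            "displayName": group["displayName"]}
    if "members" not in excluded:
        body["members"] = [{"value": uid} for uid in sorted(group["members"])]
    return 200, body


def add_members_patch(*user_ids: str) -> dict:
    """PatchOp body in the shape Azure AD sends to add members (see the linked Microsoft docs)."""
    return {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "Add", "path": "members",
            "value": [{"$ref": None, "value": uid} for uid in user_ids]}]}


def remove_member_patch(user_id: str) -> dict:
    """PatchOp body in the shape Azure AD sends to remove one member."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "Remove", "path": f'members[value eq "{user_id}"]'}]}


if __name__ == "__main__":
    store = make_store()
    patch = add_members_patch(USER_ID)
    print(handle_patch(store, GROUP_ID, patch))                    # (204, None): first provisioning cycle
    print(handle_patch(store, GROUP_ID, patch))                    # (204, None): repeated add is a no-op
    print(handle_patch(store, GROUP_ID, patch, idempotent=False))  # 409 uniqueness: the old behaviour
    print(handle_get(store, GROUP_ID, "members"))                  # body without "members", as requested
```

Two points a practitioner will want alongside the idempotent add: keep a check that the member id is a user the application actually knows (here a 400 `invalidValue`), so that "already present or not, answer 204" does not turn into "accept any id", and apply the Operations list to a copy so that a rejected operation leaves the stored membership exactly as it was. Since Azure AD asks for the group with `excludedAttributes=members`, it cannot see the current membership before it sends the add, so the endpoint, not the client, has to make the repeated add harmless.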

