Rate limiting with SCIM and Azure Active Directory

Guido Spanjers (Infoland) 16 Reputation points
2020-01-08T13:01:49.54+00:00

Heya,

We have already posted about this issue before so here is a recap:

We have registered our own SCIM service implementation as an Enterprise Application in Azure AD and configured provisioning to sync the users (and groups). We have implemented rate-limiting on our service, and return a 429 response (with a Retry-After header) to let the caller know he should wait a short time before a new request will be accepted.
When initiating a new sync we see many export errors are logged because of the 429 responses. It seems that the provisioning process does not recognise the 429 response and just continues running export requests which will all fail. The failures are retried after 40 minutes but a lot of them will run into the rate-limit again.
Does the Azure provisioning process support rate-limit responses from the SCIM service? How should our service respond (what headers, body) to make the provisioning process wait (a specified time) after a 429 response before continuing?

A response we got was as follows:
For Bring On Your Application (BOYA) SCIM, there is currently no way to control the rate that Azure AD sends web requests and as such the application will need to handle requests coming from Azure AD without generating 429 responses.

So my next question would be, is the Azure team planning on implementing any support for rate limiting? The sheer amount of requests during an initial sync requires a moderation in the amount of requests or it will quickly become more than our servers can handle, especially when you scale this up to dozens/hundreds of customers, each with thousands of users/groups.

Currently it is resulting in a quarantine by Azure, and it is something our customers are running into occasionally. I would think that when dealing with a large amount of requests, this would be a very welcome feature.

Kind regards,
Guido
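
The service-side behaviour described in the question (a 429 with a Retry-After header), sketched here as a per-tenant token bucket so that one customer's initial sync cannot consume another customer's budget. This is an added example, not part of the original post or Infoland's code. The class name, the limits and the sample traffic are assumptions; the error body uses the SCIM error schema from RFC 7644.

```python
import math
import time

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"  # RFC 7644 error schema


class TenantRateLimiter:
    """Hypothetical token bucket per tenant: `rate` requests/second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self._buckets = {}  # tenant_id -> (tokens, time of last request)

    def check(self, tenant_id, now=None):
        """Return None if the request may proceed, else (status, headers, body) for a 429."""
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(tenant_id, (self.burst, now))
        # Refill for the time elapsed since this tenant's previous request.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[tenant_id] = (tokens - 1.0, now)
            return None
        self._buckets[tenant_id] = (tokens, now)
        # Retry-After is whole seconds until one full token is available again.
        wait = max(1, math.ceil((1.0 - tokens) / self.rate))
        body = {"schemas": [SCIM_ERROR_SCHEMA], "status": "429",
                "detail": f"Rate limit exceeded; retry after {wait} seconds."}
        return 429, {"Retry-After": str(wait)}, body


def replay(limiter, requests):
    """Run (tenant_id, timestamp) pairs through the limiter; return the status codes."""
    statuses = []
    for tenant_id, ts in requests:
        rejected = limiter.check(tenant_id, now=ts)
        statuses.append(200 if rejected is None else rejected[0])
    return statuses


# Constructed traffic: tenant-a bursts 5 requests at t=0 (an initial sync),
# tenant-b sends one request at the same moment, tenant-a retries at t=2.
SAMPLE = [("tenant-a", 0.0)] * 5 + [("tenant-b", 0.0), ("tenant-a", 2.0)]

if __name__ == "__main__":
    print(replay(TenantRateLimiter(rate=1, burst=3), SAMPLE))
```
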


1 answer

  1. FrankHu-MSFT 976 Reputation points
    2020-01-09T02:49:25.007+00:00

    Hey @Guido Spanjers (Infoland)

    For public updates on information regarding Azure AD and SCIM please take a look at the identity blogs and the Azure updates page:
    https://azure.microsoft.com/en-us/updates/
    https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity

    And for your product feedback, please submit it against the feedback forums here, and if there's enough community support the product team will look into implementing it accordingly.

    Unfortunately there are no public mentions of this information, so publicly there are no mentions of this service to be implemented.

    1 person found this answer helpful.