We have already posted about this issue before so here is a recap:
We have registered our own SCIM service implementation as an Enterprise Application in Azure AD and configured provisioning to sync the users (and groups). We have implemented rate-limiting on our service, and return a 429 response (with a Retry-After header) to let the caller know he should wait a short time before a new request will be accepted.
When initiating a new sync we see many export errors are logged because of the 429 responses. It seems that the provisioning process does not recognise the 429 response and just continues running export requests, which will all fail. The failures are retried after 40 minutes but a lot of them will run into the rate-limit again.
Does the Azure provisioning process support rate-limit responses from the SCIM service? How should our service respond (what headers, body) to make the provisioning process wait (a specified time) after a 429 response before continuing?
A response we got was as follows:
For Bring On Your Application (BOYA) SCIM, there is currently no way to control the rate that Azure AD sends web requests and as such the application will need to handle requests coming from Azure AD without generating 429 responses.
So my next question would be, is the Azure team planning on implementing any support for rate limiting? The sheer amount of requests during an initial sync requires moderation in the amount of requests or it will quickly become more than our servers can handle, especially when you scale this up to dozens/hundreds of customers, each with thousands of users/groups.
Currently it is resulting in a quarantine by Azure, and it is something our customers are running into occasionally. I would think that when dealing with a large amount of requests, this would be a very welcome feature.
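The service-side behaviour described in the post, as an added example that is not the poster's code: a per-tenant token bucket that answers an over-limit SCIM request with 429, a Retry-After header in seconds, and an RFC 7644 error body. The bucket capacity, refill rate, tenant ids and function names are assumptions made for illustration; it shows only the server side, not how the provisioning caller reacts.

```python
import json
import math

SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class TenantBucket:
    """Token bucket for one tenant; capacity and refill rate are assumed values."""

    def __init__(self, capacity=20, refill_per_sec=5.0, now=0.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def take(self, now):
        """Return 0 if the request is admitted, else whole seconds to wait."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0
        return math.ceil((1.0 - self.tokens) / self.refill_per_sec)


def handle_scim_request(buckets, tenant_id, now):
    """Return (status, headers, body) for one provisioning request."""
    bucket = buckets.setdefault(tenant_id, TenantBucket(now=now))
    wait = bucket.take(now)
    if wait == 0:
        return 200, {}, None  # the real SCIM handler would run here
    body = json.dumps({
        "schemas": [SCIM_ERROR_SCHEMA],
        "status": "429",
        "detail": "Rate limit exceeded; retry after %d seconds." % wait,
    })
    headers = {"Content-Type": "application/scim+json", "Retry-After": str(wait)}
    return 429, headers, body


def simulate_burst(n_requests, tenant_id="tenant-a", spacing=0.01):
    """Constructed burst: n requests 10 ms apart, like an initial sync."""
    buckets = {}
    return [handle_scim_request(buckets, tenant_id, i * spacing)[0]
            for i in range(n_requests)]
```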