Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
SCIM User Provisioning with Salesforce (via External Client App) results in Time out
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 39%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
EelkeN
0
Reputation points
Hi there!
We set up user provisioning between Entra and Salesforce some time ago using the pre-integrated enterprise app. This allows you to enter the credentials of your admin API user in Salesforce. This works perfectly and are really happy with it.
However, we've heard that Salesforce is changing how you can use their API. This will soon be done via an External Client App that handles incoming API traffic. This means that user provisioning from Entra to Salesforce will no longer be possible using an admin username and password.
We are currently setting up a custom enterprise application where you connect via the OAuth2 Client Credentials method, using the Tenant URL, Token Endpoint, Client ID, and Client Secret we obtained from the External Client App.
The connection is successful. The problem is when we try to test with a user via provisioning on demand. It keeps loading until an error occurs:
Status Code: Request Timeout Message: Processing the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: A request timed out. The request was to https://(tenant).my.salesforce.com/services/scim/v2. The timeout was 60,000.00 milliseconds.
We see in the audit logs that it does indeed find the user in Salesforce and has matched it with the Entra user. So the GET method works, but as soon as it tries to perform a PATCH or POST at the "Perform Action" step, it hangs until it times out.
I've attached our attribute mapping and provision error.
Any idea what's going wrong here? And is Microsoft aware that this change is about to take place and that the pre-registered Salesforce application will likely no longer work?
Many thanks!
Eelke
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 8,600 Reputation points Microsoft External Staff Moderator2025-11-10T15:03:19.44+00:00 Hello EelkeN,
Salesforce's deprecation of username/password API authentication is the root of the problem. After setting up your OAuth2 Client Credentials: GET operates because the token has read access. PATCH/POST times out: Either the necessary headers or payload are missing, or the application does not have SCIM write permissions.
To fix the problem:
- Make that the Salesforce External Client App has all SCIM write rights. To confirm access, test SCIM PATCH/POST calls directly using the OAuth token (Postman or curl).
- The pre-integrated Salesforce app will no longer function with OAuth2; instead, use a custom enterprise app in Entra ID. Provisioning will be successful once write permissions and mappings are accurate.
Let me know if any further queries - feel free to reach out!
-
EelkeN 0 Reputation points
2025-11-11T08:21:02.07+00:00 Hi @Rukmini ,
Thank you for your answer.
We have tried using Postman with the same credentials and we are able to update a user with that.
I also tried using Power Automate to test if that worked as well and it did with no delay.I used the following body for that (example):
PATCH https://mycompany.my.salesforce.com/services/scim/v2/Users/<userid> { "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], "Operations": [ { "op": "replace", "value": { "nickName": "user2" } } ] }My guess is that there is nothing wrong with the permissions since it works with PA and PM right?
The selected OAuth scopes in the client app are:You are talking about maybe the necessary headers or payload are missing. I don't know what body Entra is using when trying to perform a PATCH or POST. The pre registered salesforce app was build to communicate with salesforce so we had no problems there. It is possible that the custom app uses the wrong body or target object? Or maybe it is related to the attribute mapping?
I hope you can assist further! :)
-
Rukmini 8,600 Reputation points Microsoft External Staff Moderator
2025-11-11T08:51:55.5433333+00:00 EelkeN, You're correct that scopes and permissions are acceptable because PATCH functions in Postman and Power Automate. The way Entra transmits the SCIM payload is the problem. The request may hang because the general SCIM 2.0 schema used by the custom enterprise application does not entirely match Salesforce's required PATCH format or attribute structure.
To resolve:
- Make your attribute mappings simpler by starting with just one or two important fields, such as nickName.
- Make that the Content-Type: application/scim+json header is supported by Salesforce's SCIM endpoint.
- Examine Entra's provisioning logs (Verbose) to see if the payload matches your successful Postman call. The provisioning will function after the payload and mapping match Salesforce's SCIM format.
-
EelkeN 0 Reputation points
2025-11-11T12:17:27.92+00:00 Hi @Rukmini
I have now 2 attributes for testing (nickName and userName). Still goes to time out.
Where can I see the payload of what Entra pushes to Salesforce?
The only details is see is this:Are we able to modify the body of what entra sends to the target app (Salesforce)?
If that is the problem ofcourse -
Rukmini 8,600 Reputation points Microsoft External Staff Moderator
2025-11-11T12:24:22.1266667+00:00 EelkeN, By selecting Audit Log Level = Verbose under Provisioning → Settings in Entra and then looking at the Request/Response part of the most recent provisioning log, you may see the payload. The payload is automatically created using your attribute mappings and SCIM schema; it cannot be altered. Salesforce's new External Client App probably doesn't completely support SCIM writes if PATCH/POST continues to time out.
-
-
EelkeN 0 Reputation points
2025-11-12T12:03:56.42+00:00 @Rukmini There is no payload visible. I only can find the details shown in the last image.
How can we fix this? I can assume we're not the only company facing this issue right? Salesforce is used by a lot of companies world wide where user provisioning is a must have. There is just so little information available online how to set up user provisioning between Entra and Salesforce (External Client App) correctly.
If the payload is the issue (highly likely) and we can't change that, will Microsoft build a new pre registered application that connects with the External Client App in stead of a admin user?
-
EelkeN 0 Reputation points
2025-11-12T12:13:28.77+00:00 @Rukmini There is no payload visible. I only can find the details shown in the last image.
How can we fix this? I can assume we're not the only company facing this issue right? Salesforce is used by a lot of companies world wide where user provisioning is a must have. There is just so little information available online how to set up user provisioning between Entra and Salesforce (External Client App) correctly.
If the payload is the issue (highly likely) and we can't change that, will Microsoft build a new pre registered application that connects with the External Client App in stead of a admin user?
-
Sign in to comment
Sign in to answer