Claude AI - Entra Enterprise App - Deprovisioning Users

Johnathan Feist 0 Reputation points
2026-01-28T15:26:28.3733333+00:00

I have Claude AI set up with SCIM provisioning in an Entra Enterprise App. When I add users to the app, they are created in Claude AI with no issues. When I remove members from the app in Entra, the users don't deprovision.

Details

Error code: SystemForCrossDomainIdentityManagementServiceIncompatible

Error message:

StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: {"scimType":"invalidSyntax","detail":"Invalid SCIM Patch: Impossible to search on a mono valued attribute.","schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"400"}. This operation was retried 0 times. It will be retried again after this date: 2026-01-27T21:49:50.5340673Z UTC

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Q&A Assist
    2026-01-28T15:26:40.8933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The error you are encountering, SystemForCrossDomainIdentityManagementServiceIncompatible, along with the message indicating an "Invalid SCIM Patch: Impossible to search on a mono valued attribute," suggests that there is a problem with the SCIM request being sent during the deprovisioning process. This typically occurs when the SCIM endpoint does not support the operation being attempted, particularly if it involves modifying a mono-valued attribute incorrectly.

    To resolve this issue, you should ensure that your SCIM implementation correctly handles the deprovisioning requests. Here are some recommendations:

    1. Check SCIM Compliance: Ensure that your SCIM endpoint is compliant with the SCIM 2.0 specifications, particularly regarding how it handles PATCH requests. The error indicates that the request may be trying to modify a mono-valued attribute in a way that is not allowed.
    2. Review the Deprovisioning Logic: Make sure that the logic for deprovisioning users in your application correctly follows the SCIM protocol. This includes properly formatting the PATCH or DELETE requests as required.
    3. Test with Valid Requests: Use valid SCIM requests to test the deprovisioning process. For example, a typical deprovisioning request might look like this:
         DELETE /Users/{userId} HTTP/1.1
         Authorization: Bearer ...
      
    4. Consult Documentation: Refer to the Microsoft Entra provisioning service documentation for guidance on how to handle deprovisioning and ensure that your application can process both soft-deletes and hard-deletes appropriately.

    If the issue persists, consider reaching out to the support team for Claude AI or Microsoft Entra for more specific troubleshooting assistance.
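
An added example, not part of the original thread and not code from Microsoft or Anthropic: a small checker that flags SCIM PatchOp operations whose `path` applies a value filter to a single-valued attribute, which is one reading of the "Impossible to search on a mono valued attribute" error. The thread does not show the PATCH body Entra sent, so both sample bodies are constructed and the function names are hypothetical.

```python
import json

# Multi-valued attributes of the SCIM core User schema (RFC 7643, section 4.1.2)
# plus Group "members". Assumption: any other attribute is single-valued
# (custom extension attributes would need to be added to this set).
MULTI_VALUED = {"emails", "phonenumbers", "ims", "photos", "addresses", "groups",
                "entitlements", "roles", "x509certificates", "members"}

def filtered_attribute(path):
    """Return the attribute a valuePath filter ("attr[filter]") targets, else None."""
    if not path or "[" not in path:
        return None
    attr_path = path.split("[", 1)[0]                      # text before the filter
    return attr_path.rsplit(":", 1)[-1].split(".", 1)[0]   # drop schema URN prefix

def check_patch(body):
    """List PatchOp operations whose path filters on a single-valued attribute."""
    msg = json.loads(body) if isinstance(body, str) else body
    findings = []
    for i, op in enumerate(msg.get("Operations", [])):
        attr = filtered_attribute(op.get("path"))
        if attr and attr.lower() not in MULTI_VALUED:
            findings.append(f"Operations[{i}]: filter on single-valued "
                            f"attribute '{attr}' in path {op['path']!r}")
    return findings

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: soft-delete expressed as a plain attribute path.
SOFT_DELETE_OK = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "active", "value": False}]})

# Constructed sample: same intent, but the path carries a filter on "active".
SOFT_DELETE_FILTERED = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": 'active[value eq "True"]', "value": False},
    {"op": "replace", "path": 'emails[type eq "work"].value', "value": "a@example.com"}]})

if __name__ == "__main__":
    for name, body in (("ok", SOFT_DELETE_OK), ("filtered", SOFT_DELETE_FILTERED)):
        print(name, check_patch(body) or "no findings")
```

Running it against the request body recorded for the failed deprovisioning attempt shows whether the rejected operation has this shape before the case goes to either vendor's support.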

