SCIM integration in Entra for Salesforce

Sharma, Santosh (IT-DEL) 0 Reputation points
2026-03-19T14:43:35.32+00:00

We are trying to set up SCIM in Microsoft Entra for the Salesforce application so that we can auto-provision users in Salesforce once we add the user to an AD group. The SCIM Test Connection is successful, but the users are not able to log in to the Salesforce application, and we are getting the error below in Entra.

Error code

SystemForCrossDomainIdentityManagementServiceIncompatibleFiltering

Error message

StatusCode: Conflict Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: {"schemas":"["urn:ietf:params:scim:api:messages:2.0:Error"]","detail":"REQUIRED_FIELD_MISSING:user_must_have_one_entitlement_which_must_be_a_profileid;","status":409}

Can someone check the above logs and share your feedback - how can we resolve this issue?

Microsoft Security | Microsoft Entra | Other

2 answers

  1. Sharma, Santosh (IT-DEL) 0 Reputation points
    2026-03-19T15:14:33.9766667+00:00

    Relevant document is not for Salesforce.

  2. Q&A Assist
    2026-03-19T14:44:02.1033333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The SCIM endpoint is returning HTTP 409 with the Salesforce-specific error REQUIRED_FIELD_MISSING:user_must_have_one_entitlement_which_must_be_a_profileid. This means Salesforce is rejecting the SCIM request because the user being provisioned does not have a required profile/entitlement set in the payload.

    From the Microsoft Entra side, the SCIM client is working (Test Connection succeeds), but the target SCIM service (Salesforce) is enforcing additional business rules beyond the base SCIM spec. To resolve this, the provisioning attribute mappings in the Salesforce enterprise app must be configured so that every provisioned user is sent a valid Salesforce profile/entitlement value.

    Actionable steps:

    1. Open the Salesforce enterprise application in Microsoft Entra admin center and go to Provisioning > Mappings for Users.
    2. Identify the attribute that Salesforce expects for the profile/entitlement (for example, a SCIM attribute like entitlements, profileId, or a Salesforce-specific extension attribute). This must match what the Salesforce SCIM endpoint requires.
    3. Map an appropriate Microsoft Entra attribute (for example, a fixed value, a group-based expression, or a user attribute) to this required Salesforce attribute so that every provisioned user receives a valid profile/entitlement.
    4. Ensure the mapping is marked as Required if Salesforce always requires it, and verify that the value being sent is valid in Salesforce (matches an existing profile/entitlement ID or name, depending on how Salesforce expects it).
    5. Save the mappings and run provisioning again (either on‑demand for a test user or wait for the next cycle). Confirm in the provisioning logs that the SCIM request now includes the required profile/entitlement attribute and that Salesforce returns 2xx instead of 409.

    If Salesforce still returns 409 after adding the mapping, review the Salesforce SCIM documentation or logs to confirm the exact attribute name and allowed values for the required entitlement/profile.


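A pre-flight check for the rule named in the 409 detail, as an added example that is not part of either answer and is not Microsoft or Salesforce code. It assumes the profile travels in the SCIM core `entitlements` attribute and that Salesforce profile IDs are 15 or 18 alphanumeric characters starting with `00e`; the function name and sample payloads are constructed for illustration.

```python
import re

# Assumption: Salesforce profile record IDs are 15 or 18 alphanumeric
# characters that begin with the key prefix "00e".
PROFILE_ID = re.compile(r"00e[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?")


def entitlement_problems(scim_user):
    """List the reasons a SCIM User payload would trip the rule in the 409
    detail: one entitlement, and its value must be a profile ID."""
    ents = scim_user.get("entitlements")
    if not ents:
        return ["no entitlements sent: mapping missing or source value empty"]
    if not isinstance(ents, list):
        return ["entitlements must be a multi-valued (list) attribute"]
    problems = []
    if len(ents) != 1:
        problems.append(f"expected one entitlement, found {len(ents)}")
    for i, ent in enumerate(ents):
        value = ent.get("value") if isinstance(ent, dict) else None
        if not isinstance(value, str) or not PROFILE_ID.fullmatch(value):
            problems.append(f"entitlements[{i}].value is not a profile ID: {value!r}")
    return problems


# Constructed sample payloads (user name and profile IDs are made up).
BASE = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "test.user@example.com", "active": True}
NO_MAPPING = dict(BASE)                       # attribute never mapped
NAME_NOT_ID = dict(BASE, entitlements=[{"value": "Standard User"}])
TWO_PROFILES = dict(BASE, entitlements=[{"value": "00e5g000001AbCdEAF"},
                                        {"value": "00e5g000001XyZwEAF"}])
VALID = dict(BASE, entitlements=[{"value": "00e5g000001AbCdEAF"}])

if __name__ == "__main__":
    for name, user in [("NO_MAPPING", NO_MAPPING), ("NAME_NOT_ID", NAME_NOT_ID),
                       ("TWO_PROFILES", TWO_PROFILES), ("VALID", VALID)]:
        print(name, entitlement_problems(user) or "ok")
```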
