When will Azure AD support OIDC SSO non-gallery apps with SCIM provisioning?

Kevin Frey 6 Reputation points

It appears that if I want to have a non-gallery Enterprise app in Azure AD that supports OIDC SSO and also SCIM provisioning, Azure AD provides no easy way to do this. We cannot register a gallery app because the app is on-premise and not SaaS/cloud-based.

A similar question asked on here suggests two non-gallery enterprise apps are required, one for OIDC (presumably created via an App Registration because otherwise there is no OIDC SSO option), and another for SCIM. That then requires every user/group to be added to both apps independently, doesn’t it, which seems an undesirable maintenance burden?

Is that the best Microsoft can do? When will this work properly, using just one Enterprise app? Especially when it seems Microsoft is favouring OIDC over SAML?

Is it at least a planned capability on the roadmap?

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 33,706 Reputation points Microsoft Employee

    Hi @Kevin Frey ,

    I understand that you are looking for an ETA for when Azure AD will support OIDC non-gallery apps with SSO and SCIM provisioning. Right now there are some technical limitations preventing this capability due to the way the SCIM connector works. The product team aims to support this in the future but does not have an ETA for this capability yet.

    As you mentioned, the workaround right now is to use two non-gallery apps, one for OIDC SSO and one for SCIM provisioning.

    If you would like to make a request for this feature, you can create one in the Microsoft Ideas forum: https://feedback.azure.com/

    If you create a feature request there I will bubble it up with the product team. You can also check for updates on the Release Notes page for Azure AD.
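
Added example, not part of the original question or answer: with the two-app workaround, assignments on the OIDC app and the SCIM app can drift apart, leaving users who can sign in but are never provisioned, or accounts that stay provisioned after sign-in access is removed. The sketch below compares the two assignment lists. It assumes records in the shape of Microsoft Graph `appRoleAssignment` objects (as returned by `GET /servicePrincipals/{id}/appRoleAssignedTo`), uses constructed sample data and hypothetical function names, and compares direct assignments only, without expanding group membership.

```python
# Added example: detect assignment drift between the two enterprise apps
# used in the OIDC + SCIM workaround. All sample data below is constructed.

def principals(assignments):
    """Map principalId -> (principalType, principalDisplayName) for one app."""
    return {
        a["principalId"]: (a["principalType"], a.get("principalDisplayName", ""))
        for a in assignments
    }

def assignment_drift(sso_assignments, scim_assignments):
    """Return the principals that are assigned to only one of the two apps."""
    sso = principals(sso_assignments)
    scim = principals(scim_assignments)
    return {
        # Can sign in through the OIDC app but is never provisioned via SCIM.
        "sso_only": sorted((p, *sso[p]) for p in sso.keys() - scim.keys()),
        # Still provisioned via SCIM but not assigned to the sign-in app.
        "scim_only": sorted((p, *scim[p]) for p in scim.keys() - sso.keys()),
    }

def _row(suffix, ptype, name):
    """Build one constructed assignment record (placeholder GUIDs)."""
    return {
        "principalId": f"00000000-0000-0000-0000-{suffix:012d}",
        "principalType": ptype,
        "principalDisplayName": name,
    }

# Constructed sample: assignments on the OIDC SSO app.
SSO_APP = [
    _row(1, "User", "Alice Example"),
    _row(2, "Group", "App Operators"),
    _row(3, "User", "Carol Example"),
]
# Constructed sample: assignments on the SCIM provisioning app.
SCIM_APP = [
    _row(1, "User", "Alice Example"),
    _row(2, "Group", "App Operators"),
    _row(4, "User", "Dave Example"),
]

if __name__ == "__main__":
    for side, rows in assignment_drift(SSO_APP, SCIM_APP).items():
        for pid, ptype, name in rows:
            print(f"{side}: {ptype} {name} ({pid})")
```

Assigning the same group to both apps and managing membership in one place keeps both lists empty by construction.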