Some User creation failed in Azure AD Enterprise App

Question

Some User creation failed in Azure AD Enterprise App

Ananay Ojha 91

Hi Everyone,

I folllowed a tutorial to establish SSO with AWS using Azure AD User and Groups. For this I enabled Auto provisioning of assigned users in my enterprise app (AWS). Suprisingly out of 4 users assigned only 1 user succesfully created and I am able to SSO with that user, while other user creation failed. I have also attached the screenshots

Please help me resolve this.

Thanks

1 answer

Your answer

Answer 1

Danny Zollner 10,816 Microsoft Employee Moderator

The information you need is likely in one of the other tabs of the provisioning logs - I'm not sure which it would be in.

I was able to find this provisioning activity in our backend logs, however. It looks like this is failing due to an error about a duplicate resource (user) existing. That error is generated by AWS, and to understand the logic behind when and why AWS' SCIM server returns that error you would need to reach out to their support team.

Ananay Ojha 91 Reputation points

2022-02-18T03:57:34.783+00:00

Hi @Anonymous ,

Firstly thanks for answering I'll try to contact AWS Support for this.
If possible, please explain that even my root account (with which I signed up for Azure subscription) user creation failed. But for other IAM Users, only the one with a Microsoft account was successful while others failed.
Danny Zollner 10,816 Reputation points Microsoft Employee Moderator

2022-02-18T04:55:59.803+00:00
I don't fully understand the question you're asking but I'll try to answer with some helpful information:

Our provisioning service uses the SCIM standard to provision to other services such as AWS SSO. The flow that is happening here is:

Azure AD does a SCIM GET call to /Users?filter=userName eq "******@y.com"

AWS responds saying no user with that userName value exists

Azure AD, seeing that no user appears to exist, sends a SCIM POST request to create a user with userName = "******@y.com"

AWS responds to the POST request with an error saying "Refused to create a new duplicate resource"

The error from AWS does not explicitly say that it is a duplicate userName value causing the issue - it could be another value such as the email address that is also being used to check for duplicates. This is where help from AWS support is needed, as Azure AD merely checks to see if the user exists and then tries to create it. The rejection of that attempt comes from AWS.
JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator

2022-02-22T17:53:20.657+00:00

@Ojha18a-0713
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Some User creation failed in Azure AD Enterprise App

1 answer

Your answer