Disable displayName filter SCIM Groups API

VaishnaviAjitKumar-6022 41 Reputation points
2022-07-12T11:43:08.43+00:00

Hi,
Is there a way to prevent the displayName from being added to the SCIM Groups GET API?
Currently, the API looks like this:
/Groups?excludedAttributes=members&filter=displayName+eq+%22TEST%22",

How do I disable filters such that the API looks like this
/scim/v2/62c53c6618728d002f69cb88/Groups?excludedAttributes=members

Thanks,
Vaishnavi


Answer accepted by question author

Danny Zollner 10,831 Reputation points Microsoft Employee Moderator
2022-07-14T15:33:24.6+00:00

Hi @VaishnaviAjitKumar-6022 - the way that our provisioning service works is that whenever a new object is being processed for the first time, our service tries to determine if a matching object exists in the connected SCIM directory. For users, we will send GET /Users?filter=userName eq "xyz" (or potentially filtering on emails[type eq "work"].value or externalId instead), and for groups we must identify between systems using either displayName or externalId. Once we've identified if there is a group or not, we either match and send any required updates, or we create a new group via POST.

In either case, matching or creating a new object, at the end we will know the SCIM id value and store that in the provisioning system. After that, we will always make calls to known resources such as GET /Groups/123?excludedAttributes=members. That id value - "123" - isn't something we can know immediately, and the use of filters on friendly names that would be shared across systems (userName, displayName, etc.) is required for the system to work.

This behavior is not changeable. You can alter what attribute is used as a matching attribute, but you cannot avoid having a matching attribute.

1 person found this answer helpful.
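
The lookup sequence described in the accepted answer, seen from the SCIM endpoint's side, as an added example (not code from Microsoft or from either answer). It accepts only the single `attribute eq "value"` matching filter on displayName or externalId, rejects anything else with `invalidFilter`, and returns an empty ListResponse when nothing matches; the `GROUPS` store, `get_groups` function and sample values are assumptions made up for illustration, and string comparison is exact for simplicity.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample directory; the id, names and member are made up.
GROUPS = {
    "123": {"id": "123", "displayName": "TEST", "externalId": "ext-1",
            "members": [{"value": "u1"}]},
}
MATCHABLE = {"displayName", "externalId"}  # attributes allowed for matching
# Accept only one `attr eq "value"` clause; no operators, paths or escapes.
FILTER_RE = re.compile(r'^(\w+) eq "([^"\\]*)"$')
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _render(group, excluded):
    """Drop attributes named in excludedAttributes (id is always returned)."""
    return {k: v for k, v in group.items() if k not in excluded}


def get_groups(url):
    """Return (status, body) for GET .../Groups?... or GET .../Groups/<id>?..."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # decodes '+' and %22 in the filter
    excluded = set(",".join(query.get("excludedAttributes", [])).split(","))
    excluded.discard("id")
    path = parts.path.rstrip("/")
    if not path.endswith("/Groups"):
        # Known-resource call: the client already stored the SCIM id.
        group = GROUPS.get(path.rsplit("/", 1)[-1])
        if group is None:
            return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
        return 200, _render(group, excluded)
    matches = list(GROUPS.values())
    if "filter" in query:
        m = FILTER_RE.match(query["filter"][0])
        if not m or m.group(1) not in MATCHABLE:
            return 400, {"schemas": [ERROR_SCHEMA], "status": "400",
                         "scimType": "invalidFilter"}
        # Compare in memory; the filter text never reaches a backend query.
        matches = [g for g in matches if g.get(m.group(1)) == m.group(2)]
    # No match is a 200 with totalResults 0, which leads the client to POST.
    return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches),
                 "Resources": [_render(g, excluded) for g in matches]}
```
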

1 additional answer

  1. Shweta Mathur 30,456 Reputation points Microsoft Employee Moderator
    2022-07-14T06:17:03.133+00:00

    Hi @VaishnaviAjitKumar-6022 ,

    Thanks for reaching out.

    I understand you are trying to retrieve the group details, specifying that the members attribute is to be excluded from any resource provided in response to the request, and do not want to filter requests on a member attribute, i.e. displayName in this case.

    You can directly get the group details without filtering on any member attribute using GET /Groups/<id>?excludedAttributes=members HTTP/1.1

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#get-group

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------

    Please remember to "Accept Answer" if the answer helped you.
