Adding members to a group triggers both add and replace SCIM operations

Blair 6 Reputation points
2021-06-10T14:52:49.193+00:00

I have user and group provisioning set up for an enterprise application in Azure AD. I have a SCIM endpoint set up in my application to consume the SCIM requests from Azure AD. I added this feature flag to my tenant URL to ensure SCIM compliance: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior

I have a group assigned to the enterprise application for provisioning to my application. When I add users to that group in Azure AD, I'm seeing two PATCH requests to the Groups/:id SCIM endpoint. The first is an add operation, which I expect because I'm adding this user as a member of the group:

{  
    "schemas": [  
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"  
    ],  
    "Operations": [  
        {  
            "op": "add",  
            "path": "members",  
            "value": [  
                {  
                    "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"  
                }  
            ]  
        }  
    ]  
}  

The second PATCH request is a replace operation, which is unexpected as I'm not replacing all users in a group with the one member being added:

{  
    "schemas": [  
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"  
    ],  
    "Operations": [  
        {  
            "op": "replace",  
            "path": "members",  
            "value": [  
                {  
                    "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"  
                }  
            ]  
        }  
    ]  
}  

The SCIM protocol RFC outlines the difference between the add and replace operations in PATCH requests. If users are added as members of a group, there should only be an add operation, not a replace operation. Is there any way to configure Azure so it only sends add operations in this situation? Thanks!
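To make concrete why the second PATCH matters, here is an added example (not code from the question, from Azure AD, or from Microsoft) of a minimal in-memory SCIM group store that applies the "add", "replace" and "remove" semantics RFC 7644 section 3.5.2 defines for the multi-valued "members" attribute. It replays the two PATCH bodies from the question against a group that already has two members (the pre-existing member IDs and the group ID are constructed for the example) and shows that, under RFC semantics, the "replace" request silently drops every member not listed in it. The `replace_would_drop_members` helper is a hypothetical check an endpoint could run before applying a request, so the problem shows up in the server's own logs instead of as missing group members.

```python
"""Applying SCIM 2.0 PatchOp operations to a group's "members" attribute.

Added example, not the question's or Azure AD's code. The group below and
its two pre-existing member IDs are constructed; the two PATCH bodies are
the ones quoted in the question.
"""
import copy

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: a group that already has two members before the
# PATCH requests from the question arrive.
EXISTING_GROUP = {
    "id": "group_constructed_01",
    "displayName": "Example Group",
    "members": [
        {"value": "directory_user_constructed_A"},
        {"value": "directory_user_constructed_B"},
    ],
}

# The two PATCH bodies from the question (same content, compact layout).
PATCH_ADD = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "add", "path": "members",
         "value": [{"value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"}]}
    ],
}
PATCH_REPLACE = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "replace", "path": "members",
         "value": [{"value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"}]}
    ],
}


def _member_ids(members):
    return [m["value"] for m in members]


def apply_members_patch(group, patch):
    """Return a copy of `group` with the PatchOp applied to "members".

    RFC 7644 3.5.2 semantics for a multi-valued attribute:
      add     -> append values not already present (idempotent)
      replace -> the supplied list becomes the complete membership
      remove  -> delete the listed members (all of them if no value given)
    Only "path": "members" is handled here; anything else is rejected.
    """
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    result = copy.deepcopy(group)
    for operation in patch.get("Operations", []):
        op = operation.get("op", "").lower()
        if operation.get("path") != "members":
            raise ValueError(f"unsupported path: {operation.get('path')!r}")
        values = operation.get("value", [])
        current = result.setdefault("members", [])
        if op == "add":
            present = set(_member_ids(current))
            for member in values:
                if member["value"] not in present:
                    current.append({"value": member["value"]})
                    present.add(member["value"])
        elif op == "replace":
            # The operation the question flags: every member not in the
            # supplied list is discarded.
            result["members"] = [{"value": m["value"]} for m in values]
        elif op == "remove":
            drop = {m["value"] for m in values}
            result["members"] = [] if not values else [m for m in current if m["value"] not in drop]
        else:
            raise ValueError(f"unsupported op: {op!r}")
    return result


def members_after(group, patches):
    """Apply PATCH requests in order and return the resulting member IDs."""
    for patch in patches:
        group = apply_members_patch(group, patch)
    return _member_ids(group["members"])


def replace_would_drop_members(group, patch):
    """Hypothetical pre-apply check: member IDs a "replace" on "members"
    would remove. An endpoint can log or alert on a non-empty result."""
    dropped = []
    for operation in patch.get("Operations", []):
        if operation.get("op", "").lower() == "replace" and operation.get("path") == "members":
            keep = {m["value"] for m in operation.get("value", [])}
            dropped.extend(mid for mid in _member_ids(group.get("members", [])) if mid not in keep)
    return dropped


if __name__ == "__main__":
    print("after add only:    ", members_after(EXISTING_GROUP, [PATCH_ADD]))
    print("after add+replace: ", members_after(EXISTING_GROUP, [PATCH_ADD, PATCH_REPLACE]))
    print("replace would drop:", replace_would_drop_members(EXISTING_GROUP, PATCH_REPLACE))
```

Running it shows the add request growing the group to three members, while the following replace request shrinks it to the single member that was just added. Whether a real SCIM server should honor that replace literally, or treat it as an idempotent repeat of the add, is exactly what the question is asking Microsoft to clarify; the check in `replace_would_drop_members` at least makes the difference observable.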

Microsoft Entra ID

3 answers

  1. Blair 6 Reputation points
    2021-06-11T21:11:31.917+00:00

    Hi @James Hamil !

    It seems to be a recent issue, but I haven't been using SCIM provisioning for very long. We do see two PATCH operations when adding a user to a group most of the time. It can be inconsistent, though.

    It doesn't matter if the two PATCH operations are both add operations, but the issue comes when the second PATCH operation is a replace.

    In this case, adding a user to a group in Azure AD, we would only expect an add operation and not a replace.

    Thanks!
    Blair


  2. James Hamil 23,061 Reputation points Microsoft Employee
    2021-06-14T21:28:55.983+00:00

    Hi @Blair , I agree with @Anonymous . I can set you up with a free support ticket! Please email "azcommunity@microsoft.com" with subject "ATTN: James Hamil" with your subscription ID and I can help you out! Please mark this answer as "Verified" so other users may reference it, and I will post back here when we find a solution.

    Best,
    James


  3. Eduardo de Borba 0 Reputation points
    2024-07-19T22:32:11.5766667+00:00

    Hi @James Hamil,

    I'm seeing a very similar issue. Is there a fix for this already?
