Azure AD User Provisioning with SCIM 2.0
I'm trying SCIM 2.0 provisioning with Azure AD
As premise, I have SCIM a server for my product and I'm implementing PATCH endpoints for use with Okta and Microsoft Azure AD.
I'm done testing with Okta, so I'm trying with Azure AD now.
I read this post active-directory-scim-provisioning and the SCIM 2.0 Specification Section 3.5.2.
I set up an enterprise application on our Azure AD with the following mapping
Then, Azure AD sends the following JSON POST request to create users assigned to the application to my server:
POST:
{
"active": true,
"displayName": "$DISPLAY_NAME",
"emails": [
{
"primary": true,
"type": "work",
"value": "$EMAIL"
}
],
"externalId": "$EXTERNAL_ID",
"meta": {
"resourceType": "User"
},
"name": {
"formatted": "$FORMATTED"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"userName": "$USER_NAME"
}
I can process the POST request correctly, but I am unable to consume the PATCH request from Azure AD.
PATCH:
{
"Operations": [
{
"op": "Replace",
"path": "name.givenName",
"value": [
{
"$ref": null,
"value": "$VALUE"
}
]
},
{
"op": "Replace",
"path": "name.familyName",
"value": [
{
"$ref": null,
"value": "$VALUE"
}
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Is it correct (according to the specification) that the value attribute is of type Array, even if the target is a single-valued attribute? Is the use of the $ref attribute correct in this case?
Or did I misunderstand the specification?
They made a mistake on the value implementation for non-complex objects. You can read more about it here https://social.msdn.microsoft.com/Forums/lync/en-US/e2200b69-4333-41ea-9f51-717d316c7751/automatic-user-provisioning-scim-restful-patch-payload-issue?forum=WindowsAzureAD
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs
- REST API service when called from azure APIM returning empty response body with Status code 200
- How to register your Azure resource as an Application in Azure Active Directory?
- Is it possible to add multiple audiences to AAD bearer token?
- Non-interactive way to authenticate to Azure AD using AADInternals?
- I am trying to update an existing user i made through graph api in my code, but i get a 403 error back from azure graph api
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Getting a token from Microsoft Intra ID with PostMan using MFA
- MSAL for non-SPA? Server side authentication?
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow