If you were to build an enterprise SaaS app today, what would be the preferred protocol/endpoint to obtain the list of users, emails and groups from an Azure AD deployment?
Historically this was done via an LDAP connection to an Active Directory Domain Controller, and I see that Azure offers an LDAPS service (Azure AD DS).
ADFS, which is quite widespread, is just a SAML-compatible IdP, but it doesn't seem to provide an API for listing the directory of users.
The Microsoft Graph API seems to be able to provide at least some of this information, but it seems to be fairly new and very widespread. There's also something called SCIM that appears to have broader support, but it doesn't seem to be super popular on enterprise cloud apps either.
My research has shown that the apparent right answer for this problem is to implement SCIM 2.0 APIs on the product.
The main annoyance of the approach is that SCIM 2.0 is a protocol that is triggered by the directory provider (i.e. a SaaS app will receive an API call from Azure AD when a user needs to be created or updated, instead of the SaaS app contacting a directory endpoint to fetch the information when it is needed).
This creates a few annoyances such as potential race conditions when updating user information in the middle of application processes, or the fact that updates to the directory can't be triggered at convenient times (such as nightly, for example). Debugging/testing is also more problematic.
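To make the push model described in this answer concrete, here is an added example (not code from the poster or from Microsoft) of the server-side logic a SaaS app needs to be a SCIM 2.0 provisioning target for Azure AD: a bearer-token check, POST /Users, GET /Users/{id} and PATCH /Users/{id} with PatchOp. The HTTP framing is left out so it runs stand-alone; the token value, user identifiers and request payloads are constructed, and the handling of booleans arriving as the strings "True"/"False" reflects behaviour observed from Azure AD provisioning rather than anything the SCIM RFCs require. Filter paths such as `emails[type eq "work"].value` are deliberately rejected with a 400 rather than half-handled, and `meta.version` is bumped on every PATCH so the app's own processes can detect that the IdP changed a record underneath them (the race condition mentioned above).

```python
"""Minimal SCIM 2.0 /Users endpoint logic for an Azure AD provisioning target (added example)."""
import copy
import hmac
import uuid
from datetime import datetime, timezone

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed shared secret (assumption). In practice the app generates this and the admin
# pastes it into the Azure AD provisioning configuration as the "Secret Token".
BEARER_TOKEN = "example-provisioning-token"


def _error(status, detail, scim_type=None):
    """SCIM error response body (RFC 7644 section 3.12)."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def _coerce(value):
    """Azure AD has been observed sending booleans as the strings "True"/"False" in PATCH bodies."""
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def _walk(resource, path):
    """Resolve a dotted simple path (e.g. name.givenName) to (parent_dict, leaf_key)."""
    if "[" in path:
        raise ValueError('filter paths such as emails[type eq "work"].value are not handled here')
    *parents, leaf = path.split(".")
    node = resource
    for p in parents:
        node = node.setdefault(p, {})
    return node, leaf


def _now():
    return datetime.now(timezone.utc).isoformat()


class ScimUserStore:
    """In-memory store exposing the subset of SCIM 2.0 an IdP push needs: POST, GET, PATCH."""

    def __init__(self, token=BEARER_TOKEN):
        self._token = token
        self._users = {}

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        # Constant-time compare so the token cannot be recovered byte-by-byte via timing.
        return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:].encode(), self._token.encode())

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (http_status, json_body)."""
        if not self._authorized(headers):
            return _error(401, "invalid or missing bearer token")
        if method == "POST" and path == "/Users":
            return self.create(body)
        if path.startswith("/Users/"):
            user_id = path[len("/Users/"):]
            if method == "GET":
                user = self._users.get(user_id)
                return (200, copy.deepcopy(user)) if user else _error(404, "user not found")
            if method == "PATCH":
                return self.patch(user_id, body)
        return _error(501, "operation not implemented")

    def create(self, body):
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "core User schema and userName are required", "invalidValue")
        if any(u["userName"].lower() == body["userName"].lower() for u in self._users.values()):
            return _error(409, "userName already exists", "uniqueness")
        user = copy.deepcopy(body)
        user["id"] = str(uuid.uuid4())
        user["active"] = _coerce(user.get("active", True))
        user["meta"] = {"resourceType": "User", "created": _now(), "lastModified": _now(), "version": 'W/"1"'}
        self._users[user["id"]] = user
        return 201, copy.deepcopy(user)

    def patch(self, user_id, body):
        user = self._users.get(user_id)
        if user is None:
            return _error(404, f"User {user_id} not found")
        if SCIM_PATCH not in body.get("schemas", []):
            return _error(400, "PatchOp schema required", "invalidSyntax")
        updated = copy.deepcopy(user)  # apply to a copy: a rejected op leaves the stored record untouched
        for op in body.get("Operations", []):
            kind = op.get("op", "").lower()  # Azure AD sends "Replace"/"Add"; the op name is case-insensitive
            try:
                if kind in ("add", "replace") and "path" in op:
                    parent, leaf = _walk(updated, op["path"])
                    parent[leaf] = _coerce(op["value"])
                elif kind in ("add", "replace"):  # no path: value is a dict of attributes to merge
                    for k, v in op["value"].items():
                        parent, leaf = _walk(updated, k)
                        parent[leaf] = _coerce(v)
                elif kind == "remove":
                    parent, leaf = _walk(updated, op["path"])
                    parent.pop(leaf, None)
                else:
                    return _error(400, f"unsupported op {kind!r}", "invalidValue")
            except (ValueError, KeyError, AttributeError) as exc:
                return _error(400, str(exc), "invalidPath")
        # Bump the weak ETag so app code can detect that the IdP changed the record underneath it.
        n = int(updated["meta"]["version"].strip('W/"')) + 1
        updated["meta"]["version"] = f'W/"{n}"'
        updated["meta"]["lastModified"] = _now()
        self._users[user_id] = updated
        return 200, copy.deepcopy(updated)


def demo():
    """Constructed Azure AD-style exchange: provision a user, then a deprovision-style PATCH."""
    store = ScimUserStore()
    hdrs = {"Authorization": f"Bearer {BEARER_TOKEN}"}
    status, user = store.handle("POST", "/Users", hdrs, {
        "schemas": [SCIM_USER], "userName": "jdoe@contoso.example", "externalId": "0a1b2c3d",
        "name": {"givenName": "Jane", "familyName": "Doe"}, "active": True,
        "emails": [{"primary": True, "type": "work", "value": "jdoe@contoso.example"}],
    })
    assert status == 201
    status, user = store.handle("PATCH", f"/Users/{user['id']}", hdrs, {
        "schemas": [SCIM_PATCH],
        "Operations": [{"op": "Replace", "path": "active", "value": "False"},
                       {"op": "Replace", "path": "name.givenName", "value": "Janet"}],
    })
    return status, user, store


if __name__ == "__main__":
    s, u, _ = demo()
    print(s, u["active"], u["name"]["givenName"], u["meta"]["version"])
```

Wire `ScimUserStore.handle` behind whatever HTTP framework the product already uses, terminate TLS in front of it, and treat the bearer token like any other credential (rotate it, never log it). For debugging the pushes the answer complains about, logging each incoming PatchOp body (minus the Authorization header) alongside the resulting `meta.version` is usually enough to reconstruct what the IdP did and when.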