Azure AD provisioning not provisioning assigned users

Gemma Schrum 1 Reputation point
2020-09-12T00:54:44.4+00:00

We are an enterprise application provider and we have had several customers recently run into the same issue when provisioning users from Azure Active Directory into our application using SCIM.

The main issue is that provisioning does not seem to even attempt to provision users or groups that have been assigned to our application. When running provisioning, the provisioning logs do not show any attempts to provision any user.

Each user has been assigned to the 'default access' role and there are no scoping filters set up.

We can successfully provision users using the 'provision on demand' approach.

Audit logs indicate that provisioning was run and completed.

Another oddity is that this only seems to be applying to newer customers. Our own test environment works correctly even when set up exactly the same as our customers'. Could this be due to the changes made in April 2020 to the 'default access' role?

We have attempted to resolve the issue by using the "Clear current state and restart synchronization" option as well as removing and reinstalling the application but these did not have any effect.

Any help would be very appreciated!


1 answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-09-14T07:59:52.703+00:00

    Hello @Gemma Schrum ,

    I don't think this is due to the change in April 2020 as, if that were the case, multiple customers would have reported the issue by now. However, it would be difficult to provide a confirmation without looking into the backend logs. As documented here, after July 2020, the behavior must be uniform for all applications where user provisioning configuration was done before and after 04/16/2020.

    I would suggest you gather the information below from one of the problematic tenants and get a support ticket opened:

    • Job ID from the provisioning blade, as highlighted below:
    • UPN and Object ID of the users assigned to the application.
    • Client ID/App ID of the application.
    • Time when you last did "Clear current state and restart synchronization". It must have been done within the last 30 days.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

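The gap the question describes (users assigned to the app, yet no attempt for them in the provisioning logs) and the facts the answer asks for can be collected in one place. The following is an added example, not code from the question, the answer or Microsoft; the record shapes follow the Microsoft Graph appRoleAssignment (`servicePrincipals/{id}/appRoleAssignedTo`) and provisioningObjectSummary (`auditLogs/provisioning`) resources as assumed here, and every ID and name is a constructed placeholder.

```python
# Cross-check the principals assigned to an enterprise app against the entries
# its provisioning job wrote, to list assigned users the job never attempted.
# Added example, not from the question or answer. Record shapes are assumed to
# match Graph appRoleAssignment and provisioningObjectSummary; all values are
# constructed placeholders, not real tenant data.
from collections import Counter

JOB_ID = "scim.job.placeholder"                    # constructed job ID (provisioning blade)
APP_ID = "00000000-0000-4000-8000-000000000000"    # constructed client/app ID
ALICE = "11111111-1111-4111-8111-111111111111"     # constructed user object IDs
BOB = "22222222-2222-4222-8222-222222222222"
PILOT_GROUP = "33333333-3333-4333-8333-333333333333"

# Constructed appRoleAssignment records: two users and one group assigned to the app.
ASSIGNMENTS = [
    {"principalId": ALICE, "principalDisplayName": "alice@contoso.example", "principalType": "User"},
    {"principalId": BOB, "principalDisplayName": "bob@contoso.example", "principalType": "User"},
    {"principalId": PILOT_GROUP, "principalDisplayName": "SCIM Pilot", "principalType": "Group"},
]

# Constructed provisioning log entries: this job only ever attempted alice;
# bob's entry belongs to a different job and must not count.
PROVISIONING_LOGS = [
    {"jobId": JOB_ID, "provisioningAction": "Create",
     "sourceIdentity": {"id": ALICE, "identityType": "User"},
     "provisioningStatusInfo": {"status": "Success"}},
    {"jobId": "some.other.job", "provisioningAction": "Create",
     "sourceIdentity": {"id": BOB, "identityType": "User"},
     "provisioningStatusInfo": {"status": "Failure"}},
]

def attempted_ids(logs, job_id):
    """Object IDs of every source identity for which job_id wrote a log entry."""
    return {e["sourceIdentity"]["id"] for e in logs if e.get("jobId") == job_id}

def never_attempted(assignments, logs, job_id, principal_type="User"):
    """Assigned principals of the given type with no log entry at all for job_id."""
    seen = attempted_ids(logs, job_id)
    return sorted(a["principalId"] for a in assignments
                  if a["principalType"] == principal_type and a["principalId"] not in seen)

def status_counts(logs, job_id):
    """Outcome histogram for the job; an empty dict means the job attempted nothing."""
    return dict(Counter(e["provisioningStatusInfo"]["status"]
                        for e in logs if e.get("jobId") == job_id))

def ticket_summary(assignments, logs, job_id, app_id):
    """The facts the answer asks for, gathered into one structure for a support ticket."""
    return {"appId": app_id, "jobId": job_id,
            "assignedUsers": [a["principalId"] for a in assignments if a["principalType"] == "User"],
            "assignedGroups": [a["principalId"] for a in assignments if a["principalType"] == "Group"],
            "usersNeverAttempted": never_attempted(assignments, logs, job_id),
            "statusCounts": status_counts(logs, job_id)}
```

Feed it the real `appRoleAssignedTo` and `auditLogs/provisioning` responses for the tenant and the job ID from the provisioning blade; a non-empty `usersNeverAttempted` with an empty `statusCounts` is exactly the symptom reported above.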