Alex-5595 asked:

AZURE AD SCIM just for Update and Delete?

Hello,

I have an Enterprise Application with the SCIM provisioning option. The web app itself provides some auto-provisioning.
The use case requester would like to keep it that way: the SCIM Enterprise App should just Update and Delete, but not Create.
I disabled SCIM Create in the app, but I just get the following message in the provisioning log, which is not marked as an error.

Determine if urn:ietf:params:scim:schemas:extension:enterprise:2.0:User is in scope
EntrySynchronizationSkip
Result
Skipped
Description
User 'usernamexxxx@domain.com' will be skipped. Skip Reason: The Add operation was not performed because the Add operations are disabled in the provisioning configuration.
SkipReason
TargetObjectActionDisabled
ReportableIdentifier
usernamexxxx@domain.com

Not sure if there is some matching problem or if SCIM does not work like that?

Tags: azure-ad-user-management, azure-ad-user-provisioning

1 Answer

sikumars answered:

Hello @Alex-5595,

Thanks for reaching out.

This doesn't sound right, as for consistency SCIM should be used to provision and manage the account throughout its life cycle (Create, Update and Delete).

At the initial provisioning, we match userPrincipalName (a unique identifier for the user from AAD) to Username (SaaS App). We then establish a link based on the ID value – specifically, it’s linking the primary key from the source directory of AAD (aka the sourceAnchor) with the primary key from the target directory of SaaS App (aka the targetAnchor). Once that link is established, it will persist across any attribute changes except to the primary keys themselves.

If we don't do provisioning via SCIM, I don't think this link will be established, but you could try to update the user object with a value for the matching attribute and see if that works; also make sure the user object is part of the sync scope.

Try using on-demand provisioning, which helps you troubleshoot configuration issues quickly.

To learn more, read: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

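To make the matching step in the answer concrete, here is an added example (written for this thread, not Microsoft's or the app's code) that simulates the provisioning matching against constructed source and target user lists. It assumes the app matches on the SCIM userName attribute (not caseExact, per RFC 7643) and shows why, with Create disabled, only users already present in the app are linked and updated while everyone else is logged with SkipReason TargetObjectActionDisabled.

```python
# Added illustration of Azure AD SCIM matching: source users are matched to
# target users on userPrincipalName -> userName, then linked by the target's
# SCIM id (the targetAnchor). Data below is constructed for the example.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Outcome:
    user: str                       # ReportableIdentifier in the provisioning log
    action: str                     # "Create", "Update" or "Skipped"
    target_id: Optional[str] = None  # targetAnchor once the link is established
    skip_reason: Optional[str] = None

def scim_filter(upn: str) -> str:
    # The lookup the provisioning service performs before deciding Create vs Update.
    return f'userName eq "{upn}"'

def provision(source_users, target_users, create_enabled: bool):
    """source_users: list of {'userPrincipalName', 'displayName'} from AAD.
    target_users: dict SCIM id -> {'userName', 'displayName'} in the SaaS app
    (mutated in place). Returns one Outcome per source user."""
    # SCIM userName is not caseExact, so compare case-insensitively.
    by_username = {u["userName"].lower(): tid for tid, u in target_users.items()}
    results = []
    for src in source_users:
        upn = src["userPrincipalName"]
        tid = by_username.get(upn.lower())
        if tid is not None:
            # Match found: link sourceAnchor <-> targetAnchor and push attributes.
            target_users[tid]["displayName"] = src["displayName"]
            results.append(Outcome(upn, "Update", target_id=tid))
        elif create_enabled:
            new_id = f"new-{len(target_users) + 1}"   # constructed id
            target_users[new_id] = {"userName": upn, "displayName": src["displayName"]}
            results.append(Outcome(upn, "Create", target_id=new_id))
        else:
            # No match and Add disabled: this is the EntrySynchronizationSkip
            # entry from the question, not an error.
            results.append(Outcome(upn, "Skipped", skip_reason="TargetObjectActionDisabled"))
    return results

if __name__ == "__main__":
    src = [{"userPrincipalName": "alice@example.com", "displayName": "Alice"},
           {"userPrincipalName": "bob@example.com", "displayName": "Bob"}]
    app = {"1001": {"userName": "Alice@example.com", "displayName": "old name"}}
    for o in provision(src, app, create_enabled=False):
        print(scim_filter(o.user), "->", o)
```

A user the app created itself is only updated if its userName exactly matches the AAD userPrincipalName; otherwise the log shows the skip from the question.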

@skiumars-msft: thank you for your response, I will have a look at this ASAP and report.

As you said it's not working, I have to go for a group assignment, I guess.