Blair-8670 asked Blair-8670 commented

Adding members to a group triggers both add and replace SCIM operations

I have user and group provisioning set up for an enterprise application in Azure AD. I have a SCIM endpoint set up in my application to consume the SCIM requests from Azure AD. I added this feature flag to my tenant URL to ensure SCIM compliance: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior

I have a group assigned to the enterprise application for provisioning to my application. When I add users to that group in Azure AD, I'm seeing two PATCH requests to the Groups/:id SCIM endpoint. The first is an add operation, which I expect because I'm adding this user as a member of the group:

 {
     "schemas": [
         "urn:ietf:params:scim:api:messages:2.0:PatchOp"
     ],
     "Operations": [
         {
             "op": "add",
             "path": "members",
             "value": [
                 {
                     "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
                 }
             ]
         }
     ]
 }

The second PATCH request is a replace operation, which is unexpected as I'm not replacing all users in a group with the one member being added:

 {
     "schemas": [
         "urn:ietf:params:scim:api:messages:2.0:PatchOp"
     ],
     "Operations": [
         {
             "op": "replace",
             "path": "members",
             "value": [
                 {
                     "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
                 }
             ]
         }
     ]
 }

The SCIM protocol RFC outlines the difference between the add and replace operations in PATCH requests. If users are added as members of a group, there should only be an add operation, not a replace operation. Is there any way to configure Azure so it only sends add operations in this situation? Thanks!


azure-ad-user-provisioning · azure-ad-group-management
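The difference the RFC draws between the two operations, as an added example that is not code from the question or from Azure AD (the pre-existing member ids and the removal filter are constructed): a minimal handler applying RFC 7644 PatchOp semantics to a group's `members` attribute shows that processing the captured add and then the captured replace leaves only the newly added user in the group, which is why the second request matters.

```python
# Added example (not from the question or from Azure AD): applies the SCIM 2.0
# PatchOp semantics of RFC 7644 section 3.5.2 to a group's "members" attribute,
# to show what the two captured requests do to a group that already has members.
import re
from typing import Dict, List

# Constructed group state: two pre-existing members, then the user id from the post.
EXISTING_MEMBERS = ["directory_user_AAA", "directory_user_BBB"]
NEW_USER = "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

ADD_PATCH = {"schemas": [PATCH_OP_SCHEMA],
             "Operations": [{"op": "add", "path": "members", "value": [{"value": NEW_USER}]}]}
REPLACE_PATCH = {"schemas": [PATCH_OP_SCHEMA],
                 "Operations": [{"op": "replace", "path": "members", "value": [{"value": NEW_USER}]}]}

# Value filter used by "remove" to target a single member, e.g. members[value eq "x"]
FILTER_RE = re.compile(r'^members\[value eq "([^"]+)"\]$')

def apply_patch(members: List[str], patch: Dict) -> List[str]:
    """Return the member list after applying every operation in a SCIM PatchOp."""
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = list(members)
    for op in patch["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")
        if kind == "remove":
            m = FILTER_RE.match(path)
            if m:                      # remove the one member selected by the filter
                result = [u for u in result if u != m.group(1)]
            elif path == "members":    # remove the whole multi-valued attribute
                result = []
            else:
                raise ValueError(f"unsupported remove path: {path}")
            continue
        if path != "members":
            raise ValueError(f"unsupported path: {path}")
        values = [v["value"] for v in op["value"]]
        if kind == "add":              # append; re-adding an existing member is a no-op
            result.extend(u for u in values if u not in result)
        elif kind == "replace":        # replace ALL current members with the supplied list
            result = values
        else:
            raise ValueError(f"unsupported op: {kind}")
    return result

def simulate_azure_sequence() -> List[str]:
    """Apply the two captured PATCH requests in the order the post reports them."""
    after_add = apply_patch(EXISTING_MEMBERS, ADD_PATCH)   # three members
    return apply_patch(after_add, REPLACE_PATCH)           # only NEW_USER is left

if __name__ == "__main__":
    print(simulate_azure_sequence())
```

An endpoint that logs a `replace` on `members` whose value list is shorter than the current membership has a cheap way to spot this sequence before it silently drops members.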

Hi, we are investigating your issue and will update you shortly.

Best,
James


Hi @Blair-8670 , has this always happened where you've seen 2 patch operations after adding a user to a group, or is it only a recent issue? Does it happen to all users or just certain ones?

Best,
James

Blair-8670 answered ZollnerD commented

Hi @JamesHamil-MSFT!

It seems to be a recent issue, but I haven't been using SCIM provisioning for very long. We do see two PATCH operations when adding a user to a group most of the time. It can be inconsistent, though.

It doesn't matter if the two PATCH operations are both add operations, but the issue comes when the second PATCH operation is a replace.

In this case, adding a user to a group in Azure AD, we would only expect an add operation and not a replace.

Thanks!
Blair


Hi @Blair-8670, could you open a support case so that someone can look into it with you in more detail than is possible via Q&A?

JamesHamil-MSFT answered Blair-8670 commented

Hi @Blair-8670 , I agree with @ZollnerD . I can set you up with a free support ticket! Please email "azcommunity@microsoft.com" with subject "ATTN: James Hamil" with your subscription ID and I can help you out! Please mark this answer as "Verified" so other users may reference it, and I will post back here when we find a solution.

Best,
James


@JamesHamil-MSFT I'm trialing on a free account - can I still talk to a support representative? We're still seeing this behavior and it's causing a lot of problems.
