GuidoSpanjersInfoland-1826 asked ·

Rate limiting with SCIM and Azure Active Directory

Heya,

We have already posted about this issue before so here is a recap:

We have registered our own SCIM service implementation as an Enterprise Application in Azure AD and configured provisioning to sync the users (and groups). We have implemented rate-limiting on our service, and return a 429 response (with a Retry-After header) to let the caller know he should wait a short time before a new request will be accepted.
When initiating a new sync we see many export errors are logged because of the 429 responses. It seems that the provisioning process does not recognise the 429 response and just continues running export requests, which will all fail. The failures are retried after 40 minutes but a lot of them will run into the rate-limit again.
Does the Azure provisioning process support rate-limit responses from the SCIM service? How should our service respond (what headers, body) to make the provisioning process wait (a specified time) after a 429 response before continuing?

A response we got was as follows:
For Bring On Your Application (BOYA) SCIM, there is currently no way to control the rate that Azure AD sends web requests and as such the application will need to handle requests coming from Azure AD without generating 429 responses.


So my next question would be, is the Azure team planning on implementing any support for rate limiting? The sheer amount of requests during an initial sync requires a moderation in the amount of requests or it will quickly become more than our servers can handle, especially when you scale this up to dozens/hundreds of customers, each with thousands of users/groups.

Currently it is resulting in a quarantine by Azure, and it is something our customers are running into occasionally. I would think that when dealing with a large amount of requests, this would be a very welcome feature.

Kind regards,
Guido

azure-active-directory

1 Answer

FrankHuMSFT-3200 answered ·

Hey @GuidoSpanjersInfoland-1826

For public updates on information regarding Azure AD and SCIM, please take a look at the identity blogs and the Azure updates page:
https://azure.microsoft.com/en-us/updates/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity

And for your product feedback, please submit it against the feedback forums here, and if there's enough community support the product team will look into implementing it accordingly.

Unfortunately there are no public mentions of this information, so publicly there are no mentions of this service to be implemented.
