
I implemented a SCIM API and integrated it with Azure.

When I delete a user in Azure AD, it does not send DELETE requests. I tried deleting from the application as well as from the directory.

GET /Users/[userID], GET with a query, and POST /Users are working fine. I am also getting PATCH requests, but since I have not implemented PATCH, it returns 404.

  1. Why is it not sending DELETE requests? As per the Azure AD SCIM documentation, it should send DELETE requests.

  2. How does Azure AD track the "id" attribute of a User sent by the SCIM service: is it from the "id" attribute of the SCIM response, or from the URI in the meta/location attribute? The reason for this question is that when I delete a user in Azure AD, how is it going to know the id of the user?

Dhanuka777
  • Hey Dhanuka, I am working with Azure AD + SCIM integration. I am receiving POST requests for new users, but I don't get PATCH requests for any updates. Can you guide me on the same? – Umang Mehta Dec 04 '17 at 05:00

2 Answers

To answer the first question, the Azure AD provisioning service sends the DELETE request only after a user has been hard-deleted from Azure AD.

Here’s more information on how deletion works in Azure AD:

https://david-obrien.net/2014/12/recover-deleted-users-azure-active-directory/

http://www.exchangeitpro.com/2016/10/20/permanently-delete-user-from-office-365-all-you-need-to-know/

If a user is deleted from the portal, they go into a soft-deleted state. They stay in that state for 30 days, after which they are hard-deleted.

The Azure AD provisioning service will send a request to the app to disable the account when a user is soft-deleted in Azure AD.

Upon final hard-deletion, Azure AD sends the request to the app to DELETE the user.

Aaron S

I would like to add a few points to Aaron's answer:

Azure AD either deletes the user or disables it based on the following:

 - If a user that was previously in scope for provisioning is removed from scope, including being unassigned, the service disables the user in the target system via an update.

 - If a user that was previously in scope for provisioning is disabled or soft-deleted in the source system, the service disables the user in the target system via an update.

 - If a user that was previously in scope for provisioning is hard-deleted in the source system, the service deletes the user in the target system. In Azure AD, users are hard-deleted 30 days after they're soft-deleted.
  • Azure AD sends a PATCH call to update the status of the user (active or disabled). Based on the body of the PATCH call, the developer should enable or disable the user in their application.

  • Azure AD does a GET request to fetch all the information about the user. It keeps a mapping between the user in the application and the user in Azure AD. So, because of the GET call, the id will be available to Azure AD.

Deepak Patankar
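As an added example (not the asker's code, not either answerer's, and not Microsoft's), here is a minimal in-memory SCIM /Users handler in Python that implements the flow both answers describe: the userName filter lookup and POST whose response "id" the provisioning service stores, the PATCH that sets active to False on soft-delete or unassignment, and the DELETE that only arrives after the hard-delete. The host name, the user and the request sequence in simulate_azure_ad_lifecycle() are constructed for the example. The case-insensitive handling of the op name and the acceptance of "True"/"False" as strings reflect the PATCH bodies shown in the Azure AD SCIM documentation (op "Replace", value "False"), which RFC 7644 itself does not require of a client.

```python
import re
import uuid
from typing import Any, Dict, Optional, Tuple

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def _to_bool(value: Any) -> bool:
    """Azure AD's documented PATCH bodies carry "True"/"False" as strings;
    accept those and real JSON booleans, reject anything else."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError("active must be a boolean")


def _error(status: int, detail: str) -> Tuple[int, dict]:
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUsers:
    """Hypothetical in-memory /Users endpoint. Users are keyed by the server-assigned
    "id" returned on POST/GET; that id is what later PATCH and DELETE paths carry."""

    def __init__(self, base_url: str = "https://scim.example.test/scim"):  # assumed host
        self.base_url = base_url
        self.users: Dict[str, Dict[str, Any]] = {}

    def _resource(self, user: Dict[str, Any]) -> Dict[str, Any]:
        out = dict(user)
        out["schemas"] = [USER_SCHEMA]
        out["meta"] = {"resourceType": "User", "location": f"{self.base_url}/Users/{user['id']}"}
        return out

    def handle(self, method: str, path: str, query: Optional[str] = None,
               body: Optional[dict] = None) -> Tuple[int, Optional[dict]]:
        """Dispatch one request; returns (HTTP status, JSON body or None)."""
        body = body or {}
        m = re.fullmatch(r"/Users(?:/([^/]+))?", path)
        if not m:
            return _error(404, "unknown resource")
        user_id, method = m.group(1), method.upper()
        try:
            if method == "POST" and user_id is None:
                name = body.get("userName")
                if not name:
                    return _error(400, "userName is required")
                if any(u["userName"].lower() == name.lower() for u in self.users.values()):
                    return _error(409, "userName already exists")
                user = {"id": uuid.uuid4().hex, "userName": name,
                        "active": _to_bool(body.get("active", True))}
                self.users[user["id"]] = user
                return 201, self._resource(user)
            if method == "GET" and user_id is None:
                # Existence check: ?filter=userName eq "<upn>"; the service reads "id" from the match.
                filt = re.fullmatch(r'\s*userName\s+eq\s+"([^"]*)"\s*', query or "", re.I)
                if query and not filt:
                    return _error(400, "unsupported filter")
                found = [self._resource(u) for u in self.users.values()
                         if not filt or u["userName"].lower() == filt.group(1).lower()]
                return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(found),
                             "startIndex": 1, "itemsPerPage": len(found), "Resources": found}
            user = self.users.get(user_id or "")
            if user is None:           # unknown id: a 404, never a 500
                return _error(404, f"user {user_id} not found")
            if method == "GET":
                return 200, self._resource(user)
            if method == "DELETE":     # only sent after the 30-day hard delete
                del self.users[user_id]
                return 204, None
            if method == "PATCH":      # sent on soft delete / unassignment (active -> False)
                if PATCH_OP_SCHEMA not in body.get("schemas", []):
                    return _error(400, "expected PatchOp schema")
                for op in body.get("Operations", []):
                    kind = str(op.get("op", "")).lower()   # "Replace" and "replace" both occur
                    if kind not in ("add", "replace", "remove"):
                        return _error(400, f"unsupported op {op.get('op')!r}")
                    # Two shapes: {"path": "active", "value": "False"} or {"value": {"active": false}}
                    changes = {op["path"]: op.get("value")} if "path" in op else (op.get("value") or {})
                    for attr, val in changes.items():
                        if attr in ("id", "userName", "schemas", "meta") or (kind == "remove" and attr == "active"):
                            return _error(400, f"cannot {kind} {attr}")
                        if kind == "remove":
                            user.pop(attr, None)
                        elif attr == "active":
                            user["active"] = _to_bool(val)
                        else:
                            user[attr] = val
                return 200, self._resource(user)
            return _error(405, f"{method} not supported")
        except ValueError as exc:
            return _error(400, str(exc))


def simulate_azure_ad_lifecycle() -> Dict[str, Any]:
    """Replay the request sequence the answers describe, with a constructed user."""
    svc, upn, statuses = ScimUsers(), "bjensen@contoso.example", []
    st, lst = svc.handle("GET", "/Users", query=f'userName eq "{upn}"')   # lookup: no match yet
    statuses.append(st)
    st, created = svc.handle("POST", "/Users", body={"schemas": [USER_SCHEMA], "userName": upn, "active": True})
    statuses.append(st)                                                    # 201; service stores created["id"]
    uid = created["id"]
    st, _ = svc.handle("PATCH", f"/Users/{uid}", body={"schemas": [PATCH_OP_SCHEMA],
                       "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})  # soft delete
    statuses.append(st)
    st, after_patch = svc.handle("GET", f"/Users/{uid}")
    statuses.append(st)
    st, _ = svc.handle("DELETE", f"/Users/{uid}")      # hard delete, 30 days later
    statuses.append(st)
    st, _ = svc.handle("DELETE", f"/Users/{uid}")      # a retried DELETE must be a clean 404
    statuses.append(st)
    return {"statuses": statuses, "initial_matches": lst["totalResults"], "id": uid,
            "location": created["meta"]["location"], "active_after_patch": after_patch["active"]}
```

Two points from the thread are visible in the simulation: the id Azure AD later puts in the PATCH and DELETE paths is the one the application itself minted and returned on POST (the meta.location URL only repeats it), and a 404 on PATCH /Users/{id}, which is what the asker's service currently returns, is indistinguishable to the caller from "this user does not exist", so handling the active attribute is what makes the soft-delete step succeed.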