Using Azure AD Premium, Enterprise App & SCIM 2.0 Provisioning Scope - Only assigned Users & Groups

I'm trying to work through the use case below:

SCIM provisioning of users that are assigned to a given AD Group

  • When a user is added (provisioned) to the group, it correctly fires a PATCH /Groups/{Id} to add the member to the group
  • When a user is removed (deprovisioned) from the group, it does not correctly fire a PATCH /Groups/{Id} to remove the member from the group

What am I doing wrong?

In addition, I wonder which call Azure Active Directory executes to find out who is currently a member of a given group. (I've noticed that every call AAD makes to my SCIM/group service implementation has excludedAttributes=members as a query parameter.)

Any suggestions appreciated.

hannes neukermans

From what I saw, Azure SCIM sends this request to the groups endpoint:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Remove",
            "path": "members",
            "value": [
                {
                    "value": "49a5f81e-9f63-4f5e-b3e8-41db044c1af9"
                }
            ]
        }
    ]
}

I use ngrok during development to see and analyse requests from the Azure SCIM integration.

neverEugene
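The following is an added example, not code from the question or the answer above: a minimal in-memory SCIM 2.0 group handler that applies the PatchOp message shown in the answer (Azure's capitalised `"Remove"` op with `path: "members"` and a list of `{"value": id}` entries) and also the generalised forms RFC 7644 allows, namely a lowercase op, the filter path `members[value eq "<id>"]`, and `remove` with no value to clear the whole list. The group ids, member ids and the second member are constructed sample data; the filter-path handling is an assumption about what other clients may send, not something the answer states Azure sends. The `render_group` helper shows one way to honour the `excludedAttributes=members` query parameter the question mentions.

```python
import re
from copy import deepcopy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed sample store: one group with two members. All ids are made up
# (the first member id is the one quoted in the answer above).
GROUPS = {
    "2c9f0f3e-0000-4000-8000-000000000001": {
        "id": "2c9f0f3e-0000-4000-8000-000000000001",
        "displayName": "scim-demo",
        "members": [
            {"value": "49a5f81e-9f63-4f5e-b3e8-41db044c1af9"},
            {"value": "7d0e2b11-0000-4000-8000-000000000002"},
        ],
    }
}

# RFC 7644 value-filter path, e.g. members[value eq "49a5..."]; assumed alternative form.
_MEMBER_FILTER = re.compile(r'^members\[\s*value\s+eq\s+"([^"]+)"\s*\]$', re.IGNORECASE)


def fresh_store():
    """Return an independent copy of the sample store so callers can mutate it."""
    return deepcopy(GROUPS)


def _error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def _ids_from_value(value):
    """Normalise an operation's 'value' (list of dicts, one dict, bare string, or None) to ids."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        return [value["value"]]
    return [m["value"] if isinstance(m, dict) else m for m in value]


def apply_patch(groups, group_id, body):
    """Apply a PatchOp body to groups[group_id]; returns (http_status, response_json)."""
    group = groups.get(group_id)
    if group is None:
        return _error(404, f"Group {group_id} not found")
    if PATCH_SCHEMA not in body.get("schemas", []):
        return _error(400, "missing PatchOp schema")
    new_group = deepcopy(group)  # apply all operations or none
    for operation in body.get("Operations", []):
        op = str(operation.get("op", "")).lower()  # Azure sends "Add"/"Remove"; RFC uses lowercase
        path = operation.get("path") or ""
        filt = _MEMBER_FILTER.match(path)
        if filt:
            targets = [filt.group(1)]
        elif path.lower() == "members":
            targets = _ids_from_value(operation.get("value"))
        else:
            return _error(400, f"unsupported path {path!r}")
        current = [m["value"] for m in new_group["members"]]
        if op == "add":
            for mid in targets:
                if mid not in current:  # re-adding an existing member is a no-op
                    new_group["members"].append({"value": mid})
                    current.append(mid)
        elif op == "remove":
            if not targets:  # remove on "members" with no value clears the list (RFC 7644 3.5.2.2)
                new_group["members"] = []
            else:
                new_group["members"] = [m for m in new_group["members"] if m["value"] not in targets]
        elif op == "replace":
            new_group["members"] = [{"value": mid} for mid in targets]
        else:
            return _error(400, f"unsupported op {op!r}")
    groups[group_id] = new_group
    return 200, render_group(new_group)


def render_group(group, excluded_attributes=None):
    """Render a group resource; an excludedAttributes value containing 'members' omits the list."""
    excluded = {a.strip().lower() for a in (excluded_attributes or "").split(",") if a.strip()}
    resource = {"schemas": [GROUP_SCHEMA], "id": group["id"], "displayName": group["displayName"]}
    if "members" not in excluded:
        resource["members"] = deepcopy(group["members"])
    return resource


if __name__ == "__main__":
    store = fresh_store()
    gid = "2c9f0f3e-0000-4000-8000-000000000001"
    status, resp = apply_patch(store, gid, {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Remove", "path": "members",
                        "value": [{"value": "49a5f81e-9f63-4f5e-b3e8-41db044c1af9"}]}],
    })
    print(status, resp)
```

When wiring this into a real endpoint, compare the `op` case-insensitively as above and accept both the `value`-list and filter-path forms, since a handler that only matches the exact shape captured with ngrok will silently ignore the other.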