Azure AD Provisioning Group sync does not send objectId as GET/objectId or PATCH/objectId in request

  • Question

  • Hello everyone,

    I am using Azure AD to provision Users/Groups with my SCIM enabled application using non-gallery app. I am able to configure application properly and receiving required requests which Azure AD sends for Users and Groups.

    But the problem is with Group requests. For Group requests, Azure AD always sends GET/<displayName> (same case for PATCH). However, I need GET/PATCH/DELETE requests with <objectId> instead of <displayName>. Consider the example below:

    For example, if I am having following group info in my Azure AD account:

    Group name : Group1
    Object Id : abc-123-def-456

    Current GET request for groups is : GET/Group1
    Required request : GET/abc-123-def-456
    (same case for PATCH/DELETE)

    I am new to Azure AD so might be missing something. Can anyone suggest what configuration changes are required to achieve the above scenario?

    Thanks & Regards

    Mohit Shah



    • Edited by Mohit211 Tuesday, September 10, 2019 1:43 PM
    Tuesday, September 10, 2019 12:42 PM

All replies

  • Hello Mohit211, 

    I don't understand your scenario. What are you trying to do? Are you utilizing the AAD Graph API in a custom graph call request in a custom application? What are you specifically doing? 

    Per the official Microsoft Graph Docs you can see that it takes an object id: https://docs.microsoft.com/en-us/graph/api/group-update?view=graph-rest-1.0&tabs=http

    Are you utilizing the AAD Graph API? Note that the AAD Graph API and the MSFT Graph API are different. 

    Wednesday, September 11, 2019 10:00 PM
    Moderator
  • Hello Frank

    Thanks for your reply. I am not using any Graph API. I have configured a non-gallery application on Azure; inside that application's Provisioning section, the endpoint for my SCIM-based application (which is hosted on my side) is configured along with the secret key. By doing this, I am trying to achieve Users/Groups Provisioning/De-provisioning with my SCIM-based application.

    Azure connects to my application and also sends all the required requests for Users and Groups. But for the Groups case, it's not sending ObjectId as its id parameter (inside GET/PATCH/DELETE).

    Thanks & Regards

    Thursday, September 12, 2019 6:59 AM
  • Hey Mohit211, 

    I see, have you taken a look at the docs in regards to this issue? The limitations and requirements can be found here:

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups

    Per the image below, it shows how the flow from Azure to service to provider should be. 

    [Image: shows the user provisioning and de-provisioning sequence]

    Tuesday, September 17, 2019 12:45 AM
    Moderator
  • Please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Thanks

    Wednesday, September 18, 2019 8:40 PM
    Moderator
  • Hi Frank

    Yes, I followed the above tutorial. In that tutorial, for Group provisioning, the diagram shows that the Group PATCH request is based on objectId (not using the group display name). But when I enabled Group provisioning, I observed that Azure is sending the group display name in the PATCH request (which should be objectId), because objectId is unique for each group and it can be considered as the unique attribute in the application for add/update/delete operations.

    So I want to understand, is any mapping configuration in the Azure SCIM application required to achieve Group GET/PATCH/DELETE via objectId?

    Thanks & Regards
    Mohit Shah

    Thursday, October 10, 2019 1:43 PM
  • Hey Mohit,

    I see, so if you're still having an issue here, please email AzCommunity[at]microsoft[dot]com and I can enable a one time free support ticket. Unfortunately, we need much more information to determine what's going on here. 

    We'd need their job ID (aka runProfileIdentifier) and an example of an object they've observed with this behavior in the web traffic + a timestamp.
    The likeliest cause for this is misconfiguration of mappings, but we can't confirm that until we have enough information about the environment to see the config.

    Please provide your Azure Subscription GUID and a reference to this thread. And hopefully we can get you on the right path again soon. 


    Please see https://blogs.msdn.microsoft.com/mschray/2016/03/18/getting-your-azure-subscription-guid-new-portal/ on how to get a subscription GUID.


    Tuesday, October 15, 2019 9:13 PM
    Moderator
  • Hey Mohit, in addition to the last reply, can you check that the object id matching precedence is set to 1?

    The matching precedence is what is used to determine which attribute should be used.


    Wednesday, October 16, 2019 5:18 PM
    Moderator
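As an added illustration (not code from any poster in this thread, nor Microsoft's), here is a minimal SCIM /Groups handler showing how a SCIM service resolves the matching-attribute filter that a provisioning client sends, and why the id in later PATCH/DELETE paths is the id the service itself returned rather than the display name. The in-memory store, the ids and the assumption that Azure AD's objectId is carried in the SCIM `externalId` attribute are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample store. Per SCIM (RFC 7643/7644) the service provider assigns
# 'id'; the thread's objectId "abc-123-def-456" is assumed to be mapped to externalId.
GROUPS = {
    "g-0001": {"id": "g-0001", "displayName": "Group1",
               "externalId": "abc-123-def-456", "members": []},
}

# Only the equality filters a provisioning client uses for matching are accepted.
FILTER_RE = re.compile(r'^(displayName|externalId)\s+eq\s+"([^"]*)"$')
MEMBER_PATH_RE = re.compile(r'^members\[value eq "([^"]+)"\]$')


def list_groups(filter_expr):
    """GET /Groups?filter=<attr> eq "<value>" -> (status, SCIM ListResponse).
    The client locates the group by its matching attribute and must use the
    returned 'id' (not the displayName) for subsequent PATCH/DELETE calls."""
    m = FILTER_RE.match(unquote(filter_expr).strip())
    if not m:
        return 400, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                     "status": "400", "scimType": "invalidFilter"}
    attr, value = m.groups()
    hits = [g for g in GROUPS.values() if g.get(attr) == value]
    return 200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                 "totalResults": len(hits), "Resources": hits}


def patch_group(path_id, patch_body):
    """PATCH /Groups/{id} -> (status, resource). A displayName in the path is
    not an id the service issued, so it yields 404 rather than a silent match."""
    g = GROUPS.get(path_id)
    if g is None:
        return 404, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                     "status": "404", "detail": f"no group with id {path_id}"}
    for op in patch_body.get("Operations", []):
        kind, path = op["op"].lower(), op.get("path", "")
        if kind == "add" and path == "members":
            g["members"].extend(op["value"])
        elif kind == "replace" and path == "displayName":
            g["displayName"] = op["value"]
        elif kind == "remove":
            mm = MEMBER_PATH_RE.match(path)
            if mm:
                g["members"] = [x for x in g["members"] if x["value"] != mm.group(1)]
    return 200, g
```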