Azure AD SCIM 2.0 roles and appRoleAssignments empty

Question

In Azure AD I setup SCIM which is working great. However for some reason roles as well as appRoleAssignments are never sent in the body of a SCIM POST or PATCH request.

As an example, here's the SCIM body for a POST request:

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "userName":"testBlaBla@example.com",
    "active":true,
    "displayName":"Test Bla bla",
    "meta": {
        "resourceType":"User"
    },
    "roles":[]
}

This test user has been assigned with Directory Roles and Application Roles. An attribute (with default value "n/a") for the appRoleAssignments was added and mapped. And API permissions for read/write Application Role Assignments was added.

Screenshot of SCIM Attribute mappings with target application

Screenshot of custom added appRoleAssignments attribute

How can I get SCIM in Azure AD to also sent Roles and Application Roles information to the target application?

Answer 1

1. Ensure that you are using a mapping of type expression rather than direct and user the appRoleassignment function.

   https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app

2. Select the target attribute that comes out of the box or if you extend the schema follow the format described here, e.g.:

   urn:ietf:params:scim:schemas:extension:2.0:CustomExtensionName:appRoles
   

   or

   urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User.appRoles:value
   

   https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#provisioning-a-custom-extension-attribute-to-a-scim-compliant-application