
We created an application with SCIM support over two years ago now and it always worked fine. However, recently we have been getting reports from customers that users were no longer deleted/disabled from the target enterprise application.

I already saw there was another question like this one a few years back but that seems resolved and this seems like another issue.

We did a little research on our own and noticed that Azure is not sending any requests at all when we remove a user from the assigned user list. We checked the incoming logs from our application and IIS logging, and neither shows any requests being sent our way. (We do get logs from POST/GET/PUT of other provisioning-related tasks, like creating a user.)

In the Azure audit logs we do see the following:

  • Remove app role assignment from user
  • Add a deletion-marked app role assignment grant to user as part of link removal

This suggests to me that Azure is doing something; it's just not sending it to the targeted application.

Current situation: We have user A that was created in Azure AD and is assigned to our application. Provisioning configuration was done by means of SCIM in Azure. The user is also created in our application, so the connection seems fine.

When I remove the user from the assigned user list in our enterprise application, I expected that to count as a soft delete, causing Azure to send a PATCH or a PUT to set the active property of the user to false. In case I deleted them entirely from AD, I expected them to be removed with a DELETE. I read that it takes up to 30 days, which is no problem, but the problem is that users who are no longer assigned are still active in the target application, which is no good.

I have some basic properties mapped on the user, and the one thing that might be involved with this issue would be the Not([IsSoftDeleted]) mapping, which is mapped to our active property. I don't see how that is wrong, but that's all I can think of at this point.

Does anyone have any idea what is going on here? Thanks!

  • Please check if this helps : https://learn.microsoft.com/en-us/answers/questions/6670/azure-ad-scim-not-sending-delete-requests.html – Nishant Jul 02 '20 at 14:23
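The question describes the two deprovisioning requests a SCIM endpoint expects from Azure AD: a PATCH (or PUT) that flips `active` to false when a user is unassigned, and a DELETE when the user is removed from the directory entirely. The following is an added example, not code from the asker's application, of a minimal in-memory SCIM user store that handles exactly those two requests and exposes a check for users that are still active. The user id, userName and externalId are constructed sample data; the PatchOp message shape (schemas plus an Operations list with op/path/value) follows the SCIM 2.0 PatchOp format. Accepting the `active` value as either a boolean or a string is a defensive choice made here, not something the post states about Azure.

```python
"""Minimal SCIM 2.0 user store showing the soft-delete (PATCH active=false)
and hard-delete (DELETE /Users/{id}) paths. Example code, not from the post."""
from __future__ import annotations

import copy

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample data: one user that provisioning created via POST /Users.
SAMPLE_USER_ID = "2819c223-7f76-453a-919d-413861904646"  # hypothetical id
SAMPLE_STORE = {
    SAMPLE_USER_ID: {
        "schemas": [USER_SCHEMA],
        "id": SAMPLE_USER_ID,
        "userName": "user.a@example.com",   # constructed
        "externalId": "a1b2c3",             # constructed
        "active": True,
    }
}


def fresh_store() -> dict:
    """Return an independent copy of the sample store for each run."""
    return copy.deepcopy(SAMPLE_STORE)


def _to_bool(value) -> bool:
    """Coerce the 'active' value. Accept a JSON boolean or the strings
    'true'/'false' (assumption: a string may arrive); reject anything else
    rather than silently leaving the user active."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unsupported value for active: {value!r}")


def apply_patch(store: dict, user_id: str, body: dict) -> tuple[int, dict]:
    """Handle PATCH /Users/{id}. Returns (http_status, response_body).
    An unassignment arrives as a Replace of 'active' with false."""
    if body.get("schemas") != [PATCH_OP_SCHEMA]:
        return 400, {"detail": "body is not a SCIM PatchOp message"}
    user = store.get(user_id)
    if user is None:
        return 404, {"detail": f"user {user_id} not found"}
    updated = copy.deepcopy(user)
    for op in body.get("Operations", []):
        name = str(op.get("op", "")).lower()
        path, value = op.get("path"), op.get("value")
        if name not in ("replace", "add"):
            return 400, {"detail": f"unsupported op {name!r}"}
        if path is None:
            # No path: value is a dict of attributes to apply.
            if not isinstance(value, dict):
                return 400, {"detail": "value must be an object when path is omitted"}
            for attr, val in value.items():
                updated[attr] = _to_bool(val) if attr == "active" else val
        elif path == "active":
            updated["active"] = _to_bool(value)
        else:
            updated[path] = value
    store[user_id] = updated
    return 200, updated


def put_user(store: dict, user_id: str, body: dict) -> tuple[int, dict]:
    """Handle PUT /Users/{id}: replace the whole resource (the other way a
    soft delete can arrive, with 'active': false in the full representation)."""
    if user_id not in store:
        return 404, {"detail": f"user {user_id} not found"}
    replaced = copy.deepcopy(body)
    replaced["id"] = user_id
    replaced["active"] = _to_bool(replaced.get("active", True))
    store[user_id] = replaced
    return 200, replaced


def delete_user(store: dict, user_id: str) -> int:
    """Handle DELETE /Users/{id} (hard delete). Returns the HTTP status."""
    return 204 if store.pop(user_id, None) is not None else 404


def still_active(store: dict) -> list[str]:
    """Ids of users still active. A user unassigned in Azure who remains in
    this list after a sync cycle means no PATCH/PUT/DELETE ever arrived."""
    return sorted(uid for uid, u in store.items() if u.get("active"))


if __name__ == "__main__":
    s = fresh_store()
    # Constructed PatchOp: what the post expects on unassignment.
    soft_delete = {"schemas": [PATCH_OP_SCHEMA],
                   "Operations": [{"op": "Replace", "path": "active", "value": False}]}
    print(apply_patch(s, SAMPLE_USER_ID, soft_delete)[0], still_active(s))
    print(delete_user(s, SAMPLE_USER_ID), still_active(s))
```

In a real endpoint the same logic sits behind the route handlers; logging every PATCH, PUT and DELETE with the incoming Operations is what lets you tell, as the asker did, whether the deprovisioning request never reached the application at all rather than being mishandled once it arrived.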

1 Answer


I have had contact with Microsoft regarding this issue and it seems to be a bug on their end which they are currently correcting. It is part of a larger set of bugfixes all regarding similar issues, so they could not give me a specific time when this specific issue would be resolved, but they think around the 10th of July (2020).

In any case, as this was a bug due to changes pushed by MS this is no longer an issue to be solved.

Update:

I have received some replies that a few bugs connected to this issue were fixed, but not all. I'm currently on vacation, so I'm not sure if the main issue is fixed as well. They did promise a fast fix, though.

For now all I can give you is a workaround. The issue happens when the only change taking place is the unassignment of users; it simply won't process this until at least one property of an assigned user is also changed. When anything is changed, it will process all unassignments and disable them all, even if the unassignment was in a different sync cycle. So until the actual fix is pushed, that might be helpful to know.

I will keep this thread updated if I get more information.

PS: The Azure team requested that anyone else who runs into this issue report it through Azure. Their dev team will see if your problem matches up with my issue or if it's something new. So please do that as well.

  • Have you received any update from Microsoft? We also just noticed this problem and it took a while to understand where the issue was. – anssikin Jul 27 '20 at 13:53
  • I would also appreciate an update on this post. I've been trying for a while to fix non-working deprovisioning in my app, but as you just said, it seems to be a bug on their side. – jdps Sep 14 '20 at 12:19