
I'm implementing SCIM group provisioning from Azure AD, but I don't support nested groups. Below is the PATCH call from Azure AD (when a member is added).

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [{
    "op": "add",
    "path": "members",
    "value": [{
      "ref": "https://example.com/v2/Users/45",
      "value": "45"
    }]
  }]
}

I'm unable to identify whether the member is a User-type or a Group-type resource. Kindly help me with how I can restrict this in the code, or is there any way I can restrict it directly from Azure AD so that it does not send Group-type members?
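Whatever the Azure AD side ends up sending, the service provider can enforce the "no nested groups" rule itself. The following is an added example, not code from the question or from Azure AD: it classifies each entry in a members PATCH by the resource path of its reference URL (the question's own payload uses `.../Users/45`, and the matching assumption here is that group references end in `.../Groups/{id}`), honours the optional SCIM `type` sub-attribute when present, accepts both `$ref` (the RFC 7643 spelling) and the bare `ref` shown in the question, and turns rejected group members into an RFC 7644 error body. The sample PATCH body is constructed for the example.

```python
import json
from urllib.parse import urlsplit

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed sample modelled on the PATCH in the question, with a second
# (group) member added so that the rejection path is exercised.
SAMPLE_PATCH = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "add",
    "path": "members",
    "value": [
      {"$ref": "https://example.com/v2/Users/45",  "value": "45"},
      {"$ref": "https://example.com/v2/Groups/7",  "value": "7"}
    ]
  }]
}
""")


def classify_member(member: dict) -> str:
    """Return 'User', 'Group' or 'Unknown' for one members[] entry.

    The SCIM 'type' sub-attribute is used when the client supplies it; otherwise
    the type is inferred from the resource collection in the reference URL
    ('$ref', or the unprefixed 'ref' seen in the question's payload). Assumed
    layout: .../Users/{id} and .../Groups/{id}.
    """
    declared = member.get("type")
    if declared in ("User", "Group"):
        return declared
    ref = member.get("$ref") or member.get("ref") or ""
    segments = [s for s in urlsplit(ref).path.split("/") if s]
    # The collection name is the path segment just before the resource id.
    if len(segments) >= 2:
        if segments[-2] == "Users":
            return "User"
        if segments[-2] == "Groups":
            return "Group"
    return "Unknown"


def validate_members_patch(patch: dict) -> list:
    """Check a PatchOp against a 'no nested groups' policy.

    Returns a list of (operation index, member value, reason) tuples for every
    member that must be rejected; an empty list means the patch is acceptable.
    Only add/replace operations touching 'members' are inspected.
    """
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    rejected = []
    for index, op in enumerate(patch.get("Operations", [])):
        if (op.get("op") or "").lower() not in ("add", "replace"):
            continue
        path = (op.get("path") or "").lower()
        values = op.get("value")
        if path == "members":
            pass
        elif path == "" and isinstance(values, dict) and "members" in values:
            # Path-less form: {"op": "add", "value": {"members": [...]}}
            values = values["members"]
        else:
            continue
        if isinstance(values, dict):
            values = [values]
        for member in values or []:
            kind = classify_member(member)
            if kind == "Group":
                rejected.append((index, member.get("value"), "nested groups are not supported"))
            elif kind == "Unknown":
                rejected.append((index, member.get("value"), "member resource type could not be determined"))
    return rejected


def scim_error_response(rejected: list) -> tuple:
    """Build the (HTTP status, JSON body) pair for a rejected PATCH (RFC 7644 error format)."""
    detail = "; ".join(f"member {value!r}: {reason}" for _, value, reason in rejected)
    body = {
        "schemas": [ERROR_SCHEMA],
        "status": "400",
        "scimType": "invalidValue",
        "detail": detail,
    }
    return 400, body


if __name__ == "__main__":
    problems = validate_members_patch(SAMPLE_PATCH)
    print(scim_error_response(problems) if problems else (200, "accepted"))
```

Failing closed on "Unknown" is deliberate: a member whose type cannot be established should not silently become a group membership, and the 400 with `scimType: invalidValue` tells the provisioning service precisely which entry was refused so it shows up in the Azure AD provisioning logs rather than being lost.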

1 Answer


From the config of the Azure AD Enterprise App, go to Provisioning -> Mappings -> Provision Azure Active Directory Groups -> Show Advanced Options (bottom of screen) -> Edit attribute list for customappsso.

This will bring you to the schema editor UI for AAD's representation of the SCIM app's schema for group objects. On the far right side in the column "Referenced Object Attribute", you'll see there are 2 selected values for the members attribute. Open the dropdown and unselect urn:ietf:params:scim:schemas:core:2.0:Group, then save.

That should work. If it doesn't, please let me know (or for faster turnaround, open a support case from the Azure portal).

Zollnerd
  • Thanks for the solution, but it didn't work! It is still sending a PATCH call for GroupType. Kindly tell me if there is any other way. I'm also gonna open a support case for the same. – Anurag Maheshwari Mar 10 '21 at 19:56
  • Sorry to hear that didn't work. Please open that support case - there may be an issue with this functionality that needs to be fixed. What I suggested should be the solution here. – Zollnerd Mar 11 '21 at 16:20