
I have user and group provisioning set up for an enterprise application in Azure AD. I have a SCIM endpoint set up in my application to consume the SCIM requests from Azure AD. I added this feature flag to my tenant URL to ensure SCIM compliance: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior

I have a group assigned to the enterprise application for provisioning to my application. When I add users to that group in Azure AD, I'm seeing two PATCH requests to the Groups/:id SCIM endpoint. The first is an add operation, which I expect because I'm adding this user as a member of the group:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "add",
            "path": "members",
            "value": [
                {
                    "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
                }
            ]
        }
    ]
}

The second PATCH request is a replace operation, which is unexpected as I'm not replacing all users in a group with the one member being added:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "members",
            "value": [
                {
                    "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
                }
            ]
        }
    ]
}

The SCIM protocol RFC outlines the difference between the add and replace operations in PATCH requests. If users are added as members of a group, there should only be an add operation, not a replace operation. Is there any way to configure Azure so it only sends add operations in this situation? Thanks!

  • Any findings here? I am having the same issue. SCIM is firing the Remove operation for all the old members when I add a new member to the group. Can't figure it out. – Ravi Sigdel Oct 19 '22 at 05:56
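As an added example (not code from the question, from Azure AD or from Microsoft), the handler below applies SCIM 2.0 PatchOp messages to a group's `members` attribute with the semantics RFC 7644 §3.5.2 gives `add`, `replace` and `remove`. Run against the two PATCH bodies quoted in the question, it shows concretely why the second request is a problem: a `replace` on `members` that carries only the newly added user overwrites the whole list, so every pre-existing member is silently dropped. The names `apply_patch`, `dropped_members` and `SAMPLE_GROUP`, and the two pre-existing member ids, are constructed for this example; the `members[value eq "..."]` filter form handled in the `remove` branch is the path syntax SCIM defines for removing one value from a multi-valued attribute.

```python
"""SCIM 2.0 Groups PATCH handling for the 'members' attribute (RFC 7644 section 3.5.2).

Constructed example for the question above, not the questioner's code and not
Azure AD's. SAMPLE_GROUP, the two *_EXAMPLE_* member ids and the function names
are assumptions made for this demonstration.
"""
import json
import re
from copy import deepcopy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Path form used to remove a single member: members[value eq "<id>"]
_MEMBER_FILTER = re.compile(r'^members\[value\s+eq\s+"([^"]+)"\]$', re.IGNORECASE)

# The two request bodies quoted in the question, verbatim.
ADD_PATCH = json.loads("""{"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
 "Operations": [{"op": "add", "path": "members",
                 "value": [{"value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"}]}]}""")
REPLACE_PATCH = json.loads("""{"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
 "Operations": [{"op": "replace", "path": "members",
                 "value": [{"value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"}]}]}""")

# Constructed group state before the first PATCH arrives (ids are made up).
SAMPLE_GROUP = {
    "id": "group-example-1",
    "displayName": "Example Group",
    "members": [{"value": "directory_user_EXAMPLE_A"}, {"value": "directory_user_EXAMPLE_B"}],
}


def member_ids(group):
    """Ordered list of member ids in a group resource."""
    return [m["value"] for m in group.get("members", [])]


def apply_patch(group, patch):
    """Return a new group dict with the PatchOp applied to its members list.

    add appends without creating duplicates (so a repeated add is idempotent),
    replace overwrites the whole multi-valued attribute, remove deletes the
    values named either by a filter path or by the operation's value list.
    """
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    new = deepcopy(group)
    new.setdefault("members", [])
    for operation in patch.get("Operations", []):
        op = str(operation.get("op", "")).lower()   # Azure AD may send "Add"/"Remove" capitalised
        path = str(operation.get("path", ""))
        incoming = [{"value": m["value"]} for m in operation.get("value", []) or []]
        if op == "add" and path.lower() == "members":
            existing = set(member_ids(new))
            new["members"].extend(m for m in incoming if m["value"] not in existing)
        elif op == "replace" and path.lower() == "members":
            new["members"] = incoming            # whole attribute is overwritten: this is the trap
        elif op == "remove":
            match = _MEMBER_FILTER.match(path)
            if match:
                targets = {match.group(1)}
            elif path.lower() == "members":
                targets = {m["value"] for m in incoming} if incoming else set(member_ids(new))
            else:
                raise ValueError(f"unsupported remove path: {path!r}")
            new["members"] = [m for m in new["members"] if m["value"] not in targets]
        else:
            raise ValueError(f"unsupported operation {op!r} on path {path!r}")
    return new


def dropped_members(before, after):
    """Member ids present before a patch and absent after it, for audit logging."""
    return sorted(set(member_ids(before)) - set(member_ids(after)))


def run_example():
    """Apply the question's two PATCH bodies in order and report what the replace removed."""
    after_add = apply_patch(SAMPLE_GROUP, ADD_PATCH)
    after_replace = apply_patch(after_add, REPLACE_PATCH)
    return member_ids(after_add), member_ids(after_replace), dropped_members(after_add, after_replace)


if __name__ == "__main__":
    added, replaced, dropped = run_example()
    print("after add:    ", added)
    print("after replace:", replaced)
    print("dropped by replace:", dropped)
```

The `dropped_members` check is the part worth keeping in a real endpoint: because group membership usually drives authorization in the application, a `replace` that shrinks the member list should at least be logged with the ids it removed, so an unexpected provisioning request from the identity provider shows up in audit data rather than only as users quietly losing access.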
