Attributes are not updated during initial create user payload via SCIM on Azure AD

Issue

User attributes from Azure AD weren't being updated in the initial SCIM create payload and required subsequent SCIM updates during the next provisioning cycle.

Cause

Incorrect Attribute Schema configuration in Azure AD.

Resolution

In order to have attributes imported into Immuta from Azure AD on the initial create user payload, the attribute schemas must adhere to the following format where only CustomExtensionName and CustomAttribute are able to be modified:

urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute

If the attribute schema in Azure AD does not comply with the format above then you will likely see errors such as the following in the logs in Azure AD:

"description": A property of an entry was not exported, because exporting the property is not supported for this operation: Add. The entry is [email protected]. The property is custom:country.

Note: Attributes will still be updated on the next provisioning cycle (40 minute interval) but will delay the process and create more background jobs.

PreviousEntra ID - Creating an attribute with toUpper or toLower NextAttempting to sign-in with AzureAD SSO fails with AADSTS75011

Last updated 1 year ago

hashtagIssue

hashtagCause

hashtagResolution

Issue

Cause

Resolution