SCIM Provisioning: Group Memberships Not Re-Added After Group Deletion in the Target Application

Amir Dohmosh 20 Reputation points
2025-02-05T15:30:09.05+00:00

I’m experiencing an issue with Azure AD SCIM provisioning where group membership operations are skipped when a group is re-added.

Scenario:

  1. Azure AD provisions a group to my SCIM-compatible application (target app), including its members.
  2. I delete the group from my backend application.
  3. During the next provisioning cycle, Azure AD detects the missing group and recreates it by sending a POST request.
  4. However, Azure AD does not send a PATCH request to restore the group's members.
  5. As a result, the group is recreated but remains empty.
  6. If I manually click "Restart Provisioning" in Azure AD, the memberships are correctly re-added.

Unexpected Behavior:

  • When Azure AD detects that the group is missing in the target app, it correctly recreates the group.
  • However, it does not automatically re-add the members, even though they were previously assigned.
  • If I manually restart provisioning, Azure AD then sends the necessary membership assignments.

Questions:

  • Why does Azure AD recreate the group but not re-add its members in the same provisioning cycle?
  • Is this expected behavior, or is there a way to ensure memberships are restored without requiring a provisioning restart?
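As an added example (not code from the original post, from Microsoft, or from any real SCIM app), the following Python replays a constructed SCIM request log as the target application would record it and flags groups that were recreated by `POST /Groups` without a follow-up membership PATCH, so the empty-group condition described above can be alerted on instead of being found by users losing access. The `Operations` / `op: Add` / `path: members` shape is the SCIM 2.0 PatchOp form; the group names, ids, cycle numbers and the `response_id` field are assumptions of this example.

```python
# Added example (not from the original post or Microsoft): replay a SCIM request log
# from the target application's side and flag groups recreated via POST /Groups that
# were never repopulated by a membership PATCH. The sample log below is constructed:
# cycle 1 provisions "Finance" and PATCHes in two members, the group is then deleted
# in the backend, cycle 2 recreates it empty with no follow-up PATCH. Group names,
# ids and the "response_id" field are placeholders chosen for this example.
SAMPLE_LOG = [
    {"cycle": 1, "method": "POST", "path": "/Groups", "response_id": "g-1",
     "body": {"displayName": "Finance", "members": []}},
    {"cycle": 1, "method": "PATCH", "path": "/Groups/g-1",
     "body": {"Operations": [{"op": "Add", "path": "members",
                              "value": [{"value": "u-1"}, {"value": "u-2"}]}]}},
    {"cycle": 2, "method": "POST", "path": "/Groups", "response_id": "g-2",
     "body": {"displayName": "Finance", "members": []}},
]

def replay(log):
    """Rebuild each group's membership from the log, keyed by the id the app returned."""
    groups = {}
    for entry in log:
        if entry["method"] == "POST" and entry["path"] == "/Groups":
            body = entry["body"]
            groups[entry["response_id"]] = {
                "name": body["displayName"], "created_in_cycle": entry["cycle"],
                "members": {m["value"] for m in body.get("members", [])}}
        elif entry["method"] == "PATCH" and entry["path"].startswith("/Groups/"):
            gid = entry["path"].rsplit("/", 1)[1]
            # SCIM 2.0 PatchOp: only plain "members" add/remove ops are modelled here.
            for op in entry["body"].get("Operations", []):
                if op.get("path") != "members":
                    continue
                ids = {v["value"] for v in op.get("value", [])}
                if op["op"].lower() == "add":
                    groups[gid]["members"] |= ids
                elif op["op"].lower() == "remove":
                    groups[gid]["members"] -= ids
    return groups

def find_empty_recreations(log):
    """(name, expected members) for groups whose newest instance is empty although an earlier instance with the same displayName had members."""
    by_name = {}
    for g in replay(log).values():
        by_name.setdefault(g["name"], []).append(g)
    flagged = []
    for name, versions in by_name.items():
        versions.sort(key=lambda g: g["created_in_cycle"])
        expected = set().union(*(v["members"] for v in versions[:-1]))
        if expected and not versions[-1]["members"]:
            flagged.append((name, sorted(expected)))
    return flagged
```

Running `find_empty_recreations` over each provisioning cycle's log gives a drift signal you can act on (for example by triggering a provisioning restart) rather than waiting for an access complaint.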

Accepted answer
    Kancharla Saiteja 460 Reputation points Microsoft Vendor
    2025-02-06T11:28:39.07+00:00

    Hi Amir Dohmosh,

    Hi, thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on your query, here is my understanding: You have deleted a group in your application, and Azure detected it in the next cycle and recreated the group, but with no users.

    Azure AD group provisioning has some limitations which are documented in this document. When a group has been deleted, the on-demand provisioning API has a very limited ability to create a group and may add up to five members.

    Here are the limitations that might be the reason for the cause of the issue:

    • On-demand provisioning of groups supports updating up to five members at a time. Connectors for cross-tenant synchronization, Workday, and so on, do not support group provisioning and as a result do not support on-demand provisioning of groups.
    • The on-demand provisioning request API can only accept a single group with up to 5 members at a time.
    • On-demand provisioning supports provisioning one user at a time through the Microsoft Entra admin center.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

