Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Active Directory?

← Azure Active Directory

SCIM defects


  1. The Azure AD SCIM client does not follow the SCIM Base URI properly.
    As per, https://tools.ietf.org/html/rfc7644#section-1.3,
    The resource relative paths (e.g. /Users) needs to be appended to the configured Base URI.
    Azure AD is instead appending "/scim/Users" to the URI configured on the Provisioning tab of the app. If my SaaS application requires the tenant ID in the path (e.g. https://bla/scim/tenantID/), this is not possible with Azure's client.


  2. The Azure AD SCIM client doesn't implement a proper OAuth2 client. It simply asks for the OAuth bearer token to be provided in the configuration. This is no good since bearer tokens need to expire for security reasons. The SCIM client should instead implement the OAuth2 client credentials grant or password grant to a configurable OAuth2 token endpoint.


48 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Peter Varga shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

The first issue is fixed as described here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility

OAuth authorization code grant flow is now supported for new apps that want to be added to the Azure AD app gallery. You can request your app be added here – https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-app-gallery-listing

Work to support the code grant as well as client credentials on the non-gallery app is currently in our backlog. It’s intended to be done, but not yet funded.

In the meantime, the 1KB token limitation has been lifted.

Show previous admin responses (2)

15 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • prasuna commented  ·   ·  Flag as inappropriate

    AZURE Post endpoint is getting triggered for a restored user instead of Patch Endpoint. It would be better if the user is restored, the SCIM endpoint to be triggered is Patch.
    Since the identities of the user we maintain in the downstream system is the same with source.
    Considering it as a restored user means, downstream system also would be holding the data unless it is hard deleted.

  • Jens Schwendemann commented  ·   ·  Flag as inappropriate

    Jap, #2 is a showstopper. In my environment I'm trying to integrate with SAP Analytics Cloud. They / SAP (for comprehensible reasons) do not allow long-lived tokens anymore on cloud foundry platform. That, combined with the AAD SCIM client not supporting...
    - authorization code grant configurable authorization / token URLs for gallery apps
    - authorization code grant for non-gallery apps
    - client grant flow at all
    ... leaves us in limbus with our planned integration.

    C'mon folks!

  • Fabrice commented  ·   ·  Flag as inappropriate

    Still no news of the issue #2 ? Or maybe this is simply to motivate the registration of the app in the gallery.

  • Bissat Matthieu commented  ·   ·  Flag as inappropriate

    Hi, on my side issue #2 is problematic as well. Is there any timeline on when the "OAuth authorization code grant" feature will be deployed for non-gallery apps?
    And what about the "OAuth client credentials grant"? The doc says it is in your backlog, any update?
    Thanks,
    Matthieu

  • Charles Tandy commented  ·   ·  Flag as inappropriate

    Is there any update on when we can expect to be able to use code grant flow?
    Having long lasting Bearer tokens is very problematic and introduces security risk.

    I also can't use the bearer tokens from my current OAuth provider because they are too large for the current storage limit: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-storage-limit

    This makes it impossible for me to integrate with Azure without switching OAuth providers.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Is there any update on issue #2? The lack of proper oauth or SAML support makes integrating to Azure AD very problematic at this time.

  • Arindam Laha commented  ·   ·  Flag as inappropriate

    Hi,
    Is there any update on this topic? Azure AD SCIM is not implemented as per the RFC guidelines.

  • B commented  ·   ·  Flag as inappropriate

    How can violating the SCIM2 RFC be a design decision?

    How can it even work with any SCIM2 backend if it is requesting the wrong URIs?

  • Anonymous commented  ·   ·  Flag as inappropriate

    Regarding #1, indeed a very problematic behavior.
    It violates section 3.2 in RFC 7644.
    I am currently discussing this with Microsoft Tek support; their answer up to this point is that it is a by-design behavior...

    shlomi at anchi dot name

Azure Active Directory: Provisioning to Applications

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice