I was testing a SCIM implementation with Confluence and Azure AD, with OIDC authentication, and ran into the following issue:

If a SCIM-provisioned account is deleted manually from Confluence, Azure does not seem to have a way to figure out that it has been deleted, so it will not create the user again on the next provisioning cycle. Is there a way to clear out Azure's "cache" or storage of the existing user so that it sees that the user no longer exists in the application it is SCIMing to?

I attempted removing/re-adding the user under Provisioning/Users and Groups to see if it would pick it up again, and it did not. I tried manually creating the user in Confluence with the correct name/username/email to see if the link between Azure and the app could be restored, and it did not work.

So my question is: is there any way to support two-way syncing between Azure AD and an application using SCIM? Is Azure able to receive requests from the app that a user has been deleted? If not, what steps need to be done to clear out Azure's cache so that the user can be provisioned again via SCIM?

Let me know if you need more details, thanks.


Zollnerd

Restarting the provisioning job or using Provisioning on Demand should both force the user to be re-evaluated, at which point AAD Provisioning will do a GET /Users/, get an HTTP 404 response (Not Found), and then try to locate the user via GET /Users?filter=userName eq [email protected]. If there is no user, it will find 0 matches and create a new one; if one has been recreated, it will locate that, link the two objects in AAD and the SCIM app, and send any needed updates.

Two way sync - including detecting changes in the target (usually SCIM) system and reacting to them - isn't possible. The main triggers for a user being evaluated by AAD Provisioning are if the job is restarted, if the user has changed in AAD, or if Provisioning on Demand is used. External triggers such as changes in the other system are not possible at this time.
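The re-evaluation flow the answer describes, modelled in Python as an added example (this is not code from Microsoft, Atlassian or the answerer). A minimal in-memory SCIM 2.0 /Users resource stands in for Confluence, and a simplified provisioning client plays the IdP: it remembers which SCIM id each directory object is linked to, does GET by id, falls back to a userName filter on 404, and then either creates the user or links to the one an admin recreated by hand. Matching on userName, the class and field names, and the sample user are assumptions; the real service's internals are not public, only the behaviour stated above.

```python
"""Model of IdP-side SCIM re-evaluation against a minimal SCIM server.
Added example, not vendor code. The provisioning client below is a simplified
model of the behaviour described in the answer (GET by id -> 404 -> filter by
userName -> create or link); class names, matching attribute and sample data
are assumptions for illustration."""
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimServer:
    """In-memory SCIM 2.0 /Users resource standing in for the application side."""

    # RFC 7644 filter 'userName eq "value"'; quotes optional, since the answer omits them.
    FILTER_RE = re.compile(r'^userName\s+eq\s+"?([^"]+?)"?$', re.IGNORECASE)

    def __init__(self):
        self.users = {}  # SCIM id -> user resource

    def get_user(self, user_id):  # GET /Users/{id}
        user = self.users.get(user_id)
        if user is None:
            return 404, {"schemas": [SCIM_ERROR], "status": "404"}
        return 200, user

    def list_users(self, filter_expr):  # GET /Users?filter=...
        m = self.FILTER_RE.match(filter_expr.strip())
        if not m:
            return 400, {"schemas": [SCIM_ERROR], "status": "400", "scimType": "invalidFilter"}
        wanted = m.group(1).lower()
        hits = [u for u in self.users.values() if u["userName"].lower() == wanted]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(hits), "Resources": hits}

    def create_user(self, body):  # POST /Users; 409 on duplicate userName (RFC 7644 s3.3)
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return 409, {"schemas": [SCIM_ERROR], "status": "409", "scimType": "uniqueness"}
        user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()), **body}
        self.users[user["id"]] = user
        return 201, user

    def replace_user(self, user_id, body):  # PUT /Users/{id}
        if user_id not in self.users:
            return 404, {"schemas": [SCIM_ERROR], "status": "404"}
        self.users[user_id].update(body)
        return 200, self.users[user_id]

    def delete_user(self, user_id):  # DELETE /Users/{id}, or an admin deleting in the UI
        return (204, None) if self.users.pop(user_id, None) is not None else (404, None)


class ProvisioningClient:
    """Model of the IdP side; self.links is the 'cache' the question asks about."""

    def __init__(self, server):
        self.server = server
        self.links = {}  # directory objectId -> SCIM id

    @staticmethod
    def to_scim(user):
        return {"userName": user["userPrincipalName"], "displayName": user["displayName"], "active": True}

    def evaluate(self, user):
        """Re-evaluate one user (what a job restart or Provisioning on Demand triggers)."""
        desired = self.to_scim(user)
        scim_id = self.links.get(user["objectId"])
        if scim_id is not None:
            status, _ = self.server.get_user(scim_id)
            if status == 200:
                self.server.replace_user(scim_id, desired)
                return "updated"
            if status != 404:
                raise RuntimeError(f"unexpected status {status}")
            # Linked object is gone: fall through and try to match by userName.
        status, page = self.server.list_users(f'userName eq "{desired["userName"]}"')
        if status != 200:
            raise RuntimeError(f"filter rejected with {status}")
        if page["totalResults"] == 0:
            status, created = self.server.create_user(desired)
            if status != 201:
                raise RuntimeError(f"create failed with {status}")
            self.links[user["objectId"]] = created["id"]
            return "created"
        if page["totalResults"] == 1:
            found = page["Resources"][0]
            self.links[user["objectId"]] = found["id"]  # re-link to the recreated object
            self.server.replace_user(found["id"], desired)
            return "linked"
        raise RuntimeError("ambiguous match: matching attribute is not unique in the app")


def demo():
    """Constructed scenario covering both situations from the question."""
    server, alice = ScimServer(), {"objectId": "aad-0001", "userPrincipalName": "alice@example.test",
                                   "displayName": "Alice"}
    idp = ProvisioningClient(server)
    results = {"initial": idp.evaluate(alice), "no_change": idp.evaluate(alice)}
    # Case 1: admin deletes the account in the app; the next evaluation recreates it.
    server.delete_user(idp.links[alice["objectId"]])
    results["after_delete"] = idp.evaluate(alice)
    # Case 2: deleted again, then recreated by hand with the same userName; the filter
    # finds it and the client links to the new id instead of creating a duplicate.
    server.delete_user(idp.links[alice["objectId"]])
    _, manual = server.create_user({"userName": "alice@example.test", "displayName": "A.", "active": True})
    results["after_manual_recreate"] = idp.evaluate(alice)
    results["relinked_to_manual"] = idp.links[alice["objectId"]] == manual["id"]
    results["display_name_now"] = server.users[manual["id"]]["displayName"]
    return results
```

Two details worth noting in the model: the server answers 409 on a duplicate userName, which is what stops a naive "just POST again" from working when the app still has the account, and the client refuses an ambiguous filter result rather than guessing, since linking a directory object to the wrong target account is an account-takeover path.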