I'm currently trying to implement the SCIM protocol for synchronizing Users & Groups from AzureAD into my application.
For development I use a MS tutorial and the RFC for SCIM:
- https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups
- https://datatracker.ietf.org/doc/html/rfc7644
For validation of my endpoints I use Microsoft's AzureAD SCIM Validator: https://scimvalidator.microsoft.com/
Running the validation I only get one error message: https://i.stack.imgur.com/Ru5KU.png
The corresponding Group was created by SCIM Validator using the following request:
POST /scim/Groups 1.1
Host: ngrok-free.app
Content-Type: application/scim+json; charset=utf-8
{
  "displayName": "3TCVOGSGK5K3",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}
The PATCH request in question is
PATCH /scim/Groups/66f04454-be03-446b-885b-dad2f37568f9 1.1
Host: ngrok-free.app
Content-Type: application/scim+json; charset=utf-8
{
  "Operations": [
    {
      "op": "replace",
      "path": "members[type eq \"untyped\"].value",
      "value": "P781Y6CGE6C6"
    },
    {
      "op": "replace",
      "value": {
        "displayName": "BXCXL6SD5JFM"
      }
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ]
}
Which gets the following response by my endpoint
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Date: Thu, 08 Jun 2023 17:51:30 GMT
Pragma: no-cache
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
Transfer-Encoding: chunked
Content-Type: application/scim+json
Expires: 0
{
  "displayName": "BXCXL6SD5JFM",
  "id": "66f04454-be03-446b-885b-dad2f37568f9",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}
What I do when receiving the request is replacing all members of the group with the one mentioned in the value ("P781Y6CGE6C6").
I don't know what the wanted behavior is for this request - maybe anyone understands it better and can explain it to me?
Best Regards
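For reference, the following is an added example (not code from the question, from Azure AD or from Microsoft's SCIM validator) that applies the two replace operations from the PATCH above with the semantics RFC 7644 section 3.5.2.3 gives them: a valuePath like members[type eq "untyped"].value changes only the value sub-attribute of the members entries that match the filter, a replace without a path takes an object whose keys each replace an attribute, and a filter that matches no entry must be answered with 400 and scimType noTarget rather than by silently overwriting the member list. The sample group (with one pre-existing member carrying type "untyped"), the helper names and the eq-only filter parser are assumptions made for the example; schema-URN-qualified paths and the add/remove operations are not implemented.

```python
"""RFC 7644 section 3.5.2.3 'replace' semantics for a SCIM Group resource.

Added example for this question; not code from the original post, from Azure AD
or from Microsoft's SCIM validator. Only the 'eq' filter operator is handled.
"""
import copy
import re

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Matches  attr[filterAttr eq "literal"].subAttr  (the .subAttr part is optional).
# Schema-URN-qualified paths (urn:...:attr) are not handled by this toy parser.
_VALUE_PATH = re.compile(
    r'^(?P<attr>[A-Za-z][\w\-]*)\[(?P<fattr>[A-Za-z][\w\-]*)\s+eq\s+"(?P<lit>[^"]*)"\]'
    r'(?:\.(?P<sub>[A-Za-z][\w\-]*))?$'
)
_SIMPLE_PATH = re.compile(r"^[A-Za-z][\w\-]*$")


class ScimError(Exception):
    """HTTP status plus scimType, as the SCIM error response (RFC 7644 3.12) needs."""

    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail

    def body(self):
        return {"schemas": [ERROR_SCHEMA], "status": str(self.status),
                "scimType": self.scim_type, "detail": self.detail}


def _replace(resource, op):
    path, value = op.get("path"), op.get("value")
    if path is None:
        # No path: value MUST be an object; each key replaces that attribute.
        if not isinstance(value, dict):
            raise ScimError(400, "invalidValue", "replace without path needs an object value")
        resource.update(value)
        return
    if _SIMPLE_PATH.match(path):
        resource[path] = value          # e.g. "displayName"
        return
    m = _VALUE_PATH.match(path)
    if m is None:
        raise ScimError(400, "invalidPath", "unsupported path: " + path)
    attr, fattr, lit, sub = m.group("attr", "fattr", "lit", "sub")
    items = resource.get(attr)
    if not isinstance(items, list):
        raise ScimError(400, "noTarget", attr + " is not a multi-valued attribute here")
    matched = [item for item in items if isinstance(item, dict) and item.get(fattr) == lit]
    if not matched:
        # valuePath with no matching record -> 400 noTarget; the endpoint must
        # not drop or overwrite the existing members to "make it fit".
        raise ScimError(400, "noTarget", 'no %s entry matches %s eq "%s"' % (attr, fattr, lit))
    for item in matched:
        if sub:
            item[sub] = value           # only the selected sub-attribute changes
        elif isinstance(value, dict):
            item.update(value)          # the whole matched record is replaced by the object
        else:
            raise ScimError(400, "invalidValue", "object value required for " + path)


def apply_patch(resource, patch):
    """Return a patched copy; raise ScimError for a request the endpoint must reject."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ScimError(400, "invalidSyntax", "missing PatchOp schema")
    result = copy.deepcopy(resource)    # never mutate the stored resource on failure
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()   # accept "Replace" as well as "replace"
        if kind != "replace":
            # "add" and "remove" follow the same path-resolution rules; omitted here.
            raise ScimError(400, "invalidValue", "unsupported op in this example: " + kind)
        _replace(result, op)
    return result


def try_patch(resource, patch):
    """What the HTTP layer would send: (200, patched resource) or (status, error body)."""
    try:
        return 200, apply_patch(resource, patch)
    except ScimError as err:
        return err.status, err.body()


# Constructed sample input modelled on the question: the group as created by the
# validator plus one pre-existing member that carries type "untyped" (assumption).
SAMPLE_GROUP = {
    "schemas": [GROUP_SCHEMA],
    "id": "66f04454-be03-446b-885b-dad2f37568f9",
    "displayName": "3TCVOGSGK5K3",
    "members": [{"value": "EXISTINGMEMBER", "type": "untyped"}],
}
SAMPLE_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "replace", "path": 'members[type eq "untyped"].value', "value": "P781Y6CGE6C6"},
        {"op": "replace", "value": {"displayName": "BXCXL6SD5JFM"}},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(try_patch(SAMPLE_GROUP, SAMPLE_PATCH), indent=2))
    print(json.dumps(try_patch({**SAMPLE_GROUP, "members": []}, SAMPLE_PATCH), indent=2))
```

Run as a script it prints the patched group first (displayName changed, the one "untyped" member now carrying the value P781Y6CGE6C6) and then the 400 noTarget error for a group with no matching member. Note that the response in the question omits members entirely; with this approach the full resource, members included, is returned, which lets the caller see exactly which entry the filter selected.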
Did you manually add the expression to the group resource's members attribute? Azure AD's SCIM implementation does not utilize the type sub-attribute on the members attribute.
Azure AD's SCIM implementation shouldn't call replace on the members attribute for groups, and I suspect that the reason it is doing so in this case is because you have edited the attribute path to members[type eq "untyped"].value. Try reverting back to the default set of attributes for groups in the SCIM validator. Having just looked at the SCIM validator while writing this, I only see displayName and externalId listed in the attribute list for the Group resource. Despite members not being listed there, I believe it is still tested.