There are interpretations and assumptions that the Microsoft Entra SCIM client makes, based on the SCIM specifications, that the SCIM component does not conform to by default. To provide compatibility with the Microsoft Entra SCIM client and the Microsoft Entra SCIM validation tool, a flag is available to enable compatibility. This page details how to enable Microsoft Entra integration compatibility and what functionality is enabled by doing so.
Enabling Microsoft Entra Compatibility
To enable Microsoft Entra compatibility, set the EnableAzureAdCompatibility flag to true in the ScimServiceProviderConfigOptions passed in when calling AddScimServiceProvider:
public void ConfigureServices(IServiceCollection services)
{
    services.AddScimServiceProvider(
        "/SCIM",
        new ScimLicensingOptions("Demo", "eyJTb2xkRm9yIjowLjAsI .... "),
        new ScimServiceProviderConfigOptions
        {
            ...
            EnableAzureAdCompatibility = true
            ...
        }
    );
}
When the SCIM component is set to be compatible with Microsoft Entra, the following four behaviours change.
Accepted PATCH syntax
Microsoft Entra requests use dot notation within property names to indicate property structure. Take the following PATCH operation as an example:
{
    "op": "replace",
    "value": {
        "userName": "ettie@sawayn.us",
        "name.honorificPrefix": "Anthony",
        "name.honorificSuffix": "Stanford",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber": "G6G00I9RNZ0L",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.displayName": "DAV5Z5JXNJ47"
    }
}
The value above is equivalent to the following nested representation:
{
    "userName": "ettie@sawayn.us",
    "name": {
        "honorificPrefix": "Anthony",
        "honorificSuffix": "Stanford"
    },
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "G6G00I9RNZ0L",
        "manager": {
            "displayName": "DAV5Z5JXNJ47"
        }
    }
}
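The following is an added example, not code from the SCIM component, showing how a dot-notation value object of the shape above can be expanded into the nested form. The point worth seeing in code is the extension schema URN: it contains "2.0", so the URN has to be peeled off as a single segment before the remainder is split on dots. The KnownSchemaUrns list and the class name are this example's own assumptions; a real implementation would take the URNs from its registered resource schemas.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Nodes;

// Added example (not the SCIM component's own code): expands the dot-notation
// keys Microsoft Entra sends inside a PATCH "value" object into nested objects.
public static class EntraPatchValueExpander
{
    // Assumption: in practice this list comes from the registered schemas.
    private static readonly string[] KnownSchemaUrns =
    {
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    };

    public static JsonObject Expand(JsonObject flat)
    {
        var nested = new JsonObject();
        foreach (KeyValuePair<string, JsonNode?> pair in flat)
        {
            List<string> segments = SplitPath(pair.Key);
            JsonObject current = nested;

            // Walk (or create) the intermediate objects for every segment but the last.
            for (int i = 0; i < segments.Count - 1; i++)
            {
                if (current[segments[i]] is not JsonObject child)
                {
                    child = new JsonObject();
                    current[segments[i]] = child;   // replaces a scalar if one was there
                }
                current = child;
            }

            // A JsonNode may only have one parent, so copy the value before re-attaching it.
            current[segments[^1]] = pair.Value is null ? null : JsonNode.Parse(pair.Value.ToJsonString());
        }
        return nested;
    }

    // "name.honorificPrefix" -> ["name", "honorificPrefix"]
    // "<urn>:manager.displayName" -> ["<urn>", "manager", "displayName"]
    private static List<string> SplitPath(string key)
    {
        var segments = new List<string>();
        string remainder = key;

        foreach (string urn in KnownSchemaUrns)
        {
            if (key.Equals(urn, StringComparison.OrdinalIgnoreCase))
                return new List<string> { urn };             // whole-extension object

            if (key.StartsWith(urn + ":", StringComparison.OrdinalIgnoreCase))
            {
                segments.Add(urn);                           // keep "2.0" intact
                remainder = key.Substring(urn.Length + 1);
                break;
            }
        }

        // An unknown URN cannot be split safely on '.', so keep it as one key.
        if (remainder.StartsWith("urn:", StringComparison.OrdinalIgnoreCase))
        {
            segments.Add(remainder);
            return segments;
        }

        segments.AddRange(remainder.Split('.', StringSplitOptions.RemoveEmptyEntries));
        return segments;
    }

    public static void Main()
    {
        // Constructed input mirroring the Microsoft Entra PATCH value above.
        var flat = new JsonObject
        {
            ["userName"] = "ettie@sawayn.us",
            ["name.honorificPrefix"] = "Anthony",
            ["name.honorificSuffix"] = "Stanford",
            ["urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber"] = "G6G00I9RNZ0L",
            ["urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.displayName"] = "DAV5Z5JXNJ47",
        };

        Console.WriteLine(Expand(flat).ToJsonString(new JsonSerializerOptions { WriteIndented = true }));
    }
}
```

Running the example prints the nested document shown above. Note that a dotted key whose prefix already holds a scalar (for example "name" set to a string, then "name.givenName") overwrites the scalar with an object; a stricter implementation may prefer to reject that as an invalid PATCH.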
Accepted ADD operations
If you're using the SCIM component's implementation of IPatchCommandExecutor, then after enabling Microsoft Entra compatibility the implementation allows "add" operations that include a filter in the path. For example, given the following patch operation:
{
    "op": "add",
    "path": "phoneNumbers[type eq \"mobile\"].value",
    "value": "62-106-7825"
}
For this operation, a new item is added to the mapped phoneNumbers collection. The item has its type property set to "mobile" and its value property set to "62-106-7825".
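As an added example that is not the SCIM component's IPatchCommandExecutor, the helper below applies a filtered "add" of the kind shown above to a JSON resource: it parses the path, creates a new item in the multi-valued attribute, and pre-populates the filter attribute. Only the single 'attribute eq "value"' filter form is recognised; that restriction, and the class and method names, are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Nodes;
using System.Text.RegularExpressions;

// Added example (not the SCIM component's code): applies a filtered "add"
// such as phoneNumbers[type eq "mobile"].value to a JSON resource.
public static class FilteredAddOperation
{
    // attr[fattr eq "fval"] with an optional trailing .sub
    private static readonly Regex PathPattern = new Regex(
        @"^(?<attr>[A-Za-z0-9_]+)\[(?<fattr>[A-Za-z0-9_]+) eq ""(?<fval>[^""]*)""\](?:\.(?<sub>[A-Za-z0-9_]+))?$");

    // Returns false when the path is not a filtered add this helper understands,
    // so the caller can fall back to ordinary PATCH handling or reject the request.
    public static bool TryApply(JsonObject resource, string path, JsonNode? value)
    {
        Match m = PathPattern.Match(path);
        if (!m.Success || value is null)
            return false;

        string attribute = m.Groups["attr"].Value;
        if (resource[attribute] is not JsonArray items)
        {
            items = new JsonArray();
            resource[attribute] = items;
        }

        // The filter becomes a property of the new item, e.g. "type": "mobile".
        var item = new JsonObject
        {
            [m.Groups["fattr"].Value] = m.Groups["fval"].Value,
        };

        // Copy the value: a JsonNode can have only one parent.
        JsonNode copy = JsonNode.Parse(value.ToJsonString())!;

        if (m.Groups["sub"].Success)
        {
            // ...[type eq "mobile"].value with a scalar value
            item[m.Groups["sub"].Value] = copy;
        }
        else if (copy is JsonObject valueObject)
        {
            // ...[type eq "mobile"] with an object value: merge its properties in
            foreach (KeyValuePair<string, JsonNode?> pair in valueObject)
                item[pair.Key] = pair.Value is null ? null : JsonNode.Parse(pair.Value.ToJsonString());
        }
        else
        {
            return false;   // a bare scalar needs a sub-attribute to land in
        }

        items.Add(item);
        return true;
    }

    public static void Main()
    {
        // Constructed resource and operation mirroring the example above.
        var user = new JsonObject { ["userName"] = "bjensen" };
        bool applied = TryApply(user, "phoneNumbers[type eq \"mobile\"].value", "62-106-7825");

        Console.WriteLine(applied);
        Console.WriteLine(user.ToJsonString(new JsonSerializerOptions { WriteIndented = true }));
    }
}
```

After the call, phoneNumbers holds a single item whose type is "mobile" and whose value is "62-106-7825". Because the operation always appends, sending the same filtered add twice produces two "mobile" entries; if your store should treat the filter as a key, check for an existing match before adding.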
Extension Schema Validation
Extension schema validation is turned off when Microsoft Entra compatibility is enabled. For example, when using the default resources for the in-memory SCIM store:
public void ConfigureServices(IServiceCollection services)
{
    services.AddScimServiceProvider("/SCIM", new ScimLicensingOptions("Demo", "eyJTb2xkRm9yIjowLjAsI .... "))
        .AddScimDefaultResourcesForInMemoryStore();
}
When the user model is registered, the EnterpriseUser extension schema is also registered. By default, the SCIM component expects any full representation of a user to include the extension schema and its properties. If you enable Microsoft Entra compatibility, bear in mind that requests made to the SCIM component are no longer validated against the extension schemas when those schemas are not present in the request.
The examples below show what is expected in each scenario when a create request is made to the /Users endpoint. With Microsoft Entra compatibility disabled, the request must declare the extension schema and include its attributes:
{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "userName": "bjensen",
    "externalId": "bjensen",
    "name": {
        "formatted": "Ms. Barbara J Jensen III",
        "familyName": "Jensen",
        "givenName": "Barbara"
    },
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "DSQR02DDMHBZ",
        "department": "AB2CJGNH1764",
        "costCenter": "CF9EOQ9JWPW4",
        "organization": "QWVM73ADSIYJ",
        "division": "RR364K2Z3A93"
    }
}
With Microsoft Entra compatibility enabled, a request that omits the extension schema is accepted:
{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "bjensen",
    "externalId": "bjensen",
    "name": {
        "formatted": "Ms. Barbara J Jensen III",
        "familyName": "Jensen",
        "givenName": "Barbara"
    }
}
ExternalId uniqueness in the InMemoryScimStore
When Microsoft Entra provisions users and groups, it expects resources to be unique by their ExternalId. Enforcing this uniqueness is the responsibility of the store. When the EnableAzureAdCompatibility flag is set to true, the InMemoryScimStore implementation requires uniqueness based on the ExternalId property. If you have a custom store implementation, you must ensure that it also enforces uniqueness on this property.
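The following is an added example, not the InMemoryScimStore itself, of an index a custom store could use to enforce the ExternalId uniqueness described above. The class and method names are this example's own. It allows a resource to re-assert its own ExternalId (what an update of an existing user looks like), releases the ExternalId on delete, and treats resources without an ExternalId as non-colliding. ExternalId is a case-exact attribute in the SCIM core schema, so the comparison is ordinal.

```csharp
using System;
using System.Collections.Generic;

// Added example (not the SCIM component's store): tracks which resource owns
// each externalId so a custom store can reject duplicates.
public sealed class ExternalIdIndex
{
    private readonly object _gate = new object();
    private readonly Dictionary<string, string> _ownerByExternalId =
        new Dictionary<string, string>(StringComparer.Ordinal);

    // Reserves externalId for resourceId. Returns false if a different resource
    // already holds it; a resource re-asserting its own externalId succeeds.
    public bool TryClaim(string? externalId, string resourceId)
    {
        if (string.IsNullOrEmpty(externalId))
            return true;   // externalId is optional; resources without one never collide

        lock (_gate)
        {
            if (_ownerByExternalId.TryGetValue(externalId, out string? owner))
                return owner == resourceId;

            // A resource holds at most one externalId; drop any previous one first.
            ReleaseLocked(resourceId);
            _ownerByExternalId[externalId] = resourceId;
            return true;
        }
    }

    // Frees whatever externalId resourceId holds; call this on delete.
    public void Release(string resourceId)
    {
        lock (_gate) ReleaseLocked(resourceId);
    }

    private void ReleaseLocked(string resourceId)
    {
        string? stale = null;
        foreach (KeyValuePair<string, string> pair in _ownerByExternalId)
        {
            if (pair.Value == resourceId) { stale = pair.Key; break; }
        }
        if (stale != null)
            _ownerByExternalId.Remove(stale);
    }

    public static void Main()
    {
        var index = new ExternalIdIndex();

        // Constructed sequence: two provisioning requests that share an externalId.
        Console.WriteLine(index.TryClaim("bjensen", "user-1"));   // first user claims it
        Console.WriteLine(index.TryClaim("bjensen", "user-2"));   // second user conflicts
        Console.WriteLine(index.TryClaim("bjensen", "user-1"));   // same user updating itself
        index.Release("user-1");                                  // delete frees it
        Console.WriteLine(index.TryClaim("bjensen", "user-2"));   // now available again
    }
}
```

When TryClaim returns false for a create or update, respond with HTTP 409 and a SCIM error whose scimType is "uniqueness", which is how RFC 7644 reports a uniqueness conflict. An in-process index like this only protects a single instance; a store backed by a database should enforce the same rule with a unique constraint on the ExternalId column so that concurrent provisioning requests cannot race past the check.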