
I need to get a PATCH Users request with the added group in the "groups" attribute (JSON) if a User in Entra is added to a group (by editing the Group and adding the user).

First of all, is it even possible to get a PATCH Users request when a User in Entra/Azure AD is added to a Group? I hope so!

In https://datatracker.ietf.org/doc/html/rfc7643#section-4.1 it seems there is a "groups" attribute available for Users,
but I cannot select it in Entra when editing attribute mappings. There is no "groups" attribute available in my "Source attribute" drop-down list.

I have the P1 license.

What do I have to do? I’m frustrated… Thank you in advance!

2 Answers


  1. In the same section of RFC 7643 that you linked, in the description of the User resource’s "Groups" attribute, the following explains why Entra provisioning does not allow attempting to update the "Groups" attribute on the User resource.

    Since this attribute has a mutability of
    "readOnly", group membership changes MUST be applied via the
    "Group" Resource (Section 4.2). This attribute has a mutability
    of "readOnly".

  2. Note that when using Microsoft Entra for provisioning, you can’t directly choose the "groups" attribute in the user attribute mappings, because group provisioning and user provisioning are handled as separate processes.

    • Even though you can assign a user to a group, it’s not necessary to provision the group attributes (like the "groups" attribute) in order to use groups for assignments.
    • When a user is added to a group, Microsoft Entra ID does not automatically send a PATCH request to update the user’s group membership.
    • Group provisioning and deprovisioning are optional features. If these features are enabled, Microsoft Entra ID sends specific messages to manage the group’s lifecycle, but it doesn’t automatically update the user’s group-related attributes.

    As mentioned in this blog, since this attribute is "readOnly", any changes to group membership must be made through the "Group" Resource.

    Therefore, to manage group memberships, you might need to use separate API calls or configurations, since the "groups" mapping may not be available in your current setup.

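The flow both answers describe, as an added example that is not from this thread or from Microsoft: a minimal service-provider handler for the PATCH /Groups request that Entra sends when a member is added or removed, with the User's read-only "groups" attribute derived from Group membership instead of being patched on the User. The PatchOp bodies and the user/group store are constructed; that Entra capitalises "op" and removes members through a `members[value eq "..."]` filter path is an assumption, so both spellings of "op" are accepted.

```python
import re
from copy import deepcopy

# Constructed sample state for a SCIM service provider (not real tenant data).
USERS = {"u-1": {"id": "u-1", "userName": "alice@example.com"}}
GROUPS = {"g-1": {"id": "g-1", "displayName": "Finance", "members": []}}

# PatchOp bodies as assumed to arrive at PATCH /Groups/g-1 (constructed examples).
ADD_MEMBER = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Add", "path": "members", "value": [{"value": "u-1"}]}],
}
REMOVE_MEMBER = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Remove", "path": 'members[value eq "u-1"]'}],
}

_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def patch_group(users, groups, group_id, patch):
    """Apply a SCIM PatchOp to one Group; only the 'members' attribute is handled."""
    group = deepcopy(groups[group_id])          # commit only if every operation succeeds
    for operation in patch["Operations"]:
        op = operation["op"].lower()            # tolerate "Add" as well as "add"
        path = operation.get("path", "")
        if op == "add" and path == "members":
            present = {m["value"] for m in group["members"]}
            for member in operation["value"]:
                if member["value"] not in users:   # refuse dangling member references
                    raise LookupError(f"unknown user {member['value']}")
                if member["value"] not in present: # re-adding a member is a no-op
                    group["members"].append({"value": member["value"]})
        elif op == "remove" and (match := _MEMBER_FILTER.match(path)):
            group["members"] = [m for m in group["members"] if m["value"] != match.group(1)]
        elif op == "remove" and path == "members":
            group["members"] = []
        else:
            raise ValueError(f"unsupported operation: {operation}")
    groups[group_id] = group
    return group


def user_groups(groups, user_id):
    """Derive the read-only User.groups attribute from Group.members, as RFC 7643 requires."""
    return [{"value": g["id"], "display": g["displayName"]}
            for g in groups.values()
            if any(m["value"] == user_id for m in g["members"])]
```

Because `groups` on the User is computed rather than stored, there is nothing for a PATCH /Users request to update, which is why Entra offers no "groups" source attribute in the user mapping.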