I'm implementing SCIM group provisioning from Azure AD, but I don't support nested groups. Below is the PATCH call from Azure AD (when a member is added).

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [{
    "op": "add",
    "path": "members",
    "value": [{
      "$ref": "https://example.com/v2/Users/45",
      "value": "45"
    }]
  }]
}

I'm unable to identify whether the member is a User-type or a Group-type resource. Kindly help me with how I can restrict this in the code, or is there any way I can restrict it directly from Azure AD so that it does not send Group-type members?

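The question asks how to enforce the restriction on the server. Whatever the identity provider is configured to send, the SCIM server should decide for itself whether a `members` entry refers to a User or a Group, and the one source it can trust is its own user and group stores, since `$ref` is optional in SCIM and is often sent as null. The following is an added example, not code from the original post or from Azure AD's documentation: an in-memory handler for the "add members" PatchOp above that rejects Group-type members with a SCIM error body. The `USERS` and `GROUPS` dictionaries, the ids `45`, `7` and `8`, and the `https://example.com/v2/...` URLs are constructed for the example.

```python
# Added example, not code from the original post: a server-side guard for the
# "add members" PATCH shown above. The stores, ids and URLs are constructed
# for the example; a real server would query its own user and group tables.
from urllib.parse import urlparse

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed stand-ins for the server's own resource stores (assumption).
USERS = {"45": {"userName": "alice@example.com"}}
GROUPS = {
    "7": {"displayName": "Engineering", "members": []},
    "8": {"displayName": "Engineering-Leads", "members": []},
}


class ScimError(Exception):
    """An RFC 7644 section 3.12 error response."""

    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status = status
        self.body = {"schemas": [ERROR_SCHEMA], "status": str(status),
                     "scimType": scim_type, "detail": detail}


def member_resource_type(member):
    """Classify one entry of a members array as "User", "Group" or None.

    The local stores are authoritative: a client hint must never be able to
    smuggle a group id in as a user. The hints ($ref URI, then the RFC 7643
    "type" sub-attribute) are consulted only for ids the server does not
    know, because Azure AD often sends "$ref": null.
    """
    value = member.get("value")
    if value in GROUPS:
        return "Group"
    if value in USERS:
        return "User"
    ref = member.get("$ref")
    if ref:
        segments = [s for s in urlparse(ref).path.split("/") if s]
        if len(segments) >= 2 and segments[-2] in ("Users", "Groups"):
            return segments[-2][:-1]   # "Users" -> "User", "Groups" -> "Group"
    hint = member.get("type")
    return hint if hint in ("User", "Group") else None


def handle_members_patch(group_id, patch):
    """Apply the 'add members' operations of a PatchOp to one group.

    Returns (http_status, body): the updated group on success, or a SCIM
    error body when a member is a Group (nested groups unsupported) or unknown.
    """
    try:
        group = GROUPS.get(group_id)
        if group is None:
            raise ScimError(404, "invalidValue", f"group {group_id} not found")
        if PATCH_OP_SCHEMA not in patch.get("schemas", []):
            raise ScimError(400, "invalidSyntax", "missing PatchOp schema")
        new_members = []
        for op in patch.get("Operations", []):
            # Some clients capitalise the op name ("Add"); compare case-insensitively.
            if str(op.get("op", "")).lower() != "add" or op.get("path") != "members":
                continue   # replace/remove are out of scope for this example
            for member in op.get("value", []):
                kind = member_resource_type(member)
                if kind == "Group":
                    raise ScimError(400, "invalidValue",
                                    f"nested groups are not supported: {member.get('value')}")
                if kind != "User" or member.get("value") not in USERS:
                    raise ScimError(400, "invalidValue",
                                    f"unknown user: {member.get('value')}")
                new_members.append({"value": member["value"], "type": "User"})
        # Everything is validated before the group is touched, so one bad
        # entry rejects the whole operation instead of leaving a partial add.
        existing = {m["value"] for m in group["members"]}
        for m in new_members:
            if m["value"] not in existing:
                group["members"].append(m)
                existing.add(m["value"])
        return 200, group
    except ScimError as err:
        return err.status, err.body


if __name__ == "__main__":
    ok_patch = {"schemas": [PATCH_OP_SCHEMA], "Operations": [
        {"op": "add", "path": "members",
         "value": [{"$ref": "https://example.com/v2/Users/45", "value": "45"}]}]}
    print(handle_members_patch("7", ok_patch))
    nested = {"schemas": [PATCH_OP_SCHEMA], "Operations": [
        {"op": "Add", "path": "members", "value": [{"$ref": None, "value": "8"}]}]}
    print(handle_members_patch("7", nested))
```

The ordering inside `member_resource_type` is the security-relevant part: a lookup in the server's own stores comes first, and the client-supplied `$ref` and `type` are only used to give a precise error for ids the server has never seen. That way a member whose `$ref` says `/Users/` but whose id belongs to a local group is still rejected as a nested group.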
1 Answer

From the config of the Azure AD Enterprise App, go to Provisioning -> Mappings -> Provision Azure Active Directory Groups -> Show advanced options (bottom of screen) -> Edit attribute list for customappsso.

This will bring you to the schema editor UI for AAD's representation of the SCIM app's schema for group objects. On the far right side, in the column "Referenced Object Attribute", you'll see there are two selected values for the members attribute. Open the dropdown, unselect urn:ietf:params:scim:schemas:core:2.0:Group, then save.

That should work. If it doesn't, please let me know (or for faster turnaround, open a support case from the Azure portal).