azure provisioning microsoft-entra-id

Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?


I need to get a PATCH Users request with the added group in the "groups" attribute (JSON) if a User in Entra is added to a group (by editing the Group and adding the user).

First of all, is it even possible to get a PATCH Users request when a User in Entra/Azure AD is added to a Group? I hope so!

In https://datatracker.ietf.org/doc/html/rfc7643#section-4.1 it seems there is a "groups" attribute available for the Users, but I cannot select it in Entra when editing attribute mappings. There is no "groups" attribute available in my "Source attribute" drop-down list.

I have the P1 license.

What do I have to do? I'm frustrated... Thank you in advance!


Solution

  • Note that when using Microsoft Entra for provisioning, you can't directly choose the "groups" attribute in the user attribute mappings because group provisioning and user provisioning are handled as separate processes.

    As mentioned in this blog, as this attribute is "readOnly," any changes to group membership must be made through the "Group" Resource.

    Therefore, to manage group memberships, you might need to use separate API calls or configurations, since the "groups" mapping may not be available in your current setup.
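What this means on the receiving SCIM endpoint, as an added example that is not part of the original answer and is not Microsoft's code: membership arrives as a PATCH on the Group resource, the user's "groups" attribute is computed when the user is read, and a PATCH that tries to write "groups" on a User is rejected with the RFC 7644 `mutability` error. The in-memory store, the function names, the IDs and the sample request body are all constructed for illustration.

```python
# Added example: minimal in-memory SCIM service provider. All names are hypothetical.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USERS = {"u-1": {"id": "u-1", "userName": "alice@example.com"}}     # constructed data
GROUPS = {"g-1": {"displayName": "Engineering", "members": set()}}  # constructed data

# Constructed request body of the kind a provisioning client sends to PATCH /Groups/g-1
SAMPLE_ADD = {"schemas": [PATCH_SCHEMA],
              "Operations": [{"op": "Add", "path": "members", "value": [{"value": "u-1"}]}]}

class ScimError(Exception):
    def __init__(self, status, scim_type):
        super().__init__(f"{status} {scim_type}")
        self.status, self.scim_type = status, scim_type

def _operations(body):
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ScimError(400, "invalidSyntax")
    return body.get("Operations", [])

def patch_group(group_id, body):
    """PATCH /Groups/{id}: the only place where membership changes."""
    members = GROUPS[group_id]["members"]
    for op in _operations(body):
        verb = str(op.get("op", "")).lower()  # match "Add" and "add" alike
        # Simplification: only path "members" with an explicit value list is handled.
        if op.get("path") != "members" or verb not in ("add", "remove"):
            raise ScimError(400, "invalidPath")
        ids = {m["value"] for m in op.get("value") or []}
        if not ids or not ids <= USERS.keys():
            raise ScimError(400, "invalidValue")  # never link unknown user ids
        if verb == "add":
            members |= ids
        else:
            members -= ids

def patch_user(user_id, body):
    """PATCH /Users/{id}: refuse writes to the readOnly "groups" attribute."""
    for op in _operations(body):
        path, value = op.get("path") or "", op.get("value")
        in_value = isinstance(value, dict) and "groups" in value
        if path.split("[")[0].split(".")[0].lower() == "groups" or in_value:
            raise ScimError(400, "mutability")
        # Simplification: every other operation is treated as a plain attribute set.
        USERS[user_id].update({path: value} if path else value)

def get_user(user_id):
    """GET /Users/{id}: "groups" is computed from group membership, never stored."""
    groups = [{"value": gid, "display": g["displayName"]}
              for gid, g in sorted(GROUPS.items()) if user_id in g["members"]]
    return {**USERS[user_id], "groups": groups}
```

Deriving "groups" at read time keeps the Group resource as the single source of truth, so a client cannot grant membership by editing a User.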