AppRoleAssignmentsComplex

[magne]

There are several issues here, both with the implementation and documentation:

• How to configure: The main reason to use AppRoleAssignmentsComplex is to support multiple roles. When adding the new roles attribute, it should mention that it needs to be multi-value to support, well, multiple roles.
• You mention that there is a difference between POST and PATCH; that PATCH does not contain type. This is incorrect. The PATCH contains none of the attributes of POST, instead it has the attributes id and displayName. Although the informal description of the Core User in the SCIM specification (RFC-7643 page 25) states that ... no vocabulary or syntax is specified ..., the schema in the same specification (RFC-7643 page 66) explicitly defines 4 attributes (value, display, type, and primary).
• The PATCH value is not valid. Even though the SCIM specification is very vague and ambigous regarding the patch operation, this ought to be quite clear: ... The value MAY be a quoted value, or it may be a JSON object containing the sub-attributes of the complex attribute specified in the operation's "path". ... (RFC-7644 page 36). The PATCH request received from the Azure AD SCIM client (see below) contains a hybrid value (array of complex object with quoted value containing a complex object), and will result in a role with the value attribute set to the quoted value the way I read the spec.

  {
  "schemas": [
  "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
  {
    "op": "Add",
    "path": "roles",
    "value": [
      {
        "value": "{\"id\":\"18d14569-c3bd-439b-9a66-3a2aee01d14f\",\"displayName\":\"Member\"}"
      }
    ]
  }
  ]
  }

• Since the POST and PATCH operations use different attributes, which attributes should we return for the role in the response so that the Azure AD SCIM client will properly match roles and we don't get PATCH churn?

Is there a timeline for fixing PATCH operations? It's been a year (04/03/2019) since you in the documentation state that ... we are working on ... this behavior. Where can we file issues against the Azure AD SCIM provider?

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 83b07a9e-5e16-32ed-265e-32a32998ce37
• Version Independent ID: 09008259-4b53-2925-9679-ecad59cefe41
• Content: Customizing Azure AD attribute mappings
• Content Source: articles/active-directory/app-provisioning/customize-application-attributes.md
• Service: active-directory
• Sub-service: app-provisioning
• GitHub Login: @msmimart
• Microsoft Alias: mimart

[shashishailaj]

@magne Thank you for your feedback . We will have this reviewed and update the thread.

[kenwith]

reassign:kenwith

[jmorlesinsolarwinds]

Do we have any update on this? We're having the same issue.

[fdutron]

Sorry, but any news on this subject ?

[kenwith]

There is a lot of great product feedback in this doc issue. This is an old issue and there have been known RFC compliance issues. A number of the issues have been resolved and there is work to resolve additional issues. For the issues that have been resolved there is documentation available here: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior I made sure to surface the information in this doc issue back to the product team. I will also be updating the referenced article (link above) with the work the product team is currently doing once it is live.

please-close