getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Auth - Azure SSO SCIM: Once users enable 2FA the unchangeable state of the user account gets removed #77625

Open Angelodaniel opened 1 week ago

Angelodaniel commented 1 week ago

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Enable SSO + SCIM
  2. Provision the user from SCIM
  3. User enables 2FA

This makes it possible again for the org owner or the user themselves to remove the user account, which should not be possible.

Expected Result

We would like to enforce 2FA, but can't at the moment as this will likely result in some unwanted behaviour in user management. It is possible to reconnect the user to Sentry, but they will end up without any Team. A Group Sync from AzureAD/EntraID, or removing and adding a user back to the group, does not seem to fix this.

Actual Result

Enabling 2FA removes this restriction from SCIM.

Product Area

Settings - Auth

Link

No response

DSN

No response

Version

No response

┆Issue is synchronized with this Jira Improvement by Unito

getsantry[bot] commented 1 week ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 1 week ago

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

leedongwei commented 2 days ago

Thanks for the bug report. I'll try to schedule this for the rotational crew to fix.