Summary
Some provisioning requests from Azure Active Directory (AAD) may fail due to a conflict between the SCIM SDK used by Dremio and the requests coming from AAD, which are not all SCIM-compliant. This article provides a solution to fix the issue.
Reported Issue
Provisioning requests from AAD are not working as expected.
Relevant Versions
Dremio Cloud
Troubleshooting Steps
Add additional content.
Cause
The SCIM SDK used by Dremio and the requests from AAD are not fully compatible with the SCIM 2.0 standard.
Steps to Resolve
- Add the query parameter "aadOptscim062020" to the Tenant URL to fix the Microsoft SCIM 2.0 compliance issue. For example:
https://scim.dremio.cloud/scim/v2/?aadOptscim062020 - If you have already configured the SCIM app with Microsoft Entra ID and are experiencing failures in SCIM syncing for specific behaviors (disabling users, adding single-value string attributes, replacing multiple attributes, or removing group members), you need to delete the existing customappsso job and create a new SCIM job. Follow the section "Upgrading from the older customappsso job to the SCIM job" in the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#upgrading-from-the-older-customappsso-job-to-the-scim-job.
Additional Resources
This issue is tracked internally as DX-64492.