Troubleshooting SCIM

Table of Contents

 

Introduction

Read this article if you experience issues with automated user provisioning via SCIM API. 

Before you continue reading this article, please read the introduction article for the prerequisites, limitations, and requirements.

 

Test connection failed

When testing the connection during the initial SCIM setup (see configuration step 13), the Microsoft Entra ID (previously called Azure AD) SCIM Client will try to connect using the provided URL and access token and will report the result with a notification. 

If you received an error when testing the connection, check if the key is valid and/or make sure SCIM is enabled from the workspace admin settings page. Then, try again.

Back to top

 

About deleted users and/or groups

As mentioned in Automated user provisioning via SCIM API:

  • If you hard delete a user in Microsoft Entra ID, this user will also be permanently deleted in Workspace.
  • If you soft delete a user in Microsoft Entra ID, this user will be displayed in the deleted user list in Workspace.
  • Deleted groups from the SCIM client user scope must be manually deleted in Workspace (or permanently deleted from your Microsoft Entra ID).

Our recommendation is to manage users and/or groups from Microsoft Entra ID. If you need to do this from Workspace, you need to stop the sync first from the User provisioning page.

Back to top

 

User not deleted from workspace

When a user is not deleted from the workspace by the SCIM provisioning, you can manually delete the user as a workaround. Follow the steps below to do this:

The steps below should only be applied as a workaround in situations where users are not deleted by SCIM when they should. Do not use these steps by default, as this may cause issues with the SCIM sync.
  1. Go to the SCIM application in Microsoft Entra ID, navigate to Provisioning and click Stop provisioning
  2. Log in to the workspace as admin, navigate to Settings > Users & groups > User provisioning
  3. Uncheck Enable sync using SCIM and click Done in the top left
  4. Go to User management and delete the user from the workspace
  5. Return to User provisioning and check Enable sync using SCIM again, click Done in the top left
  6. Go back to the SCIM application's Provisioning page in Microsoft Entra ID and click Start provisioning to start SCIM again

Back to top

 

Error 500

Error500SCIM.png

This error may occur when you first activate SCIM, and a user has a different UPN in Azure AD than in Workspace. In this case, you will need to manually delete the user from Workspace before syncing the user again. To do so, follow these steps:

  1. Go to the SCIM Enterprise application in Microsoft Entra ID and temporarily stop the sync.
  2. Log in to the Workspace as an admin and navigate to Settings > Users & groups > User provisioning.
  3. Remove the "Enable sync using SCIM" checkmark and click "Done".
  4. Go to User management.
  5. Select the user and click "Delete".
  6. Go to Deleted users.
  7. Select the user and delete the account permanently from Workspace.
  8. Go back to User provisioning.
  9. Enable the "Enable sync using SCIM" checkmark again and click "Done".
  10. In Microsoft Entra ID, start the SCIM Enterprise application again.
  11. Click "Provision on demand".
  12. Enter the user's name and click "Provision".
  13. The user should now be added to the Workspace again with the correct information.

Back to top

 

User scope issue (workaround)

Follow the instructions (workaround) below if:
  • You are not able to limit the scope of users and/or groups that you want to sync to Workspace 365, due to an error message in Microsoft Entra ID: "We encountered an error while updating provisioning configuration"
  • After changing the user scope from 'all' to 'assigned', selected users and/or groups are not being removed from Workspace as expected.

Step 1. Stop automated user provisioning via SCIM

  1. Go the SCIM enterprise application in Microsoft Entra ID.
  2. Navigate to the Provisioning tab.
  3. Click Stop provisioning.


Step 2. Change the user provisioning method to Azure AD sync

  1. In Workspace, go to Users & groups.
  2. Select User provisioning.
  3. Change the user provisioning method to Azure Active Directory (AD) sync.
  4. Click Done.
  5. A dialogue will pop up. Copy the API key. This key will only be displayed once.


Step 3. Configure the Azure AD synctool to sync only selected groups and/or domains to Workspace

If you haven't used the Azure AD synctool before, click here for instructions. And if so, you do not need to clear the cache.

    1. In the Azure AD synctool configuration UI, paste API key under Sync API authentication token collected from step 2.5. 
    2. Click Save.
    3. Clear the synctool's cache. For further instructions about clearing the cache, click here.
    4. Make sure to disable domain- and group filtering by unchecking these filtering options.
    5. Start the synctool's Windows service to start a full sync and wait for it to complete.
    6. After the sync is complete, you may enable group-/domain filtering.
    7. Start the sync. Now, only selected groups and/or domains will be synced to Workspace. 
    8. You may now stop the synctool's Windows service when the sync it complete.


Step 4. Switch back to automated user provisioning via SCIM

    1. From the Workspace settings page, change the provisioning method back to Automated user provisioning (SCIM).
    2. Click Done.
    3. A dialogue will pop up. Copy the API key. This key will only be displayed once.


Step 5. Start user provisioning via SCIM

    1. In azure, go back to the Provisioning tab from the SCIM enterprise application.
    2. Select Edit provisioning
    3. Open Admin credentials.
    4. Paste the API key you copied from step 4.3 under Secret token.
    5. Change the scope from 'all' to 'assigned' users and groups under settings
    6. Click Save.
    7. Go back to the Users and groups tab.
    8. From here, you need to make sure to sync the same users and groups to workspace as in step 3.6.
    9. Click Start provisioning from the Provisioning tab. 

You now have successfully limited the scope of users and/or groups you sync to Workspace 365. From now on, you can add or remove users and/or groups from the SCIM user scope.

Back to top

 

Regenerate API key (secret token)

If you need to regenerate the SCIM API key, follow these steps:

  1. In Workspace, go to the admin settings page.
  2. Go to Users & groups.
  3. Select User provisioning.
  4. Click Regenerate to create a new SCIM API key. 
  5. Confirm by clicking Regenerate.

    regenretae_confirm.png

  6. Copy the newly generated API key. This key will only be displayed once. Make sure to save/note down this key. 
  7. In Azure, go to the SCIM enterprise application.
  8. Select the Provisioning tab.
  9. Click Edit provisioning
  10. Open Admin credentials.
  11. Under Secret token, fill in the API key you copied from step 6.
  12. You may Test connection.
  13. Click Save after the connection was successfully tested.

    secret_token.png

Back to top