Blocked Users in Azure AD are not Blocked in Auth0 when Using SCIM

auth0.knowledge2 · January 15, 2025, 6:31pm

Overview

When utilizing SCIM with an enterprise connection where Azure AD is the Identity Provider, an inactive user in Azure AD should get blocked in Auth0, but the “blocked” field remains false in Auth0 even when the “active” field is false in Azure AD.

Applies To

Azure AD Enterprise Connection
SCIM

Cause

This is caused by having the “active” field passed as a string in Auth0 instead of a boolean type.

This is a known issue in Azure AD, documented in the following Microsoft article:

Known issues and resolutions with SCIM 2.0 protocol compliance of the Microsoft Entra user provisioning service

Solution

To resolve this issue, a query parameter should be added in the Tenant URL (in Azure AD) as documented in step six of Configure SCIM in Azure AD for OIDC Apps. The query parameter is: aadOptscim062020

Topic		Replies	Views
Azure AD with SAML Auth Reject Screen Help connections , saml-enterprise-connection	1	895	June 16, 2023
Azure AD Automatic Provisioning Help auth0 , azure-ad	2	2422	January 9, 2025
Staying in Sync with External Identity Provider Help azure-ad , enterprise-connectio	3	3696	July 17, 2019
Block user via api call Help auth0 , api	4	11251	January 8, 2020
User Management Help user-creation , delete-user , manage-users , user	2	5089	March 2, 2018

Blocked Users in Azure AD are not Blocked in Auth0 when Using SCIM

Overview

Applies To

Cause

Solution

Related topics