Delinea Platform

Current

Heading link
copied to clipboard

Supported SCIM Endpoints

The following table lists the SCIM 2.0 endpoints that the Microsoft Entra provisioning service and the Delinea SCIM Cloud Connector support. You can use this reference information when troubleshooting provisioning issues.

User Endpoints (`/Users`)

HTTP Method	Endpoint	Description
POST	`/Users`	Create a user. Microsoft Entra ID sends a JSON payload with user attributes (`userName`, `name`, `emails`, `active`, `externalId`) to create a new user.
GET	`/Users/{id}`	Get a user by ID. Retrieve a specific user by their SCIM `id`. Microsoft Entra ID uses this to confirm that a user exists and to read the user’s current attribute values.
GET	`/Users?filter=userName eq "value"`	Query a user by username. Microsoft Entra ID Entra queries users by `userName` or `emails[type eq "work"]`.value to check if a user already exists before creating. Only eq and and filter operators are used.
GET	`/Users?filter=externalId eq "value"`	Query a user by `externalId`. Microsoft Entra ID can also query by `externalId` to match users.
PATCH	`/Users/{id}`	Update a user’s attributes (multi-valued properties). Microsoft Entra ID sends a JSON PATCH (`PatchOp`) to update attributes like `emails`, `name.familyName`, `phoneNumbers`. `Operations` specifies the update operation: `Replace`, `Add`, or `Remove`.
PATCH	`/Users/{id}` (`active` = `false`)	Disable (soft-delete) a user. When a user is unassigned from the application or soft-deleted in Microsoft Entra ID, a PATCH sets `active` to `false`.
DELETE	`/Users/{id}`	Delete a (hard-delete) user. When a user is permanently deleted from Microsoft Entra Entra (30 days after a soft-delete), a DELETE request is sent.

Group Endpoints (`/Groups`)

HTTP Method	Endpoint	Description
POST	`/Groups`	Create a group. Microsoft Entra ID sends a JSON payload with `displayName` and optionally members to create a new group.
GET	`/Groups/{id}?excludedAttributes=members`	Get a group by ID. Retrieve a group by SCIM `id`. Microsoft Entra ID requests groups excluding the `members` attribute to avoid large payloads.
GET	`/Groups?filter=displayName eq "value"`	Query a group by `displayName`. Microsoft Entra ID queries groups by `displayName` to check existence. Groups must have unique `displayName` values to work correctly with Microsoft Entra ID.
GET	`/Groups?filter=externalId eq "value"`	Query a group by `externalId`. Microsoft Entra ID can also match groups by `externalId`.
PATCH	`/Groups/{id}`	Update a group (non-member attributes). Microsoft Entra ID sends a JSON PATCH to update group attributes like `displayName`.
PATCH	`/Groups/{id}`	Add members to a group. Microsoft Entra ID sends a PATCH with `Add` operation on the `members` path, providing user `value` (SCIM ID) to add.
PATCH	`/Groups/{id}` (Remove members)	Remove members from a group. Microsoft Entra ID sends a PATCH with `Remove` operation on members`[value eq "{userId}"]` to remove a specific member.
DELETE	`/Groups/{id}`	Delete a group. Permanently removes the group. A DELETE request is sent when a group is unassigned from the SCIM app in Microsoft Entra ID.

In this Article