Issue with SCIM Provisioning Retry Behavior for Duplicate Users
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 35%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Sudharsan S
0
Reputation points
We have implemented automatic user provisioning using the SCIM protocol. During the provisioning process, when a POST request is made to create a user who already exists in another Azure AD tenant, our SCIM endpoint returns a 409 Conflict status code. As expected, this indicates a uniqueness constraint violation. To further clarify the nature of the conflict, we also included the scimType attribute with the value "uniqueness" in the response. However, despite this, Entra ID continues to retry the provisioning request at regular intervals, which is not the desired behavior in this scenario. We have attempted several alternative approaches to prevent the retries, including: Returning a 200 OK response. Returning a 400 Bad Request. Returning a 201 Created response with an empty body. Unfortunately, none of these approaches have stopped the retries. Our goal is to prevent Entra ID from retrying the provisioning request when the user already exists in another organization/tenant, as this is a known and non-recoverable condition. Could you please advise on the correct way to handle this scenario so that Entra ID does not continue to retry the request unnecessarily?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 89%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Sai Praveen 0 Reputation points2025-10-26T09:00:15.2433333+00:00 In fact, we are observing a similar behaviour.
As our SCIM implementation supports multi-tenancy, we respond back with HTTP Status code 403 Forbidden, with the response body as below when a tenant requests resources of another tenant.
{ "detail": "Access to the resource is forbidden.", "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "scimType": "forbidden", "status": "403" }We also tried other status codes like 400, 401 & 409 for other scenarios and we observe that Azure retries.
-
Sai Praveen 0 Reputation points
2025-10-26T09:04:16.15+00:00 @Sudharsan S Did you happen to find a solution for this?
Sign in to comment
Sign in to answer