User provisioning failing with "Resource [USER] invalid filter" in Azure AD

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.

Summary

User provisioning is failing with the following error logs in Azure AD:

Response Content: {"schemas":["urn:ietf:params:scim:b:messages:2.0:Error"],"status":"400","scimType":"invalidFilter","detail":"Resource [USER] invalid filter"}


Diagnosis

  1. You can find your user provisioning logs in Azure AD using their documentation here.
  2. Users are not being provisioned in Atlassian.

Cause

Azure AD is sending a malformed Get Users request to our SCIM API. Per the documentation, the filter parameter can only filter by userName and externalId, not title. Because this query fails, the user provisioning process cannot complete.
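To identify which attribute Azure AD placed in the rejected filter, the following added example (not Atlassian or Microsoft code) extracts the SCIM filter attributes from Get Users request URLs and lists any that are not userName or externalId. It assumes you have copied the request URL out of the provisioning log; the URLs and the scim.example.invalid host below are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Attributes the article says the Get Users filter accepts (compared lower-case).
SUPPORTED = {"username", "externalid"}

# One SCIM filter term: attribute path, RFC 7644 operator, optional value.
# Quoted values are consumed whole so operators inside them are not re-matched.
_TERM = re.compile(
    r'([A-Za-z][\w.:$-]*(?:\[[^\]]*\])?(?:\.\w+)?)\s+'
    r'(eq|ne|co|sw|ew|gt|ge|lt|le|pr)\b'
    r'(?:\s+("(?:[^"\\]|\\.)*"|[^\s()]+))?',
    re.IGNORECASE,
)

def unsupported_filter_attrs(request_url):
    """Return filter attribute paths in request_url that are not in SUPPORTED."""
    query = parse_qs(urlsplit(request_url).query)  # decodes '+' and %xx
    bad = []
    for expr in query.get("filter", []):
        for term in _TERM.finditer(expr):
            attr = term.group(1)
            # Drop any sub-filter ("emails[...]") and URN schema prefix.
            base = attr.split("[")[0].rsplit(":", 1)[-1].lower()
            if base not in SUPPORTED and attr not in bad:
                bad.append(attr)
    return bad

# Constructed sample request URLs (not taken from a real tenant).
SAMPLE_REQUESTS = [
    "https://scim.example.invalid/Users?filter=userName+eq+%22alice%40example.com%22",
    "https://scim.example.invalid/Users?filter=title+eq+%22Engineer%22",
    "https://scim.example.invalid/Users"
    "?filter=externalId+eq+%22a1b2%22+and+title+eq+%22x+eq+y%22",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        bad = unsupported_filter_attrs(url)
        verdict = "invalidFilter expected for: " + ", ".join(bad) if bad else "ok"
        print(f"{verdict}  <-  {url}")
```

Any attribute this reports is one that has a matching precedence set in the Azure AD attribute mappings.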

Solution

This issue stems from extra "Matching Precedence" values being set by Azure AD in Provisioning > User Attribute Mappings. When a precedence is set, Azure queries the target (Atlassian) user provisioning directory for a matching value to link the accounts on. From the Info bubble in Azure:

Matching precedence

Matching rules define how we match source objects with target objects. We will try to find the object in the target using the rule with priority 1, if not found we'll use the rule with priority 2, and so on


If the "Matching precedence" is not locked when you edit or add any other custom attributes, try setting it to 0; if Azure is forcing you to define a non-zero value, you may need to engage with Microsoft Support to help further investigate.


Last modified on Jul 22, 2021
