User provisioning failing with "Resource [USER] invalid filter" in Azure AD

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.


User provisioning is failing with the following error logs in Azure AD:

Response Content: {"schemas":["urn:ietf:params:scim:b:messages:2.0:Error"],"status":"400","scimType":"invalidFilter","detail":"Resource [USER] invalid filter"}


  1. You can find your user provisioning logs in Azure AD using their documentation here.
  2. Users are not being provisioned in Atlassian.


Azure AD is sending a malformed Get Users request to our SCIM API. Per the documentation, the filter parameter can only filter by userName and externalId, not any other value. Since this query is failing, the user provisioning process is being prevented from completing successfully.


This issue stems from the Azure AD Atlassian Cloud App's user attribute mappings. Only one mapping should have the "Match objects using this attribute" values set to "yes". This mapping should can be mapped to either of the following Atlassian Cloud attributes: "userName" or "externalId".

If you have multiple user attribute mappings with "Match objects using this attribute" set to "yes", then make sure that one is mapped to either of the two values Atlassian Cloud attributes ("userName" or "externalId") and give it a higher precedence. When a Precedence is set, Azure will query the Target/Atlassian User Provisioning directory in order to find a matching value to link the accounts off of; from the Info bubble in Azure:

Matching precedence

Matching rules define how we match source objects with target objects. We will try to find the object in the target using the rule with priority 1, if not found we'll use the rule with priority 2, and so on

Last modified on Feb 16, 2022

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.