User provisioning failing with "Resource [USER] invalid filter" in Azure AD
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
User provisioning is failing with the following error logs in Azure AD:
Response Content: {"schemas":["urn:ietf:params:scim:b:messages:2.0:Error"],"status":"400","scimType":"invalidFilter","detail":"Resource [USER] invalid filter"}
Diagnosis
You can find your user provisioning logs in Azure AD using their documentation here.
Users are not being provisioned in Atlassian.
Cause
Azure AD is sending a malformed Get Users request to our SCIM API. Per the documentation, the filter parameter can only filter by userName and externalId, not any other value. Since this query is failing, the user provisioning process is being prevented from completing successfully.
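The following added example (not Atlassian's or Microsoft's code) scans logged Get Users request URLs and reports any filter attribute other than userName or externalId, which is the condition that produces the error above. The log lines, the host scim.example.invalid, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The only attributes the page says the Get Users filter accepts.
# SCIM attribute names are case-insensitive (RFC 7643), so compare lowercased.
ALLOWED = {"username", "externalid"}

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted filter values
_URL = re.compile(r"https?://\S+")
# An attribute path (optionally with a [..] value filter and sub-attribute)
# followed by a SCIM comparison operator (RFC 7644, section 3.4.2.2).
_ATTR_OP = re.compile(
    r"([A-Za-z][\w:.\-]*(?:\[[^\]]*\])?(?:\.\w+)?)\s+"
    r"(?:eq|ne|co|sw|ew|gt|ge|lt|le|pr)\b", re.I)

def unsupported_filter_attrs(url):
    """Return the filter attributes in a request URL that are not allowed."""
    bad = []
    for expr in parse_qs(urlsplit(url).query).get("filter", []):
        # Blank out quoted values so text inside them is never read as an attribute.
        blanked = _QUOTED.sub('""', expr)
        for m in _ATTR_OP.finditer(blanked):
            attr = m.group(1)
            if attr.lower() not in ALLOWED and attr not in bad:
                bad.append(attr)
    return bad

def audit(log_lines):
    """Map 1-based line number -> unsupported attributes found on that line."""
    findings = {}
    for n, line in enumerate(log_lines, 1):
        m = _URL.search(line)
        bad = unsupported_filter_attrs(m.group(0)) if m else []
        if bad:
            findings[n] = bad
    return findings

# Constructed sample requests; not taken from real provisioning logs.
BASE = "GET https://scim.example.invalid/Users?filter="
SAMPLE_LOG = [
    BASE + "userName%20eq%20%22alice%40example.com%22",
    BASE + "emails%5Btype%20eq%20%22work%22%5D.value%20eq%20%22bob%40example.com%22",
    BASE + "externalId+eq+%22a1b2%22",
    BASE + "displayName%20eq%20%22userName%20eq%20x%22",
]

if __name__ == "__main__":
    for lineno, attrs in audit(SAMPLE_LOG).items():
        print(f"line {lineno}: unsupported filter attribute(s): {attrs}")
```

Any attribute it reports corresponds to a mapping that has "Match objects using this attribute" set to "yes" but targets something other than userName or externalId.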
Solution
This issue stems from the Azure AD Atlassian Cloud App's user attribute mappings. Only one mapping should have the "Match objects using this attribute" value set to "yes". This mapping should be mapped to either of the following Atlassian Cloud attributes: "userName" or "externalId".
If you have multiple user attribute mappings with "Match objects using this attribute" set to "yes", then make sure that one of them is mapped to either of the two Atlassian Cloud attributes ("userName" or "externalId") and give it a higher precedence. When a precedence is set, Azure will query the Target/Atlassian User Provisioning directory to find a matching value with which to link the accounts. From the info bubble in Azure:
Matching precedence
Matching rules define how we match source objects with target objects. We will try to find the object in the target using the rule with priority 1, if not found we'll use the rule with priority 2, and so on