Provisioning failure for enterprise application (Entra ID-AWS SSO)

Hema Seshadri 0 Reputation points
2025-07-21T20:58:26.7666667+00:00

I am trying to provision a new user from Microsoft Entra ID to the AWS SSO application through the Enterprise application web page. I initiated on-demand provisioning through a user with global admin privileges but still get the error below:
Error code

SystemForCrossDomainIdentityManagementCredentialValidationFailure

Error message

While attempting to validate our authorization to access your application, we received this unexpected response: Received response from Web resource. Resource: https://scim.us-east-1.amazonaws.com/f3v1198be1e-0695-40eb-a33d-af2db144301e/scim/v2/Users?filter=userName+eq+"be5a1204-e5c5-41a4-8eae-7b3689df53fb" Operation: GET Response Status Code: Unauthorized Response Headers: Connection: keep-alive x-amzn-RequestId: 1ef5097e-e221-4089-8456-da4ba850c41a x-amzn-ErrorType: UnauthorizedException Date: Mon, 21 Jul 2025 20:37:33 GMT Response Content:


1 answer

Raja Pothuraju 29,560 Reputation points Microsoft External Staff Moderator
    2025-07-21T22:59:00.79+00:00

    Hello Hema Seshadri,

    When the token used to establish a SCIM connection with an application in Microsoft Entra ID expires or becomes invalid, Entra automatically places the application's provisioning status into Quarantine. The associated error message will display as "SystemForCrossDomainIdentityManagementCredentialValidationFailure."

    To resolve this, the admin must:

    • Generate a new token from the target application.
    • Update the token in the Entra provisioning configuration.
    • Perform a test connection to ensure validity.
    • Save the configuration once the test is successful.
    • Restart the provisioning job.

    Upon restart, the provisioning job will skip users that have already been provisioned and will only process new or changed objects.

    To view the admin credential page, please follow the steps below:

    1. Navigate to https://portal.azure.com
    2. Go to Microsoft Entra ID
    3. Select Enterprise Applications
    4. Choose your application
    5. Click on Update Credentials

    Once there, kindly confirm that your token is valid. After validating the token, please proceed to test the connection:

    • If the test is successful, no further action is required.
    • If the test is unsuccessful, we recommend reaching out to the AWS application team to verify the token’s validity.
    • If the token is invalid, they should provide you with a new valid token to enable a successful connection test.

    Screenshot of Admin Credentials dialog box.

    Once the token is validated and the connection test passes, the service should automatically be lifted from quarantine.

    What is your SCIM server's response there? It is likely the source of the problem.

