Entra SCIM validator: userName filter fails when our service derives userName from first email
Hi,

We're validating our SCIM `/Users` endpoints against the Entra SCIM validator. Our system only supports one email per user and derives `userName` from email. We currently ignore the incoming `userName` in `POST /Users`.

Where the list of emails comes from:

The Entra validator sends a multi-valued `emails` array during Create User.

What we do:

- Pick the first email from `emails[]`.
- Set both `email` and `userName` to this chosen email.
- Ignore any `userName` provided in the request.
Example – Request from Entra:

```http
POST /scim/v2/Users
Content-Type: application/scim+json

{
  "active": true,
  "emails": [
    {
      "type": "other",
      "display": "OAVDHVYNEPFU",
      "value": "******@ullrichlemke.ca"
    },
    {
      "type": "work",
      "display": "WCBXPVGTPGTN",
      "value": "******@bogisich.ca"
    },
    {
      "type": "home",
      "display": "XXXYWHCWHXVX",
      "value": "******@koss.info"
    }
  ],
  "name": { "familyName": "Jesus", "givenName": "Rigoberto" },
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "******@schmidtwelch.uk"
}
```
What we store (after our processing):

```
{
  "id": "12345",
  "userName": "******@ullrichlemke.ca", // derived from first email
  "email": "******@ullrichlemke.ca",
  "active": true,
  "name": { "familyName": "Jesus", "givenName": "Rigoberto" }
}
```
Our Create response (201):

```http
HTTP/1.1 201 Created
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "12345",
  "userName": "******@ullrichlemke.ca",
  "active": true,
  "name": { "familyName": "Jesus", "givenName": "Rigoberto" },
  "emails": [
    { "value": "******@ullrichlemke.ca", "type": "other", "primary": true }
  ]
}
```
What Entra does next (filter call):

```http
GET /scim/v2/Users?filter=userName%20eq%20%22gage_ernser%40schmidtwelch.uk%22
```

Our search response:

```http
HTTP/1.1 200 OK
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 0
}
```
Problem

The validator expects to find the user by the original `userName` it sent (`"******@schmidtwelch.uk"`), but our system overwrote it to match the first email (`"******@ullrichlemke.ca"`). This is by design — in our product, `userName` is always the user's email.
Questions for the Entra team/community

- Is there a way to configure the Entra SCIM validator so that:
  - `userName` is omitted on create, letting us derive it from email, or
  - follow-up filters use the returned `userName` from our 201 response instead of the originally sent one?
- If not, does that mean the only way to pass validation would be to store the provided `userName` exactly as sent, even when it's different from the chosen email, which would go against our single-email, `userName == email` design?
- Are there best practices for SCIM targets that enforce `userName == email` while still integrating with Entra provisioning?

We're trying to keep our single-email, `userName == email` rule while passing the validator.

Thanks! Happy to provide more request/response logs if needed.
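The round-trip the post describes, reproduced as an added example (not the poster's implementation and not Microsoft's validator): a minimal in-memory SCIM `/Users` handler that supports both policies named in the question, deriving `userName` from the first email versus storing the `userName` the IdP sent verbatim. Replaying the validator's two calls (Create User, then `GET /Users?filter=userName eq "..."`) shows the first policy answering `totalResults: 0` and the second matching. The sample request, domain names and helper names (`ScimUserStore`, `validator_round_trip`) are constructed for the example; the `userName` comparison is case-insensitive because RFC 7643 defines `userName` with `caseExact: false`.

```python
"""Minimal in-memory SCIM /Users handler used to replay the validator round-trip
from the post: POST /Users, then GET /Users?filter=userName eq "...".
Example code added to this thread; not the poster's service and not the Entra
validator. All domain names and identifiers below are constructed placeholders."""
import re
from urllib.parse import parse_qs, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample modelled on the request in the post (values are placeholders).
SAMPLE_CREATE = {
    "schemas": [USER_SCHEMA],
    "userName": "gage@schmidtwelch.example",
    "active": True,
    "name": {"familyName": "Jesus", "givenName": "Rigoberto"},
    "emails": [
        {"type": "other", "value": "first@ullrichlemke.example"},
        {"type": "work", "value": "second@bogisich.example"},
    ],
}

# Only the single-attribute equality form the validator uses here:  attr eq "value"
_EQ_FILTER = re.compile(r'^\s*([A-Za-z][\w.]*)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$', re.IGNORECASE)


def parse_eq_filter(expr):
    """Return (attribute, value) for a SCIM 'attr eq "value"' filter, or raise ValueError."""
    m = _EQ_FILTER.match(expr)
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    attr, raw = m.group(1), m.group(2)
    value = raw.replace('\\"', '"').replace("\\\\", "\\")  # undo SCIM string escaping
    return attr, value


class ScimUserStore:
    """In-memory /Users resource implementing the two policies discussed in the post."""

    def __init__(self, derive_username_from_email):
        self.derive_username_from_email = derive_username_from_email
        self._users = {}
        self._next_id = 1

    def create(self, payload):
        """Handle POST /Users and return the 201 body."""
        emails = payload.get("emails") or []
        email = emails[0]["value"] if emails else None  # the post's rule: first email wins
        if self.derive_username_from_email:
            user_name = email  # overwrite what the IdP sent (the post's current behaviour)
        else:
            user_name = payload.get("userName")  # keep the IdP's value exactly as sent
        if not user_name:
            raise ValueError("userName is required")
        uid = str(self._next_id)
        self._next_id += 1
        record = {"id": uid, "userName": user_name, "email": email,
                  "active": bool(payload.get("active", True)), "name": payload.get("name", {})}
        self._users[uid] = record
        return self._as_resource(record)

    def search(self, request_uri):
        """Handle GET /Users?filter=... (parse_qs percent-decodes the filter for us)."""
        query = parse_qs(urlsplit(request_uri).query)
        filters = query.get("filter", [])
        if not filters:
            matches = list(self._users.values())
        else:
            attr, value = parse_eq_filter(filters[0])
            if attr.lower() != "username":
                raise ValueError("only userName filters are supported in this example")
            # RFC 7643 defines userName with caseExact=false, so compare case-insensitively.
            matches = [u for u in self._users.values() if u["userName"].lower() == value.lower()]
        resources = [self._as_resource(u) for u in matches]
        return {"schemas": [LIST_SCHEMA], "totalResults": len(resources), "Resources": resources}

    @staticmethod
    def _as_resource(record):
        emails = [{"value": record["email"], "type": "other", "primary": True}] if record["email"] else []
        return {"schemas": [USER_SCHEMA], "id": record["id"], "userName": record["userName"],
                "active": record["active"], "name": record["name"], "emails": emails}


def validator_round_trip(derive_username_from_email):
    """Replay the validator's two calls and return totalResults of the filter lookup."""
    store = ScimUserStore(derive_username_from_email)
    store.create(SAMPLE_CREATE)
    sent = SAMPLE_CREATE["userName"]
    uri = "/scim/v2/Users?filter=userName%20eq%20%22" + sent.replace("@", "%40") + "%22"
    return store.search(uri)["totalResults"]


if __name__ == "__main__":
    print("derive userName from first email:", validator_round_trip(True))   # 0, the post's failure
    print("store userName as sent:          ", validator_round_trip(False))  # 1
```

The filter lookup is the only way the validator (and later, the provisioning service) can correlate the account it created with the account it finds, so whichever attribute it filters on must be stored unchanged; the example keeps the single `email` field separate from `userName` so the one-email design is unaffected by which value `userName` holds.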