
[Bug]: SCIM (Microsoft Entra ID) group reconciliation deletes manually assigned Group roles

Open ConnorsApps opened this issue 1 month ago • 1 comments

What happened?

We use FusionAuth as a SCIM provisioning server and Microsoft Entra ID as the SCIM client. Entra provisions users and groups successfully, and memberships remain correct. However, if we manually assign Application Roles to a SCIM-managed Group in FusionAuth, the next Entra provisioning cycle (group update/reconcile) removes those roles from the Group.

FusionAuth tenant SCIM lambdas are the defaults. 

Expected behavior

Manually assigned Group application roles remain intact after Entra provisioning updates.

Actual behavior

After Entra provisioning updates the Group, the Group’s assigned Application Roles are removed.

Steps to reproduce

  1. Configure FusionAuth SCIM with Microsoft Entra ID. Entra provisions users/groups as expected.
  2. Let Entra create a Group in FusionAuth.
  3. In FusionAuth UI, manually assign one or more Application Roles to that Group.
  4. Trigger Entra provisioning again (either a scheduled cycle or by forcing provisioning / updating the group in Entra).
  5. Observe the Group in FusionAuth: Application Roles are gone, group still exists, and the user memberships are still correct.

Version

1.61.2

Affects Versions

No response

Alternatives / Workarounds

No response

ConnorsApps avatar Dec 16 '25 16:12 ConnorsApps

@ConnorsApps I have not dived deep into this (yet), but I wonder if the same thing that happens to users (and was fixed) is happening to groups...

  • https://github.com/FusionAuth/fusionauth-issues/issues/3064

jobannon avatar Dec 19 '25 00:12 jobannon
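
A check an operator could run around a provisioning cycle to catch the role loss reported in this issue, added here as an example; it is not part of the issue thread or FusionAuth's code. It assumes group snapshots shaped like FusionAuth group objects, with `roles` keyed by application id and each role carrying a `name`; the ids and role names below are constructed.

```python
"""Report Application Roles that disappeared from groups between two snapshots."""


def role_set(group):
    """Flatten a group's roles into {(application_id, role_name)}.

    Assumed shape: group["roles"] maps an application id to a list of role
    objects with a "name". A missing or null "roles" value means no roles.
    """
    roles = group.get("roles") or {}
    return {(app_id, role["name"])
            for app_id, items in roles.items()
            for role in items or []}


def lost_roles(before, after):
    """Return {group_id: sorted lost (application_id, role_name) pairs}."""
    after_by_id = {g["id"]: g for g in after}
    report = {}
    for group in before:
        current = after_by_id.get(group["id"])
        if current is None:
            continue  # a deleted group is a different event; not reported here
        missing = role_set(group) - role_set(current)
        if missing:
            report[group["id"]] = sorted(missing)
    return report


# Constructed snapshots: one taken after the manual role assignment,
# one taken after the next provisioning cycle.
APP = "app-0000-constructed"
BEFORE = [
    {"id": "grp-1", "name": "Engineering",
     "roles": {APP: [{"name": "admin"}, {"name": "viewer"}]}},
    {"id": "grp-2", "name": "Support", "roles": {APP: [{"name": "viewer"}]}},
]
AFTER = [
    {"id": "grp-1", "name": "Engineering", "roles": {}},  # roles gone, group kept
    {"id": "grp-2", "name": "Support", "roles": {APP: [{"name": "viewer"}]}},
]

if __name__ == "__main__":
    for group_id, roles in lost_roles(BEFORE, AFTER).items():
        print(f"{group_id}: lost {roles}")
```
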