Question about PATCH or DELETE user in a SCIM implementation

Yann Foret 0 Reputation points
2025-12-04T16:08:16.03+00:00

Hello,

We implemented SCIM endpoints on our SaaS application.

Everything works fine related to adding and updating users through the provisioning module of an enterprise application.

However, I have a question regarding deletion.

Indeed, we implemented a DELETE endpoint as requested in the SCIM validator.

However, when we remove a user from the enterprise application (by going to "Users and Group" and removing the assignment of the user on this enterprise application), it seems that we receive a PATCH endpoint with the "active" property set to False.

What would happen if we add the same user that we removed earlier to the app?

  • Would it be a PATCH endpoint with active set to True,
  • or a POST endpoint that would totally recreate the user?

Also, how to trigger the DELETE endpoint? I never saw this endpoint called.

Thanks in advance for your answer,

Best Regards


1 answer

  1. Rukmini 8,600 Reputation points Microsoft External Staff Moderator
    2025-12-04T16:53:31.9066667+00:00

    Hello Yann Foret,

    With Microsoft Entra ID SCIM provisioning, this behavior is entirely expected. Entra does not call the SCIM DELETE endpoint when a user is deleted from the Enterprise Application assignment. Rather, Entra sends a PATCH operation that sets "active": false in order to carry out a soft-delete.

    • In Entra SCIM, this is the typical behavior for user unassignment, and it guarantees that the user object is still accessible for reactivation in the future.

    Entra doesn't send out a new POST request if the same user is subsequently added back to the application. Rather, it reactivates the current SCIM user object by sending another PATCH with "active": true. Unless the user is provided for the first time, a POST is never used to rebuild the user.

    • Only when the Entra user object is permanently removed from Azure AD and the provisioning function "When a user is deleted in Azure AD, delete the user in the target system" is activated in the provisioning settings is the SCIM DELETE endpoint utilized. A DELETE call will never be triggered by a standard unassignment from the app.

    Hence,

    • Unassign user → PATCH active: false
    • User reassignment → PATCH active: true
    • Only complete deletion of tenant users (with the appropriate configuration enabled) → DELETE.

    If the resolution was helpful, kindly take a moment to accept the answer as a token of appreciation.

    1 person found this answer helpful.
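
An added example, not part of the original answer and not Microsoft's or the poster's code: a Python user store for the three cases summarized above, where `active: false` revokes access but keeps the record, reassignment reactivates the same id, and DELETE removes the record. The class, method names and session map are hypothetical, and accepting the string "False" and a capitalized `op` alongside the standard JSON forms is an assumption about what the provisioning client sends.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def to_bool(value):
    """JSON booleans and the strings "True"/"False" -> bool; anything else -> None."""
    return {"true": True, "false": False}.get(str(value).lower())

class ScimUserStore:
    """Hypothetical in-memory store; each method returns an HTTP status code."""
    def __init__(self):
        self.users = {}     # SCIM id -> {"userName": ..., "active": ...}
        self.sessions = {}  # SCIM id -> set of live session tokens

    def create(self, user_id, user_name):  # POST /Users (first provisioning)
        if user_id in self.users:
            return 409  # record still exists, even when soft-deleted
        self.users[user_id] = {"userName": user_name, "active": True}
        self.sessions[user_id] = set()
        return 201

    def patch(self, user_id, body):  # PATCH /Users/{id}
        if user_id not in self.users:
            return 404
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400
        active = self.users[user_id]["active"]
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() not in ("add", "replace"):
                continue
            value = op.get("value")
            if "path" not in op and isinstance(value, dict) and "active" in value:
                value = value["active"]  # path-less form: {"active": ...}
            elif str(op.get("path", "")).lower() != "active":
                continue  # operation does not touch "active"
            active = to_bool(value)
            if active is None:
                return 400  # reject before anything is applied
        self.users[user_id]["active"] = active
        if not active:
            self.sessions[user_id].clear()  # soft delete: revoke access now
        return 200

    def can_login(self, user_id):
        return bool(self.users.get(user_id, {}).get("active"))

    def delete(self, user_id):  # DELETE /Users/{id} (hard delete)
        if self.users.pop(user_id, None) is None:
            return 404
        self.sessions.pop(user_id, None)
        return 204
```

The login path has to check `active` itself, because a soft-deleted record still exists and still holds its credentials.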
