Interested to see if anyone is using SCIM through Microsoft Entra or what they are doing instead for managing the provisioning / removal of accounts in Retool.
We're currently using SCIM alongside SAML SSO. We've enabled the aadOptscim062020 flag to ensure SCIM 2.0 compliance, but are having some issues:
1. User Updates - only the Active flag is currently enabled for update in Retool. If there's an error with the name / then this needs to be updated manually, so it doesn't remain in sync with Entra.
2. Bug when updating the active flag. Currently the active flag update doesn't function as expected. This has been raised as a bug but means that any removals are not set as inactive in Retool.
3. Group Updates - Any group updates only look to apply when the user logs in.
Thanks for reaching out! It looks like we have a feature request for more update support, so I can post here if that request gets picked up. I can also share an update when the bug you mentioned is fixed.
For 3, can you share a bit more about how this limitation is impacting your team?
For this one you don't get to see the full picture of all the users with their groups until users have logged in. It's also compounded with the bug since they are not getting marked inactive as part of the process and they still have permissions assigned.
I looked into this a bit further, and it looks like MS Entra ID allows you to do something similar to what group push does for Okta, as noted in our SCIM + Okta docs (automatic update group membership).
Without having tested this myself, it appears that you can configure MS Entra ID with SCIM 2.0 and push users / groups automatically. If there is a bug with groups automatically updating when using Microsoft Entra with provisioning enabled, I can request a fix for that too.
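While removals are not being marked inactive, as described in this thread, one way to find accounts that still hold group permissions is to reconcile the application's user list against the identity provider. The following is an added example, not part of the original thread and not Retool or Microsoft code; it assumes you can export a SCIM 2.0 ListResponse (RFC 7644) of users from the application and a list of enabled, assigned users from Entra, and all sample data and function names are constructed.

```python
import json

# Constructed sample: SCIM 2.0 ListResponse (RFC 7644) of the application's users.
SCIM_USERS = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 4,
 "Resources": [
  {"userName": "alice@example.com", "active": true,   "groups": [{"display": "admin"}]},
  {"userName": "Bob@Example.com",   "active": true,   "groups": [{"display": "editor"}]},
  {"userName": "carol@example.com", "active": "True", "groups": []},
  {"userName": "dave@example.com",  "active": false,  "groups": [{"display": "viewer"}]}
 ]}
""")

# Constructed sample: users currently enabled and assigned to the app in the IdP.
IDP_ENABLED = {"alice@example.com", "carol@example.com", "erin@example.com"}

def is_active(value):
    """Tolerate both boolean and string forms of the 'active' attribute."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)

def find_stale_accounts(list_response, idp_enabled):
    """App accounts still active although the IdP no longer has them enabled."""
    enabled = {u.lower() for u in idp_enabled}
    stale = []
    for user in list_response.get("Resources", []):
        name = user.get("userName", "")
        # A missing 'active' attribute is treated as active so it gets reviewed.
        if is_active(user.get("active", True)) and name.lower() not in enabled:
            groups = sorted(g.get("display", "") for g in user.get("groups", []))
            stale.append({"userName": name, "groups": groups})
    return sorted(stale, key=lambda s: s["userName"].lower())

def find_missing_accounts(list_response, idp_enabled):
    """IdP-enabled users that have no active account in the application."""
    active = {u.get("userName", "").lower()
              for u in list_response.get("Resources", [])
              if is_active(u.get("active", True))}
    return sorted(u.lower() for u in idp_enabled if u.lower() not in active)

if __name__ == "__main__":
    for acct in find_stale_accounts(SCIM_USERS, IDP_ENABLED):
        print("STALE", acct["userName"], acct["groups"])
    for name in find_missing_accounts(SCIM_USERS, IDP_ENABLED):
        print("MISSING", name)
```

The `groups` attribute only reflects what the application has already recorded, so memberships that apply at next login will not appear in the stale report until then.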