Skip to main content

v26.2.11

v26.2.11

Accept Microsoft Entra's non-standard SCIM payload for removing group members

Microsoft Entra deviates from RFC 7644 when removing a single member from a group: instead of a value-path filter (path: members[value eq "<id>"]), it sends op: remove with a bare path: members and the member to remove in a value array. SCIM now interprets this payload as a selective remove of the listed members. Previously the bare path caused every member of the group to be cleared, so any Entra-provisioned group was emptied on a single-user remove event. RFC 7644-compliant payloads (a bare remove with no value, or a value-path filter) are unchanged.

Ory Network

The largest Identity and Access Management network in the world. So you can get back to building your business.

Sign up for free