Cato Networks Knowledge Base

Users/Groups in Azure AD are Not Getting Provisioned to CMA via SCIM

  • Updated


In this article, we delve into potential issues related to Azure SCIM provisioning, particularly focusing on scenarios where users and/or groups encounter synchronization issues with the CMA, aka, Users/Group in Azure AD are not provisioned into CMA. We explore common issues, their possible causes, and provide insights and recommendations for troubleshooting and resolving these synchronization problems.

For configuration details on how to integrate Azure to the CMA, please refer to SCIM-Provisioning-with-Azure.


Provisioning users/groups to CMA through Azure SCIM


In this section, we will outline a series of steps to help isolate and troubleshoot the issue of users and groups not being synchronized with CMA. Follow these steps within your Azure environment by logging in to before proceeding.

Validate Admin Credentials

This section walks you through how to validate the admin credential configured in Azure by performing a Test Connection.

  • Go to SCIM Application > Provisioning > Admin Credentials. Ensure that the credentials (Tenant URL and Token) for the application are valid. This could be verified by clicking on Test Connection. testconnection.jpg
  • For a successful test, you should see the following test result:
  • If the result is unsuccessful, go to the CMA, and navigate to Access > Directory Services > SCIM to validate the Base URL. It should be the same as the Tenant URL configured in Azure. If you need to generate a new token, be sure to copy it before saving the configuration on the CMA. Once that is done, input the new token in Azure and Test Connection again.

Mandatory Attributes

As described in the prerequisites section of the SCIM Provisioning with Azure article, certain attributes are mandatory and, if missing, will cause provisioning to fail.

  • The below screenshot shows the mandatory fields that are required for a user for provisioning to work. For the user that failed to sync with CMA, verify that these fields are populated. 

Users/Groups not Assigned to Application

Users and groups need to be added to the Cato Provisioning Application before they can be synced into CMA. This section provides a step by step instructions on how to validate this.

  • Go to Enterprise applications > Cato Provisioning Application > User & Groups and verify that the user/group is listed.
  • From the below example, we can see 1 group and 1 user are assigned to the "Cato Networks Provisioning - APJ T1 Lab" application.
  • The user and group (along with members in that group) will be synced to the CMA.
  • To assign a user/group, click on Add user/group, and then select "User and groups" and the right pane will appear for you to select the respective users/group to be added.
    NOTE: Nested groups provisioning are not supported

Scoping Filter in Users/Groups

The scope filter allows you to define the scope or range of resources that should be provisioned or synchronized during the provisioning process. It helps you specify the subset of resources that should be included or excluded based on certain criteria. You can refer to the Microsoft document - Scoping users or groups to be provisioned with scoping filters for more details.

  • Verify if there are any scoping filters configured for users and groups.
  • To do that, go to Enterprise applications > Cato Provisioning Application > Provisioning> Provisioning > Mappings, and select the User or Group mapping. 
  • If it was configured, verify that the Source Object Scope filters include the interesting user/group. Be aware that multiple scoping filters use the OR logic, whereas multiple attributes within a filter use the AND logic. For more details, refer to the Microsoft document - Scoping users or groups to be provisioned with scoping filters.
  • Attempt provisioning on demand for the failing user/group. If the failure is due to the scoping filter, the user/group will be skipped, and Azure will display the possible reasons (see below)

Provisioning On-Demand

Once the necessary changes have been made, you can initiate the provisioning on-demand process to update the user/group with the modified attributes. By provisioning just the modified object, we can achieve further isolation and focus solely on updating the specific changes made. 

  • To do that, go to Azure Active Directory > Enterprise Application > Cato Provisioning Application > Provisioning
  • Click on "Provision on Demand"
  • Enter the name of the object and select the respective user or group
  • Click on Provision (bottom left of screen)
  • The user will be provisioned again and it will display the result on the right pane.

Log Review

If the issue persists even after performing the aforementioned checks, it is advisable to review the provisioning logs. Examining the logs can offer additional insights and help identify the underlying cause of the problem, facilitating further troubleshooting and resolution.

  • Go to Azure Active Directory > Enterprise Application > Cato Provisioning Application > Provisioning
  • Clicked on "Provisioning Logs" for historical view of the provisioning. 
  • Clicking into a specific provision will open up the "Provisioning log details" pane on the right. From the below, we can see that the synchronization for this object was skipped because it was not assigned to the application.


Was this article helpful?

0 out of 0 found this helpful



Please sign in to leave a comment.