SCIM provisioning with Entra ID failing to sync groups – "Insufficient scope (need get:groups)"

ALM used

Azure DevOps

CI system used

Azure DevOps Pipelines

Languages of the repository

Java, TypeScript and .NET

Description

We configured Enterprise SSO (SAML) and SCIM provisioning between Microsoft Entra ID and SonarCloud.

SSO authentication works correctly and users can log in via the enterprise SSO link.

SCIM provisioning connection tests also succeed on both sides.

However, group synchronization fails during provisioning cycles.

Users are provisioned successfully, but groups fail to sync.

Example groups:

grp_all@xxxxxx.com
grp_corporate_sre_base@xxxxxx.com

These groups already exist in SonarCloud.

Example:

grp_all@xxxxxx.com
Expected members: 269
Current members: 21

Error observed

Provisioning logs from Entra ID:

EntrySynchronizationError

Failed to match an entry in the source and target systems
Group 'grp_all@xxxxxx.com'

Resource:
https://auth.sonarcloud.io/scim/v2/connections/<connection-id>/Groups?filter=displayName+eq+"grp_all%40xxxxxx.com"

Response Status Code: 403

Response Content:
{
 "got":["get:users","post:users","put:users","patch:users","delete:users"],
 "need":[{"selection":["get:groups"]}],
 "detail":"Insufficient scope",
 "status":"403"
}

Provisioning job details:

Provisioning interval: 40 minutes
Users in scope: ~290
Current cycle status: Initial sync paused

Steps to reproduce

  1. Configure SAML SSO between Entra ID and SonarCloud.

  2. Configure SCIM provisioning using the bearer token generated in SonarCloud.

  3. Enable automatic provisioning in Entra ID.

  4. Assign users and groups to the Enterprise Application.

  5. Wait for the provisioning cycle.

Result:

  • Users provision successfully.

  • Groups fail with Insufficient scope.

Potential workaround attempted

We regenerated the SCIM bearer token in:

SonarCloud
Enterprise
SSO & Provisioning
Configure Provisioning

Then updated the token in Entra ID provisioning settings.

The error persists.

Additional question

During the first SSO login, SonarCloud requires email verification with a code.

In our Entra ID tenant, some users are contractors who authenticate in our tenant but do not have a mailbox. Because of this they cannot receive the verification code.

Is it possible to disable the first login email verification for Enterprise SSO users?


If anyone has faced a similar SCIM groups provisioning issue with SonarCloud + Entra ID, any guidance would be appreciated.

Hello @andressantos10,
Thank you for reaching out, we’re glad to see that you are using SCIM!
SCIM functionality is currently in Beta and only supports deprovisioning. We will be opening the Alpha access to the full provisioning soon. If you’d like to try it out early, feel free to reach out and provide your enterprise ID, and I’ll be happy to provide access for you.

I sent a direct message to include my org in the Alpha test. And a new issue when recreating the SSO config: “conflict occurred while creating the connection. Please request a new ticket..”

Now I get this error message after SSO login

Resolved. The email attribute was incorrectly written as user.email. The correct attribute is user.mail.


@andressantos10,

Thanks for confirming. One way to catch this early is when you test the connection on the self-service page. You must see the email attribute in the response. If not, this would mean something is wrong with your attribute mapping.

Also, as @nour.zerhouni said, please let us know if you would like early access to the full provisioning flow.

Cheers,
Sarath
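The two problems in this thread (a 403 "Insufficient scope" on /Groups, and a user whose email never reaches the service provider because the mapping pointed at user.email instead of user.mail) can both be spotted from the SCIM responses before a full provisioning cycle runs. The script below is an added example for this thread, not SonarCloud's or Microsoft's code. The error-body shape ({"got": [...], "need": [{"selection": [...]}]}) and the /Users and /Groups layout under a connection base URL are taken from the posts above; the base URL, token, and the sample user resources are constructed placeholders.

```python
"""Offline-testable diagnostics for a SCIM 2.0 provisioning connection.

Added example for this thread (not SonarCloud's or Entra ID's own code).
Assumptions: the SCIM root is <base_url>/Users and <base_url>/Groups, and an
authorization failure returns the JSON shape quoted in the post above.
"""
import json
import urllib.error
import urllib.request

# Constructed 403 body, copied in shape from the Entra ID provisioning log.
SAMPLE_SCOPE_ERROR = json.loads("""
{
 "got":["get:users","post:users","put:users","patch:users","delete:users"],
 "need":[{"selection":["get:groups"]}],
 "detail":"Insufficient scope",
 "status":"403"
}
""")

# Constructed SCIM User resources as a provisioning client would see them.
SAMPLE_USER_OK = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "emails": [{"value": "alice@example.com", "primary": True}],
}
SAMPLE_USER_NO_MAIL = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "bob@example.com",
    # 'emails' absent: what you get when the mapping reads a source attribute
    # (user.email) that does not exist in Entra ID, so nothing is sent.
}


def missing_scopes(error_body: dict) -> list:
    """Return the scopes the token lacks, given an 'Insufficient scope' body.

    'need' is a list of alternatives; each alternative is a 'selection' of
    scopes that together would satisfy the request. Every scope from those
    selections that is not already in 'got' is reported.
    """
    got = set(error_body.get("got", []))
    missing = []
    for alternative in error_body.get("need", []):
        for scope in alternative.get("selection", []):
            if scope not in got and scope not in missing:
                missing.append(scope)
    return missing


def email_problems(user: dict) -> list:
    """Return human-readable problems with a SCIM User's email attribute."""
    problems = []
    emails = user.get("emails")
    if not emails:
        problems.append(
            "no 'emails' attribute: check the source attribute mapping "
            "(user.mail, not user.email)"
        )
        return problems
    values = [e.get("value", "") for e in emails if isinstance(e, dict)]
    if not any("@" in v for v in values):
        problems.append("'emails' present but no address-like value: %r" % values)
    return problems


def probe(base_url: str, token: str) -> dict:
    """Call /Users and /Groups once with the bearer token and summarise.

    base_url is the SCIM connection root (placeholder, e.g.
    https://auth.sonarcloud.io/scim/v2/connections/<connection-id>).
    This makes network calls and is not exercised offline.
    """
    report = {}
    for resource in ("Users", "Groups"):
        req = urllib.request.Request(
            "%s/%s?startIndex=1&count=1" % (base_url.rstrip("/"), resource),
            headers={"Authorization": "Bearer " + token,
                     "Accept": "application/scim+json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                body = json.loads(resp.read() or b"{}")
                summary = {"status": resp.status}
                if resource == "Users":
                    first = body.get("Resources", [])[:1]
                    summary["email_problems"] = (
                        email_problems(first[0]) if first else ["no users returned"]
                    )
                report[resource] = summary
        except urllib.error.HTTPError as err:
            body = json.loads(err.read() or b"{}")
            report[resource] = {"status": err.code,
                                "missing_scopes": missing_scopes(body)}
    return report


if __name__ == "__main__":
    print("missing scopes:", missing_scopes(SAMPLE_SCOPE_ERROR))
    print("alice:", email_problems(SAMPLE_USER_OK))
    print("bob:", email_problems(SAMPLE_USER_NO_MAIL))
```

Run the file as-is to see the offline checks against the constructed samples; call probe() with your real connection URL and token to get the same two checks from the live endpoints. A Groups entry with a non-empty missing_scopes list is the token-scope problem from the original post; a Users entry with email_problems is the attribute-mapping problem from the resolution.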