User email change (Managed by Microsoft AD SCIM)

Hi Team,

We are facing an issue that a user who had

• I have SonarQube integrated with Microsoft Entra ID (Azure AD) using SCIM provisioning. I’m experiencing an issue where a user cannot access SonarQube after their email address (UserPrincipalName) was changed in Azure AD.

  Environment:

  • SonarQube version: [v2025.6]

  • Authentication: SAML + SCIM with Azure AD

  • SCIM attribute mappings:

    • SAML user login attribute* http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    • SAML user name attribute* http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  Problem:

  1. User had access to SonarQube with email: olduser@domain.com

  2. UserPrincipalName was changed in Azure AD to: newuser@domain.com

  3. User was removed from the Azure AD access package and re-added

  4. When reprovisioned, Azure AD sends the old email address (olduser@domain.com) instead of the new one

  5. The user cannot authenticate with their new email

  What I’ve tried:

  • Removing and re-adding the user to the access package in Azure AD

  • Forcing provisioning sync in Azure AD

  • Attempting to deactivate the user in SonarQube UI (no deactivate option appears for SCIM-managed users)

  • Verifying the attribute mappings are correct

Any suggestions on how to solve the problem?

@denis.troller @ganncamp @Colin

Hi,

Per the FAQ do not @ people not already involved in your thread. It does not push you up their priority list. Just the opposite, in fact.

Regarding your question, it seems that the problem lies in what Azure is sending

Since Azure is sending a bad email, SonarQube gets a login request from a user it doesn’t recognize and rightly rejects it. You should probably talk to your Azure admins.

 
HTH,
Ann