Why doesn’t automatic user provisioning from Entra ID add new users to production groups?
Usually, the reason lies in Entra ID provisioning settings (group scoping and attribute mappings).
Before contacting support, ask your Entra/Azure AD administrator to check at least the following:
Verify that the correct users and groups are being provisioned
- Make sure Enterprise Application–level user assignments are correct: production users/production groups must be assigned to the Granite application in Entra ID, and provisioning must not be limited to test users only.
- Remove accounts from provisioning groups that should not be provisioned (otherwise Entra will try to provision unwanted accounts as well, and the logs will fill with errors).
Check the email address and other required user attributes
- The Granite SCIM interface requires the attribute "emails". If it is missing, provisioning fails and errors appear in the Entra ID provisioning logs, for example:
"Required property missing: emails" or ErrorCode: SystemForCrossDomainIdentityManagementServiceIncompatible
- In the Entra portal, check the SCIM attribute mappings and ensure:
  - that "emails" is included in the SCIM mapping
  - that it is populated from Entra ID user objects (not empty for any provisioned user)
  - that all other required attributes are included and have values for users
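The attribute check above can be run offline against exported SCIM User payloads before provisioning retries. This is an added example, not Granite's or Microsoft's code: it assumes the standard SCIM core User shape (RFC 7643), treats an absent, empty or blank "emails" as missing, and uses constructed sample users; Granite's full list of required attributes is not given here, so `REQUIRED` is an assumption to extend.

```python
# Added example: pre-flight check of SCIM User payloads for required attributes.
# Assumption: "userName" (required by the SCIM core schema) and "emails" (required
# by the Granite SCIM interface); add Granite's other required attributes here.
REQUIRED = ("userName", "emails")


def _has_value(attr):
    """True if a SCIM attribute carries at least one non-blank value."""
    if isinstance(attr, str):
        return bool(attr.strip())
    if isinstance(attr, list):
        # Multi-valued attributes, e.g. emails: [{"value": ..., "type": "work"}]
        return any(_has_value(item) for item in attr)
    if isinstance(attr, dict):
        return _has_value(attr.get("value"))
    return attr is not None


def missing_required(user, required=REQUIRED):
    """Names of required attributes that are absent or empty on one user."""
    return [name for name in required if not _has_value(user.get(name))]


def audit(users, required=REQUIRED):
    """Map user identifier -> missing attributes, only for users that would fail."""
    report = {}
    for index, user in enumerate(users):
        missing = missing_required(user, required)
        if missing:
            key = user.get("userName") or user.get("externalId") or f"#{index}"
            report[key] = missing
    return report


# Constructed sample payloads (not real accounts).
SAMPLE_USERS = [
    {"userName": "anna@example.com", "externalId": "a1",
     "emails": [{"value": "anna@example.com", "type": "work", "primary": True}]},
    {"userName": "ben@example.com", "externalId": "b2"},  # attribute omitted
    {"userName": "cara@example.com", "externalId": "c3", "emails": []},
    {"userName": "dan@example.com", "externalId": "d4",
     "emails": [{"value": "  ", "type": "work"}]},  # blank value
]

if __name__ == "__main__":
    for who, missing in audit(SAMPLE_USERS).items():
        print(f"{who}: missing {', '.join(missing)}")
```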
Check provisioning logs in the Entra portal
- Open the Entra ID provisioning logs for the Granite application and look for:
  - entries with "Required property missing: emails" or other SCIM errors (e.g., HTTP 400 BadRequest)
  - possible error codes such as SystemForCrossDomainIdentityManagementServiceIncompatible
- If errors are present, first fix the attribute mappings and group memberships, then let provisioning retry.
If:
- production users are definitely assigned to the Granite application in Entra ID
- "emails" and other required attributes are included in SCIM mapping and have values for all provisioned users
- there are no longer clear Entra/SCIM mapping errors in the provisioning logs
but new users still do not appear in Granite production groups, contact Granite support and include:
- screenshots of Entra ID provisioning settings and attribute mappings
- sample rows from provisioning logs (for a successful and/or failed user)
Note: We do not have access to the customer’s Entra/Azure AD tenant, so the checks and any necessary corrections mentioned above must be performed by the organization’s Entra ID administrator.
Updated on: 16/06/2026
