Quick Summary: When SCIM syncs users from Microsoft Entra ID into SkillsDB, several Entra and Stytch limitations affect how email changes, manager assignments, and group deletions propagate. This page documents each limitation and the workaround.

Overview

Microsoft Entra ID’s SCIM implementation has documented limitations that customers using SkillsDB should understand before enabling provisioning. This page covers:
  • How email changes propagate for internal vs. external (guest) users
  • The manager provisioning race condition on the first sync and how to resolve it
  • Why manager unassignments in Entra do not propagate
  • When SkillsDB deactivates users automatically
  • How SkillsDB handles groups that are deleted in Entra
  • How SkillsDB prevents circular management hierarchies
Each section is independent. Read the ones that apply to your scenario.

Prerequisites

Before using this page, make sure you have:
  • Setup requirement: An active SCIM connection between Entra and SkillsDB (see SCIM Setup)
  • Permission level: Microsoft Entra administrator access to diagnose or reconfigure provisioning

Provisioning mapping

The SCIM Setup guide requires mapping externalId to objectId in the Entra provisioning attributes. If you enabled SCIM without completing this mapping, do it now — the correction applies to future sync events and does not require recreating existing users.

Email change behavior

Entra handles email changes differently depending on whether the user is internal or external. SkillsDB follows Entra’s behavior.

Internal users

For users created directly in Entra as user accounts, email changes propagate through SCIM. SkillsDB updates the existing user’s email to match.

External users (guests)

For users invited to Entra as guests, the invitation email cannot be changed. To change an external user’s email, Entra requires removing the guest and re-adding them with the new email. When this happens:
  1. SkillsDB receives a deprovisioning event for the old email and deactivates that user
  2. SkillsDB receives a provisioning event for the new email and creates a new user record
The two records are independent. Historical data (assessments, training, assignments) on the old record is preserved but does not carry over to the new one.

Manager provisioning order

On the first-ever SCIM sync, Entra does not guarantee that managers are provisioned before their direct reports. A direct report may be created in SkillsDB before their manager, in which case the manager cannot be assigned on that event.

How to resolve this

Restart provisioning on the Entra enterprise application after the first sync cycle completes. The restart triggers a full re-sync, which includes manager assignments now that all users exist in SkillsDB. Restart after every initial SCIM configuration, and any time you suspect manager assignments are incomplete.

Option 1: Restart manually

  1. Open the application: In the Azure portal, navigate to Enterprise applications > All applications and select your SCIM application.
  2. Go to Provisioning: Select Provisioning > Overview.
  3. Restart: Select Restart provisioning.

Option 2: Automate the restart

If you want to restart provisioning on a recurring basis, call the Microsoft Graph API.
  1. Find your enterprise app’s service principal ID
  2. List provisioning jobs to get the job ID:
    GET /servicePrincipals/{servicePrincipalId}/synchronization/jobs
    
  3. Restart the job:
    POST https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/restart
    Content-Type: application/json
    
    {
      "criteria": {
        "resetScope": "Full"
      }
    }
    
  4. Schedule the call via Azure Logic Apps, Power Automate, an Azure Automation Runbook, GitHub Actions, or an Azure DevOps pipeline.

Manager unassignment

Entra does not propagate null attributes through SCIM. If you remove a user’s manager in Entra without assigning a new one, the manager field becomes null and Entra skips it during the next sync. SkillsDB retains the previous manager assignment until a new, non-null manager is provided. Reassigning a user to a different manager works as expected — the new manager value propagates and SkillsDB updates the record. This is an Entra-side limitation, documented in Microsoft’s Entra ID SCIM documentation:
Entra ID currently can’t provision null attributes. If an attribute is null on the user object, it will be skipped.

Workaround

To remove a manager assignment in SkillsDB when the user will not have a new manager in Entra, have a SkillsDB administrator clear the manager field directly in SkillsDB. The change is local to SkillsDB and is not overwritten by future SCIM events (because Entra continues to send null for that attribute).

User deactivation

SkillsDB soft-deletes a user (sets them inactive without removing their data) when any of the following occurs in Entra:
  • The user is removed from all provisioned SCIM groups
  • The user is disabled in Entra (account enabled set to off)
  • The user is unassigned from the SCIM application
Deactivated users remain in SkillsDB for reporting and audit purposes. Their historical assessments, training records, and assignments are preserved. If the same user is later re-provisioned through SCIM, SkillsDB reactivates the existing record rather than creating a new one.

Ghost group handling

A ghost group is a SCIM group that is deleted in Entra while users are still assigned to it in SkillsDB. SkillsDB handles this automatically:
  • If a user has other active SCIM group memberships, they are removed from the deleted group and their permission level is recalculated based on their remaining groups
  • If the deleted group was the user’s only SCIM group, the user is deactivated (soft-deleted)
  • If the deleted group was a custom SCIM group, any career automations attached to it are cleaned up
The two default groups (SkillsdbGlobalAdmins and SkillsdbFullAccess) cannot be deleted through SCIM — delete events for these groups are ignored.

Circular hierarchy prevention

SCIM can transmit manager assignments that would create a circular management chain — for example, User A manages User B, and later User B is assigned as User A’s manager. SkillsDB detects these cases and skips the manager assignment to prevent a cycle. When a circular assignment is detected:
  • The user’s previous manager (if any) remains in place
  • An event is recorded in the SCIM event log indicating the skipped assignment
  • No error is returned to Entra, so the sync continues for other users
If you see unexpected manager assignments after a sync, check the SCIM Event Log for skipped-assignment events.
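
The manager rules from this page (provisioning order on the first sync, the null manager that Entra skips, and circular assignments) modelled together as an added example. This is not SkillsDB's code; the function names, outcome strings and sample users are hypothetical.

```python
# Toy model of the manager rules described on this page (not SkillsDB code;
# function names, outcome strings and users are hypothetical).

def would_create_cycle(managers, user, new_manager):
    """True if making new_manager the manager of user closes a loop."""
    seen, current = set(), new_manager
    while current is not None and current not in seen:
        if current == user:
            return True
        seen.add(current)
        current = managers.get(current)  # walk up the chain
    return False


def apply_manager_event(users, managers, log, user, payload):
    """Apply the manager attribute of one SCIM user event; return the outcome."""
    new_manager = payload.get("manager")  # Entra omits null attributes
    if new_manager is None:
        outcome = "unchanged: no manager attribute sent"
    elif new_manager not in users:
        outcome = "deferred: manager not provisioned yet"
    elif would_create_cycle(managers, user, new_manager):
        outcome = "skipped: circular hierarchy"  # previous manager stays
    else:
        managers[user] = new_manager
        outcome = "assigned"
    log.append((user, new_manager, outcome))
    return outcome


def replay(events):
    """Replay (user, payload) events in order, creating users as they arrive."""
    users, managers, log = set(), {}, []
    for user, payload in events:
        users.add(user)
        apply_manager_event(users, managers, log, user, payload)
    return managers, log


# Constructed sample: the first sync delivers bob before his manager alice.
FIRST_SYNC = [("bob", {"manager": "alice"}), ("alice", {})]
# A restart re-sends every user; two later changes follow.
AFTER_RESTART = FIRST_SYNC + [
    ("bob", {"manager": "alice"}),   # re-sync: alice now exists
    ("alice", {"manager": "bob"}),   # would close a loop, so it is skipped
    ("bob", {}),                     # manager removed in Entra: attribute omitted
]
```

Replaying `FIRST_SYNC` leaves bob without a manager; replaying `AFTER_RESTART` ends with bob still reporting to alice, because the last event carries no manager attribute to act on.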

Common Questions

If the user is an external (guest) account in Entra, email changes are not supported by Entra — the user must be removed and re-added with the new email. SkillsDB will deactivate the old record and create a new one. For internal users, email changes sync normally; if they are not appearing in SkillsDB, check the SCIM Event Log for errors.
Entra does not send null attributes through SCIM, so removing a manager without assigning a new one does not propagate. To clear the manager in SkillsDB, have an administrator update the user directly in SkillsDB, or assign a new manager in Entra.
SkillsDB ignores delete events for the two default SCIM groups. Users remain in SkillsDB with their current permission levels. Recreate the group in Entra to resume provisioning to it.
Navigate to Settings > SSO & SCIM in SkillsDB. The Last SCIM sync timestamp confirms events are arriving. Use the Active Users count on each default group row to confirm users are assigned. For a detailed event-by-event view, select Event Log.
No. SkillsDB user activation is controlled by the SCIM sync for any user who was provisioned via SCIM. To deactivate a SCIM-provisioned user, disable their account in Entra or remove them from the SCIM application.

SCIM Setup

Configure SCIM provisioning between Entra and SkillsDB.

SCIM Groups and Permissions

How default and custom SCIM groups map to SkillsDB permission levels.

SCIM Event Log

Audit trail for every SCIM event — use this to diagnose sync issues.

SCIM Overview

How SCIM fits into the broader SkillsDB identity model.

Need More Help?

If you run into issues that this page does not cover, reach out to your organization’s SkillsDB administrator or contact SkillsDB Support.