Blocked Users in Azure AD are Not Blocked in Auth0 when Using SCIM
When utilizing SCIM with an enterprise connection where Azure AD is the Identity Provider, an inactive user in Azure AD should get blocked in Auth0, but the "blocked" field remains false in Auth0 even when the "active" field is false in Azure AD.
- Azure AD Enterprise Connection
- SCIM
This is caused by the "active" field being sent to Auth0 as a string rather than a boolean.
This is a known issue in Azure AD, documented in the following Microsoft article:
To resolve this issue, add a query parameter to the Tenant URL (in Azure AD), as documented in step six of Configure SCIM in Azure AD for OIDC Apps. The query parameter is: aadOptscim062020.
https://{{tenant}}/scim/v2/connections/{{connection_id}}?aadOptscim062020
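As an added illustration of the cause described above (example code, not Auth0's or Microsoft's), the following Python models a SCIM PatchOp deactivation arriving in two forms: one with `active` as the string "False", the behaviour this article attributes to Azure AD without the aadOptscim062020 parameter, and one with `active` as a JSON boolean. A naive handler that relies on language truthiness never blocks the user in the first case, because the string "False" is truthy; the tolerant parser beside it handles both spellings and rejects anything else. The payloads are constructed samples, and the function names are assumptions for this example only.

```python
"""
Added example (not Auth0's or Microsoft's code): why a SCIM endpoint that
assumes `active` is a JSON boolean never blocks a user when the client sends
the string "False", and how a tolerant parser avoids that.
Payloads are constructed samples modelled on SCIM 2.0 PatchOp requests.
"""
import json

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: deactivation with `active` sent as a string (the
# legacy client behaviour this article describes).
LEGACY_DEACTIVATE = json.dumps({
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
})

# Constructed sample: the same deactivation with `active` as a JSON boolean.
BOOLEAN_DEACTIVATE = json.dumps({
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [{"op": "Replace", "path": "active", "value": False}],
})


def _active_value(patch_json: str):
    """Return the value of the last Add/Replace touching `active`, or None."""
    payload = json.loads(patch_json)
    if PATCH_OP_SCHEMA not in payload.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    value = None
    for op in payload.get("Operations", []):
        if op.get("op", "").lower() not in ("add", "replace"):
            continue
        path = op.get("path")
        if path and path.lower() == "active":
            value = op.get("value")
        elif not path and isinstance(op.get("value"), dict) and "active" in op["value"]:
            # Path-less form: {"op": "Replace", "value": {"active": ...}}
            value = op["value"]["active"]
    return value


def naive_blocked(patch_json: str):
    """Buggy handler: derives the blocked state from Python truthiness.
    The string "False" is truthy, so the user is never blocked."""
    value = _active_value(patch_json)
    return None if value is None else not bool(value)


def parse_active(value) -> bool:
    """Hardened parser: accept JSON booleans and the string spellings some
    SCIM clients send; reject anything else instead of guessing."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        normalized = value.strip().lower()
        if normalized in ("true", "false"):
            return normalized == "true"
    raise ValueError(f"unrecognised value for active: {value!r}")


def hardened_blocked(patch_json: str):
    """Blocked state the request should produce, or None if `active` is untouched."""
    value = _active_value(patch_json)
    return None if value is None else not parse_active(value)


if __name__ == "__main__":
    for name, payload in (("legacy", LEGACY_DEACTIVATE), ("boolean", BOOLEAN_DEACTIVATE)):
        print(f"{name}: naive blocked={naive_blocked(payload)} "
              f"hardened blocked={hardened_blocked(payload)}")
```

The hardened parser is the defensive side of the same fix: even after the query parameter makes the client send a real boolean, an endpoint that validates the attribute explicitly will surface a malformed value as an error rather than silently leaving the account active.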
NOTE: Updating the Tenant URL field in Entra ID (even to add a query parameter, for example, ?aadOptscim062020) can result in a 401 error, which could be caused by the Secret Token being restricted to the old URL. Entra ID intentionally invalidates or ignores the previously saved Secret Token in the background for security reasons.