Synchronization Failure During User Provisioning Between Microsoft Entra ID and Auth0
This article explains an error that occurs when configuring User Provisioning (also known as System for Cross-domain Identity Management, or SCIM) between Microsoft Entra ID and Auth0.
A synchronization failure happens during subsequent updates or incremental syncs after the initial user provisioning succeeds. Administrators see the following error message in the Entra ID Provisioning Logs:
We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client.
- Microsoft Entra ID
- Auth0
- User Provisioning
- System for Cross-domain Identity Management (SCIM)
- Manager attribute mapping
The error occurs when the manager attribute mapping is included, leading to a compatibility mismatch in how the manager attribute is structured and returned. The SCIM standard for the enterprise user schema defines the manager as a complex object containing a reference and a value. The Entra ID SCIM client is particularly strict about the formatting of this attribute.
If the SCIM endpoint returns the manager attribute in a format that deviates from the parser's expectations, or if there is a circular reference, the parser fails to deserialize the JavaScript Object Notation (JSON) response. During incremental cycles or updates to the user object, the Entra ID SCIM client performs a GET or PATCH request. The SCIM payload returned by Auth0 fails validation against the Entra ID SCIM parser. As a result, the specific user object enters a quarantine or failed state in Entra ID, and no further updates, such as name changes, email updates, or deactivations, sync for that user.
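To see whether the resources an endpoint returns deviate in the ways described above, the following added example (not code from Auth0 or Microsoft) checks SCIM User resources against the manager shape defined in RFC 7643 section 4.3 (`value`, `$ref`, `displayName`) and reports manager chains that loop back on themselves. The exact rules of the Entra ID parser are not stated in this article, so treating the RFC shape and the loop check as the criteria is an assumption, and the sample resources are constructed.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ALLOWED = {"value", "$ref", "displayName"}  # manager sub-attributes, RFC 7643 section 4.3

def _manager(user):
    ext = user.get(ENTERPRISE)
    return ext.get("manager") if isinstance(ext, dict) else None

def check_manager(user):
    """Return a list of problems with the manager attribute of one SCIM User."""
    mgr = _manager(user)
    if mgr is None:
        return []  # no manager returned, nothing to check
    if not isinstance(mgr, dict):
        return [f"manager is {type(mgr).__name__}, expected a complex object"]
    problems = [f"sub-attribute not in RFC 7643: {k}" for k in sorted(set(mgr) - ALLOWED)]
    problems += [f"manager.{k} is not a string"
                 for k in sorted(ALLOWED & set(mgr)) if not isinstance(mgr[k], str)]
    if "id" in user and mgr.get("value") == user["id"]:
        problems.append("manager.value points at the user itself")
    return problems

def find_manager_cycles(users):
    """Return sorted ids of users whose manager chain leads back to themselves."""
    manager_of = {}
    for u in users:
        mgr = _manager(u)
        if isinstance(mgr, dict) and isinstance(mgr.get("value"), str):
            manager_of[u["id"]] = mgr["value"]
    looped = []
    for start in manager_of:
        seen, cur = set(), manager_of[start]
        while cur in manager_of and cur not in seen and cur != start:
            seen.add(cur)
            cur = manager_of[cur]
        if cur == start:
            looped.append(start)
    return sorted(looped)

# Constructed sample resources (not captured from Auth0 or Entra ID).
SAMPLE = [
    {"id": "u1", ENTERPRISE: {"manager": {"value": "u2", "$ref": "../Users/u2"}}},
    {"id": "u2", ENTERPRISE: {"manager": {"value": "u1"}}},
    {"id": "u3", ENTERPRISE: {"manager": "u1"}},  # bare string, not an object
    {"id": "u4", ENTERPRISE: {"manager": {"value": 7, "managerId": "u1"}}},
    {"id": "u5"},  # no enterprise extension at all
]

if __name__ == "__main__":
    for user in SAMPLE:
        print(user["id"], check_manager(user) or "ok")
    print("manager cycles:", find_manager_cycles(SAMPLE))
```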
To restore stable provisioning, remove the manager attribute mapping from the Entra ID configuration.
- Navigate to the Enterprise Application used for Auth0 provisioning in Microsoft Entra ID.
- Choose Provisioning > Edit Provisioning > Mappings.
- Select Provision Azure Active Directory Users.
- Locate the mapping for the following attribute:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager
- Delete the mapping and select Save.
- Select Restart Provisioning to clear the current state, flush the errors, and allow users to sync successfully without the manager attribute.