Problem
When using Azure Active Directory (AAD) as an identity provider, if you try to reactivate a user via the default account and workspace-level API, you receive an empty response or a stack trace, and the user remains inactive. For example:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"class java.lang.String cannot be cast to class java.lang.Boolean (java.lang.String and java.lang.Boolean are in module java.base of loader 'bootstrap')","status":"500"}
Cause
With the AAD account SCIM connector, if a user is removed at the account level, that user's status is updated to inactive in all workspaces.
Solution
To reactivate a user using a default account API call, activate them first at the account level, then the workspace level.
Account-level activation
curl --request PATCH \
  'https://accounts.cloud.databricks.com/api/2.0/accounts/<accountId>/scim/v2/Users/<userId>' \
  --header 'Accept: application/scim+json' \
  --header 'Authorization: Bearer <account SCIM Token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
    "Operations": [ {
      "op": "replace",
      "path": "active",
      "value": [ { "value": "true" } ]
    } ]
  }'
Workspace-level SCIM activation
curl --request PATCH \
  "https://<workspace URL>/api/2.0/account/scim/v2/Users/<UserId>" \
  --header 'Accept: application/scim+json' \
  --header 'Authorization: Bearer <account+workspace admin PAT>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
    "Operations": [ {
      "op": "replace",
      "path": "active",
      "value": [ { "value": "true" } ]
    } ]
  }'