scimgateway 6.2.2 → 6.2.4

package/CHANGELOG.md

@@ -0,0 +1,130 @@
+# Change Log
+
+### v6.2.4
+- **[Improved]** `plugin-entra-id` now support reset users MFA capabilites and user will be forced to re-register MFA.
+
+### v6.2.3
+- **[Improved]** `plugin-entra-id` now includes information on whether a user has registered for MFA (has an MFA-capable method registered).
+
+### v6.2.2
+- **[Improved]** `plugin-entra-id` now supports Entra ID IGA Access Packages. For required API permissions, see Entra ID App Registration
+
+### v6.2.1
+- `HelperRest`: fixed minor log cosmetics introduced in v6.2.0
+
+### v6.2.0
+- **[Fixed]** `HelperRest`: failed on Bun v1.3.14 due to stricter Fetch standards compliance
+- **[Improved]** New `plugin-generic` replaces `plugin-scim`. Uses `endpointMapper` with the new `valueMap` option for group allowlisting and name mapping. Default config uses one-to-one SCIM mapping with plugin-loki as the target endpoint.
+- **[Improved]** `endpointMapper` now supports `valueMap`:
+
+  ```json
+  "map": {
+    "group": {
+      "displayName": {
+        "mapTo": "displayName",
+        "type": "string",
+        "valueMap": {
+          "outboundEndpointGrp1": "inboundScimGrp1",
+          "Employees": "Admins"
+        }
+      }
+    }
+  }
+  ```
+
+  Clients only see and manage the SCIM-named groups (`inboundScimGrp1`, `Admins`), mapped to their endpoint counterparts (`outboundEndpointGrp1`, `Employees`). Useful for allowlisting specific groups or supporting different inbound/outbound names.
+
+### v6.1.20
+- `plugin-entra-id`: roles introduced in v6.1.19 were missing when retrieving a single user
+
+### v6.1.19
+- **[Fixed]** SCIM v2.0 ResourceType endpoint schemas using incorrect id
+- **[Improved]** `GET /Roles` and `GET /Entitlements` endpoint support, with user management via SCIM `roles` and `entitlements` attributes
+- **[Improved]** `plugin-entra-id`: `entitlements` for Entra ID licenses (read-only); `roles` for Permanent and Eligible PIM roles (full management)
+  - PIM Eligible roles: requires `RoleEligibilitySchedule.ReadWrite.All`
+  - PIM Permanent roles: requires `RoleManagement.ReadWrite.Directory`
+  - Remove `map.user.roles` if above conditions are not met
+  - `skipSignInActivity` option (v6.1.17) no longer used; `signInActivity` and PIM role permissions are validated at startup
+
+### v6.1.18
+- `createUser` and `modifyUser` now return the full user object, ensuring returned data reflects what was modified even when the endpoint hasn't internally synced yet
+
+### v6.1.17
+- `plugin-entra-id`: fixed broken `filter=userName eq "user_upn"` introduced in v6.1.11 when using updated config with `map.user.signInActivity`
+- `plugin-entra-id`: new option `endpoint.entity.[baseEntity].skipSignInActivity = true` to exclude `signInActivity` (requires Entra ID Premium + `AuditLog.Read.All`)
+
+### v6.1.16
+- `plugin-entra-id`: `GET /Entitlements` now uses `derivedIncludes` with full recursive expansion
+
+### v6.1.15
+- `plugin-entra-id`: fixed `filter=entitlements pr`
+
+### v6.1.14
+- Support for filter `attribute not pr`
+- Dependencies bump
+
+### v6.1.13
+- `plugin-entra-id`: `signInActivity` attributes are now filterable
+
+### v6.1.12
+- Filter operator `pr` (presence) now forwarded to plugins (previously rejected)
+- `plugin-entra-id`: handles `pr` filter on entitlements
+
+### v6.1.11
+- **[Fixed]** Incorrect schema generation when using `endpointMapper` (regression from v6.1.6)
+- **[Improved]** New `GET /Entitlements` endpoint and `scimgateway.getEntitlements()` method
+- `plugin-entra-id`: user license information via `entitlements`; remove `map.user.signInActivity` if Entra ID Premium is unavailable
+
+### v6.1.10
+- `plugin-entra-id`: group membership now includes nested (transitive) groups (`direct` and `indirect`)
+- Fixed missing Docker files: `config/docker/.dockerignore` and `docker-compose-mssql.yml`
+
+### v6.1.9
+- `createUser`/`createGroup` responses now correctly include the generated ID
+
+### v6.1.8 / v6.1.7
+- Fixed incorrect masking of secrets in request info log messages
+- `plugin-entra-id`: fixed edge case where `createUser` with a manager could fail
+
+### v6.1.6
+- Fixed `plugin-loki` and `plugin-mongodb` returning empty results when using extension schema attributes in search
+- Auth failure due to `readOnly` now returns HTTP 405 instead of 401
+- `postinstall` ensures `"type": "module"` is set in `package.json`
+- `endpointMapper` now generates a custom schema; supports `"x-agent-schema"` for AI MCP tool instructions
+
+### v6.1.5
+- Complex filtering (`and`/`or`) handled by the gateway using the plugin's simple filter logic
+- `modifyGroup` now returns HTTP 204 instead of 200
+- New `/auth` endpoint for validating external authentication
+- `plugin-entra-id`: supports `sw` (startsWith) filter
+
+### v6.1.4
+- Fixed OData paging in `plugin-entra-id` and `helper-rest` — missing users/groups/members in large directories
+- Fixed incomplete group membership when paging not fully iterated
+
+### v6.1.3
+- Azure Relay: improved recovery on failure
+- `plugin-ldap`: improvements for Active Directory and `objectGUID`/`mS-DS-ConsistencyGuid`
+- `modifyGroup`: adding an existing member or removing a non-existent member now returns 200 OK instead of an error
+
+### v6.1.2
+- Fixed SMTP mail failure caused by an updated dependency
+- Fixed `endpointMapper` when `mapTo` contained multiple comma-separated attributes including a multivalued one
+
+### v6.1.1
+- `plugin-ldap`: fixed race condition where `createUser` immediately followed by `readUser` could fail on some systems (e.g. Samba AD)
+- Final info log message now includes full JSON serialization (durationMs, status, requestBody, responseBody, …)
+
+### v6.1.0
+- `tsx` included — SCIM Gateway now runs as ES module (TypeScript) in Node.js: `node --import=tsx ./index.ts`
+- Simplified mandatory plugin initialization using static `import`
+- `index.ts` updated to use static imports
+- Bun binary builds now supported (see Single Binary Deployment)
+
+### v6.0.0 — Major
+- API method response bodies returned as-is (previously wrapped in `{ result: <content> }`) — **clients parsing responses must be updated**
+- New `scimgateway.publicApi()` for unauthenticated `/pub/api` routes
+- `bearerJwtAzure.tenantIdGUID` replaced by `bearerJwt.azureTenantId` — **existing configurations must be updated**
+
+### v5.x — Previous Major Series
+For v5.x change history (Bun/TypeScript migration, Azure Relay, Bulk Operations, SCIM Stream, HelperRest, Docker, email OAuth, and more), see the GitHub commit history.

package/README.md

@@ -76,37 +76,12 @@ SCIM Gateway is a user provisioning bridge built with [Bun](https://bun.sh/) and
     - [Custom Schemas](#custom-schemas)
   - [License](#license)
   - [Change Log](#change-log)
-    - [v6.2.2](#v622)
-    - [v6.2.1](#v621)
-    - [v6.2.0](#v620)
-    - [v6.1.20](#v6120)
-    - [v6.1.19](#v6119)
-    - [v6.1.18](#v6118)
-    - [v6.1.17](#v6117)
-    - [v6.1.16](#v6116)
-    - [v6.1.15](#v6115)
-    - [v6.1.14](#v6114)
-    - [v6.1.13](#v6113)
-    - [v6.1.12](#v6112)
-    - [v6.1.11](#v6111)
-    - [v6.1.10](#v6110)
-    - [v6.1.9](#v619)
-    - [v6.1.8 / v6.1.7](#v618--v617)
-    - [v6.1.6](#v616)
-    - [v6.1.5](#v615)
-    - [v6.1.4](#v614)
-    - [v6.1.3](#v613)
-    - [v6.1.2](#v612)
-    - [v6.1.1](#v611)
-    - [v6.1.0](#v610)
-    - [v6.0.0 — Major](#v600--major)
-    - [v5.x — Previous Major Series](#v5x--previous-major-series)
 
 ---
 
 ## What's New
 
-- **`plugin-entra-id`** now supports Entra ID roles and access packages, in addition to reading licenses.
+- **`plugin-entra-id`** now supports Entra ID roles, access packages and MFA, in addition to reading licenses.
 - **`plugin-generic`** replaces `plugin-scim` — a flexible template using `endpointMapper` with the new `valueMap` option for allowlisting and name mapping e.g., groups
 - **`GET /Roles` and `GET /Entitlements`** endpoint support, with user management via SCIM `roles` and `entitlements` attributes; `plugin-entra-id` uses `entitlements` for Entra ID licenses (read-only) and `roles` for Permanent and Eligible PIM roles (full management)
 - **AI Agent ready** — `x-agent-schema` configuration in `endpointMapper` enables custom schema generation with MCP tool instructions for autonomous provisioning agents
@@ -1077,8 +1052,9 @@ The `baseEntity` parameter enables multi-tenant setups — create multiple endpo
 4. **API permissions → Add → Microsoft Graph → Application permissions:**
    - `Directory.ReadWriteAll`
    - `Organization.ReadWrite.All`
-   - Additional for signInActivity, roles, licenses and access packages:
-     - `AuditLog.Read.All` *(only if using `map.user.signInActivity`; requires Entra ID Premium)*
+   - Additional for signInActivity, MFA, roles, and access packages:
+     - `AuditLog.Read.All` *(sign-in activity; only if using `map.user.signInActivity`; requires Entra ID Premium)*
+     - `UserAuthenticationMethod.ReadWrite.All` *(MFA information and reset; only if using `map.user.mfa`)*
      - `RoleEligibilitySchedule.ReadWrite.Directory` *(PIM Eligible roles; only if using `map.user.roles`)*
      - `RoleManagement.ReadWrite.Directory` *(PIM Permanent roles; only if using `map.user.roles`)*
      - `EntitlementManagement.ReadWrite.All` *(IGA Access Packages; only if using `map.user.entitlements`)*
@@ -1087,7 +1063,7 @@ The `baseEntity` parameter enables multi-tenant setups — create multiple endpo
 
 > For full access to admin users, assign the `Global Administrator` role. The `User Administrator` role has limitations on users with admin roles.
 
-> `signInActivity, roles, licenses and access packages` requires permissions above. Note, `ReadWrite` can be replaced with `Read` if management is not required. **Remove any mapping configuration whose conditions are not met** — Minimum read permissions are validated at startup.
+> Note, if MFA, PIM, and Access Package `management` is not required, `ReadWrite` can be replaced with `Read`. **Remove any mapping configuration whose conditions are not met** — The minimum `Read` permissions are validated at startup.
 
 ### Plugin Configuration
 
@@ -1279,126 +1255,4 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 ---
 
 ## Change Log
-
-### v6.2.2
-- **[Improved]** `plugin-entra-id` now supports Entra ID IGA Access Packages. For required API permissions, see [Entra ID App Registration](#entra-id-app-registration)
-
-### v6.2.1
-- `HelperRest`: fixed minor log cosmetics introduced in v6.2.0
-
-### v6.2.0
-- **[Fixed]** `HelperRest`: failed on Bun v1.3.14 due to stricter Fetch standards compliance
-- **[Improved]** New `plugin-generic` replaces `plugin-scim`. Uses `endpointMapper` with the new `valueMap` option for group allowlisting and name mapping. Default config uses one-to-one SCIM mapping with plugin-loki as the target endpoint.
-- **[Improved]** `endpointMapper` now supports `valueMap`:
-
-  ```json
-  "map": {
-    "group": {
-      "displayName": {
-        "mapTo": "displayName",
-        "type": "string",
-        "valueMap": {
-          "outboundEndpointGrp1": "inboundScimGrp1",
-          "Employees": "Admins"
-        }
-      }
-    }
-  }
-  ```
-
-  Clients only see and manage the SCIM-named groups (`inboundScimGrp1`, `Admins`), mapped to their endpoint counterparts (`outboundEndpointGrp1`, `Employees`). Useful for allowlisting specific groups or supporting different inbound/outbound names.
-
-### v6.1.20
-- `plugin-entra-id`: roles introduced in v6.1.19 were missing when retrieving a single user
-
-### v6.1.19
-- **[Fixed]** SCIM v2.0 ResourceType endpoint schemas using incorrect id
-- **[Improved]** `GET /Roles` and `GET /Entitlements` endpoint support, with user management via SCIM `roles` and `entitlements` attributes
-- **[Improved]** `plugin-entra-id`: `entitlements` for Entra ID licenses (read-only); `roles` for Permanent and Eligible PIM roles (full management)
-  - PIM Eligible roles: requires `RoleEligibilitySchedule.ReadWrite.All`
-  - PIM Permanent roles: requires `RoleManagement.ReadWrite.Directory`
-  - Remove `map.user.roles` if above conditions are not met
-  - `skipSignInActivity` option (v6.1.17) no longer used; `signInActivity` and PIM role permissions are validated at startup
-
-### v6.1.18
-- `createUser` and `modifyUser` now return the full user object, ensuring returned data reflects what was modified even when the endpoint hasn't internally synced yet
-
-### v6.1.17
-- `plugin-entra-id`: fixed broken `filter=userName eq "user_upn"` introduced in v6.1.11 when using updated config with `map.user.signInActivity`
-- `plugin-entra-id`: new option `endpoint.entity.[baseEntity].skipSignInActivity = true` to exclude `signInActivity` (requires Entra ID Premium + `AuditLog.Read.All`)
-
-### v6.1.16
-- `plugin-entra-id`: `GET /Entitlements` now uses `derivedIncludes` with full recursive expansion
-
-### v6.1.15
-- `plugin-entra-id`: fixed `filter=entitlements pr`
-
-### v6.1.14
-- Support for filter `attribute not pr`
-- Dependencies bump
-
-### v6.1.13
-- `plugin-entra-id`: `signInActivity` attributes are now filterable
-
-### v6.1.12
-- Filter operator `pr` (presence) now forwarded to plugins (previously rejected)
-- `plugin-entra-id`: handles `pr` filter on entitlements
-
-### v6.1.11
-- **[Fixed]** Incorrect schema generation when using `endpointMapper` (regression from v6.1.6)
-- **[Improved]** New `GET /Entitlements` endpoint and `scimgateway.getEntitlements()` method
-- `plugin-entra-id`: user license information via `entitlements`; remove `map.user.signInActivity` if Entra ID Premium is unavailable
-
-### v6.1.10
-- `plugin-entra-id`: group membership now includes nested (transitive) groups (`direct` and `indirect`)
-- Fixed missing Docker files: `config/docker/.dockerignore` and `docker-compose-mssql.yml`
-
-### v6.1.9
-- `createUser`/`createGroup` responses now correctly include the generated ID
-
-### v6.1.8 / v6.1.7
-- Fixed incorrect masking of secrets in request info log messages
-- `plugin-entra-id`: fixed edge case where `createUser` with a manager could fail
-
-### v6.1.6
-- Fixed `plugin-loki` and `plugin-mongodb` returning empty results when using extension schema attributes in search
-- Auth failure due to `readOnly` now returns HTTP 405 instead of 401
-- `postinstall` ensures `"type": "module"` is set in `package.json`
-- `endpointMapper` now generates a custom schema; supports `"x-agent-schema"` for AI MCP tool instructions
-
-### v6.1.5
-- Complex filtering (`and`/`or`) handled by the gateway using the plugin's simple filter logic
-- `modifyGroup` now returns HTTP 204 instead of 200
-- New `/auth` endpoint for validating external authentication
-- `plugin-entra-id`: supports `sw` (startsWith) filter
-
-### v6.1.4
-- Fixed OData paging in `plugin-entra-id` and `helper-rest` — missing users/groups/members in large directories
-- Fixed incomplete group membership when paging not fully iterated
-
-### v6.1.3
-- Azure Relay: improved recovery on failure
-- `plugin-ldap`: improvements for Active Directory and `objectGUID`/`mS-DS-ConsistencyGuid`
-- `modifyGroup`: adding an existing member or removing a non-existent member now returns 200 OK instead of an error
-
-### v6.1.2
-- Fixed SMTP mail failure caused by an updated dependency
-- Fixed `endpointMapper` when `mapTo` contained multiple comma-separated attributes including a multivalued one
-
-### v6.1.1
-- `plugin-ldap`: fixed race condition where `createUser` immediately followed by `readUser` could fail on some systems (e.g. Samba AD)
-- Final info log message now includes full JSON serialization (durationMs, status, requestBody, responseBody, …)
-
-### v6.1.0
-- `tsx` included — SCIM Gateway now runs as ES module (TypeScript) in Node.js: `node --import=tsx ./index.ts`
-- Simplified mandatory plugin initialization using static `import`
-- `index.ts` updated to use static imports
-- Bun binary builds now supported (see [Single Binary Deployment](#single-binary-deployment))
-
-### v6.0.0 — Major
-- API method response bodies returned as-is (previously wrapped in `{ result: <content> }`) — **clients parsing responses must be updated**
-- New `scimgateway.publicApi()` for unauthenticated `/pub/api` routes
-- `bearerJwtAzure.tenantIdGUID` replaced by `bearerJwt.azureTenantId` — **existing configurations must be updated**
-
-### v5.x — Previous Major Series
-For v5.x change history (Bun/TypeScript migration, Azure Relay, Bulk Operations, SCIM Stream, HelperRest, Docker, email OAuth, and more), see the [GitHub commit history](https://github.com/jelhub/scimgateway/commits/master/).
+For a detailed history of changes, please see the [Change Log](https://github.com/jelhub/scimgateway/blob/master/CHANGELOG.md).

package/config/plugin-entra-id.json

@@ -171,6 +171,7 @@
           "comment": "This mapping requires Entra ID Premium license and API permissions: 'AuditLog.Read.All'. Remove this mapping if conditions not met",
           "mapTo": "signInActivity",
           "type": "complexObject",
+          "mutability": "readOnly",
           "subAttributes": [
             {
               "name": "lastSignInDateTime",
@@ -189,7 +190,36 @@
             }
           ],
           "x-agent-schema": {
-            "description": "Read-only attribute-object representing Entra ID signInActivity like: lastSignInDateTime, lastSuccessfulSignInDateTime and lastNonInteractiveSignInDateTime. Note: Only availabe for users having P1/P2 licenses. If signInActivity is missing, agent should not consider this to be no sign-in activity for the user.",
+            "description": "Read-only attribute object representing Entra ID signInActivity like: lastSignInDateTime, lastSuccessfulSignInDateTime and lastNonInteractiveSignInDateTime. Note: Only availabe for users having P1/P2 licenses. If signInActivity is missing, agent should not consider this to be no sign-in activity for the user.",
+            "readOnly": true
+          }
+        },
+        "mfa": {
+          "mapTo": "mfa",
+          "type": "complexObject",
+          "mutability": "readOnly",
+          "subAttributes": [
+            {
+              "name": "isMfaCapable",
+              "mutability": "readOnly",
+              "description": "true/false - user has at least one MFA-capable method registered (members only; for guests, methods are in home tenant and enforcement is via Conditional Access).",
+              "type": "boolean"
+            },
+            {
+              "name": "isLegacyEnabled",
+              "mutability": "readOnly",
+              "description": "true/false - legacy per-user MFA is enabled ('perUserMfaState' is 'enabled' or 'enforced'); such users bypass/aren´t fully controlled by standard Conditional Access only design and therefore require special attention.",
+              "type": "boolean"
+            },
+            {
+              "name": "reset",
+              "mutability": "writeOnly",
+              "description": "Set to 'true' will reset users MFA capabilites and user will be forced to re-register MFA.",
+              "type": "boolean"
+            }
+          ],
+        "x-agent-schema": {
+            "description": "Read-only attribute object (except for 'mfa.reset') presenting the user's MFA capabilities. Note: 'mfa.isMfaCapable' does not mean MFA is enabled for the user. Conditional Access policies or using Security Defaults must be verified separately.",
             "readOnly": true
           }
         },

package/lib/helper-rest.ts

@@ -705,8 +705,11 @@ export class HelperRest {
         if (f.status > 399) {
           if (f.status === 429) { // throttle
             const v = f.headers.get('retry-after')
-            if (v) retryAfter = parseInt(v, 10) + 1
-            else retryAfter = 10
+            if (v) {
+              retryAfter = parseInt(v, 10)
+              if (isNaN(retryAfter)) retryAfter = 10
+              retryAfter += 1
+            } else retryAfter = 10
           }
           throw new Error(JSON.stringify(result))
         }
@@ -765,6 +768,12 @@ export class HelperRest {
       if (err.message.includes('ratelimit')) { // have seen throttling not follow standard 429/retry-after, but instead using 500 and error message only
         if (!retryAfter) retryAfter = 60
       }
+
+      if (retryAfter) {
+        this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} throttle/ratelimit error - awaiting ${retryAfter} seconds before automatic retry`)
+        await new Promise(resolve => setTimeout(resolve, retryAfter * 1000))
+      }
+
       if (!retryCount) retryCount = 0
       let urlObj
       try { urlObj = new URL(path) } catch (err) { void 0 }
@@ -773,12 +782,6 @@ export class HelperRest {
 
       if (isServiceClient && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ABORT_ERR' || err.code === 'ETIMEDOUT' || statusCode === 504 || oAuthTokeErr || retryAfter)) {
         this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
-        if (retryAfter) {
-          this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} throttle/ratelimit error - awaiting ${retryAfter} seconds before automatic retry`)
-          await new Promise(resolve => setTimeout(function () {
-            resolve(null)
-          }, retryAfter * 1000))
-        }
         if (retryCount < connectionObj.baseUrls.length) {
           retryCount++
           if (isServiceClient) {
@@ -791,13 +794,13 @@ export class HelperRest {
           const ret = await this.doRequestHandler(baseEntity, method, path, body, ctx, opt, retryCount) // retry
           return ret // problem fixed
         } else {
-          if (statusCode === 404) { // not logged as error e.g. getUser-manager
+          if (statusCode === 404 || ctx?.skipLogAsError) {
             this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
           } else this.scimgateway.logError(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
           throw err
         }
       } else {
-        if (statusCode === 404) { // not logged as error e.g. getUser-manager
+        if (statusCode === 404 || ctx?.skipLogAsError) { // 404 not logged as error e.g. getUser-manager
           this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${options.url} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
         } else this.scimgateway.logError(baseEntity, `doRequest ${method} ${options.url} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
         if (statusCode === 401) delete this._serviceClient[baseEntity]

package/lib/plugin-entra-id.ts

@@ -3,7 +3,7 @@
 //
 // Author:  Jarle Elshaug
 //
-// Purpose: Entra ID provisioning including licenses e.g. O365
+// Purpose: Entra ID user and group provisioning including roles and access packages in addition to retrieving license, MFA and sign-in information
 //
 // Prereq:  Entra ID configuration:
 //          Entra Application key defined (clientsecret). Other options are upload a certificate or configure "Federated Identity Credentials"
@@ -21,14 +21,15 @@
 //        Schema generated according mapping configuration.
 //        Note:
 //          - 'map.user.signInActivity' requires Entra ID Premium license and API permissions 'AuditLog.Read.All'.
+//          - 'map.user.mfa' provides MFA status information and requires API permissions 'UserAuthenticationMethod.Read.All'
 //          - 'map.user.entitlements' relates to Licenses and Access Packages. Access Packages requires API permissions 'EntitlementManagement.ReadWrite.All' 
 //          - 'map.user.roles relates to standard Permanent roles and PIM Permanent and Eligible roles.
 //            PIM is included on tenant having P2 or Governance License and requires following API permissions:
 //            - PIM Eligible roles requires API permissions 'RoleEligiblitySchedule.ReadWrite.All'
 //            - PIM Permanent roles requires API permissions 'RoleManagement.ReadWrite.Directory'
-//          - Remove mapping if conditions not met
+//          - Remove mapping if conditions not met or consider using only 'Read' if no management needed
 //
-// /User                                      SCIM (custom)                       Endpoint (AAD)
+// /User                                      SCIM (custom)                       Endpoint (Entra ID)
 // --------------------------------------------------------------------------------------------
 // User Principal Name                        userName                            userPrincipalName
 // Id                                         id                                  id
@@ -61,9 +62,10 @@
 // Groups                                     groups - virtual readOnly           N/A
 // Roles                                      roles                               roles (roleAssignments/roleEligibilitySchedules) - type=Permanent/Eligiable, value=id, display=role display name
 // Entitlements                               entitlements                        entitlements (assignedLicenses) - type=License, value=skuId and display=user-friendly-license-name / type=AccessPackage, value=AP-id and display=AP-displayName
-// SignInActivity                             signInActivity                      signInActivity (lastSignInDateTime, lastSuccessfulSignInDateTime and lastNonInteractiveSignInDateTime), Note: Requires Entra ID Premium license and API permissions: 'AuditLog.Read.All'. Remove this mapping if conditions not met".
+// SignInActivity                             signInActivity                      signInActivity (lastSignInDateTime, lastSuccessfulSignInDateTime and lastNonInteractiveSignInDateTime)
+// MFA                                        mfa                                 mfa (mfa.isMfaCapable and mfa.isLegacyEnabled)
 //
-// /Group                                     SCIM (custom)                       Endpoint (AAD)
+// /Group                                     SCIM (custom)                       Endpoint (Entra ID)
 // --------------------------------------------------------------------------------------------
 // Name                                       displayName                         displayName
 // Id                                         id                                  id
@@ -122,6 +124,7 @@ for (const key in config.map.user) { // mapAttributesTo = ['id', 'country', 'pre
     let attr = key.split('.')[0]
     // complexArray/complexObject are special
     if (config.map.user[key].mapTo === 'entitlements') attr = 'assignedLicenses'
+    if (config.map.user[key].mapTo === 'mfa') attr = 'perUserMfaState'
     if (config.map.user[key].mapTo === 'roles') continue
 
     if (!userSelectAttributes.includes(attr)) userSelectAttributes.push(attr)
@@ -147,22 +150,32 @@ if (!groupAttributes.includes('members.value')) groupAttributes.push('members.va
   for (const baseEntity in config.entity) {
     try {
       permission[baseEntity] = {}
-      const [signInResult, eligibleResult, permanentScheduleResult, accessPackageResult] = await Promise.allSettled([
+      let probeUserId: string | undefined
+      try {
+        const res = await helper.doRequest(baseEntity, 'GET', '/users?$top=1&$select=id', null, null)
+        probeUserId = res?.body?.value?.[0]?.id
+      } catch (err) { }
+
+      const [signInResult, eligibleResult, permanentScheduleResult, accessPackageResult, mfaResult] = await Promise.allSettled([
         (async () => {
           if (!mapAttributesTo.includes('signInActivity')) throw new Error('skipping signInActivity check')
-          await helper.doRequest(baseEntity, 'GET', '/users?$top=1&$select=id,signInActivity', null, null)
+          await helper.doRequest(baseEntity, 'GET', '/users?$top=1&$select=id,signInActivity', null, { skipLogAsError: true })
         })(),
         (async () => {
           if (!mapAttributesTo.includes('roles')) throw new Error('skipping eligible check')
-          await helper.doRequest(baseEntity, 'GET', '/roleManagement/directory/roleEligibilityScheduleInstances?$top=1', null, null)
+          await helper.doRequest(baseEntity, 'GET', '/roleManagement/directory/roleEligibilityScheduleInstances?$top=1', null, { skipLogAsError: true })
         })(),
         (async () => {
           if (!mapAttributesTo.includes('roles')) throw new Error('skipping permanent schedule check')
-          await helper.doRequest(baseEntity, 'GET', '/roleManagement/directory/roleAssignmentScheduleInstances?$top=1', null, null)
+          await helper.doRequest(baseEntity, 'GET', '/roleManagement/directory/roleAssignmentScheduleInstances?$top=1', null, { skipLogAsError: true })
         })(),
         (async () => {
           if (!mapAttributesTo.includes('entitlements')) throw new Error('skipping access package check')
-          await helper.doRequest(baseEntity, 'GET', '/identityGovernance/entitlementManagement/accessPackages?$top=1&$select=id', null, null)
+          await helper.doRequest(baseEntity, 'GET', '/identityGovernance/entitlementManagement/accessPackages?$top=1&$select=id', null, { skipLogAsError: true })
+        })(),
+        (async () => {
+          if (!mapAttributesTo.includes('mfa') || !probeUserId) throw new Error('skipping mfaMethods check')
+          await helper.doRequest(baseEntity, 'GET', `/users/${probeUserId}/authentication/methods`, null, { skipLogAsError: true })
         })(),
       ])
       if (signInResult.status === 'fulfilled') {
@@ -175,19 +188,25 @@ if (!groupAttributes.includes('members.value')) groupAttributes.push('members.va
         permission[baseEntity].eligible = true
       } else {
         permission[baseEntity].eligible = false
-        if (mapAttributesTo.includes('roles')) scimgateway.logError(baseEntity, `PIM eligible role functionality has been deactivated because it requires either a P2 or Governance license, as well as the API permission 'RoleEligibilitySchedule.ReadWrite.All'`)
+        if (mapAttributesTo.includes('roles')) scimgateway.logError(baseEntity, `PIM eligible role functionality has been deactivated because it requires either a P2 or Governance license, as well as the minimum API permission 'RoleEligibilitySchedule.Read.All'`)
       }
       if (permanentScheduleResult.status === 'fulfilled') {
         permission[baseEntity].permanentSchedule = true
       } else {
         permission[baseEntity].permanentSchedule = false
-        if (mapAttributesTo.includes('roles')) scimgateway.logError(baseEntity, `PIM permanent role functionality has been deactivated because it requires either a P2 or Governance license, as well as the API permission 'RoleManagement.ReadWrite.Directory'`)
+        if (mapAttributesTo.includes('roles')) scimgateway.logError(baseEntity, `PIM permanent role functionality has been deactivated because it requires either a P2 or Governance license, as well as the minimum API permission 'RoleManagement.Read.Directory'`)
       }
       if (accessPackageResult.status === 'fulfilled') {
         permission[baseEntity].accessPackage = true
       } else {
         permission[baseEntity].accessPackage = false
-        if (mapAttributesTo.includes('roles')) scimgateway.logError(baseEntity, `IGA Access Packages functionality has been deactivated because it requires API permission 'EntitlementManagement.ReadWrite.All'`)
+        if (mapAttributesTo.includes('roles')) scimgateway.logError(baseEntity, `IGA Access Packages functionality has been deactivated because it requires minimum API permission 'EntitlementManagement.Read.All'`)
+      }
+      if (mfaResult.status === 'fulfilled') {
+        permission[baseEntity].mfa = true
+      } else {
+        permission[baseEntity].mfa = false
+        if (mapAttributesTo.includes('mfa')) scimgateway.logError(baseEntity, `MFA Methods functionality has been deactivated because it requires API permissions 'UserAuthenticationMethod.Read.All'`)
       }
     } catch (err) {}
   }
@@ -217,7 +236,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     Resources: [],
     totalResults: null,
   }
-  let response: any
+  let response: Record<string, any> = {}
   let selectAttributes: string[] = []
 
   if (attributes.length > 0) {
@@ -227,6 +246,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
       if (!attr) continue
       // complexArray/complexObject are special
       if (attribute.startsWith('entitlements')) attr = 'assignedLicenses'
+      if (attribute.startsWith('mfa')) attr = 'perUserMfaState'
       if (attribute.startsWith('roles')) continue
       if (!selectAttributes.includes(attr)) selectAttributes.push(attr)
     }
@@ -289,17 +309,18 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
           if (config.map.user[arr[0]] && ['complexArray', 'complexObject'].includes(config.map.user[arr[0]]?.type)) {
             if (arr[0] === 'roles') {
               if (type && type !== 'Permanent' && type !== 'Eligible') throw new Error(`${action} filter error: when using roles.type, the type must be either 'Permanent' or 'Eligible`)
+              if (!type && obj.operator === 'pr') obj = { attribute: 'roles.type' } // 'filter=roles pr' - precense => filter all objects having roles
               const o = await getUsersByRole(baseEntity, obj, (type) ? decodeURIComponent(type) as 'Permanent' | 'Eligible' : undefined, ctx)
-
               if (!Array.isArray(o) || o.length === 0) return ret
-              const fnArr: { fn: () => Promise<any> }[] = []
+              const fnArr: { fn: () => Promise<any>, index?: number, objArr?: any, key?: string }[] = []
+              response.body = { value: [] }
+              if (!response.body?.value) response.body = { value: [] }
               for (const id of o) {
                 const userPath = `/users/${id}?$select=${selectAttributes.join(',')}`
                 const fn = () => helper.doRequest(baseEntity, 'GET', userPath, null, ctx?.headers ? { headers: ctx?.headers } : undefined)
-                fnArr.push({ fn })
+                fnArr.push({ fn, objArr: response.body.value })
               }
-              response = { body: { value: [] } }
-              await fnCunckExecute(fnArr, response.body.value) // fnCunckExecute results in response.body.value and evaluated later
+              await fnCunckExecute(fnArr) // fnCunckExecute results in response.body.value and evaluated later
               if (response.body.value.length === 0) return ret
             } else if (arr[0] === 'entitlements') { // using entitlements for licenses and access packages
               if (getObj.attribute !== 'entitlements.type' && getObj.and?.attribute !== 'entitlements.type') throw new Error(`${action} filter error: mandatory entitlements.type is missing, examples: entitlements[type eq "xxx"], entitlements[type eq "xxx" and value eq "xxx"], entitlements[type eq "xxx" and display <eq/co/sw> "xxx"]`)
@@ -325,19 +346,20 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
                 }
                 if (typeof o !== 'object' || o === null || Object.keys(o).length === 0) return ret
                 const isAttrsOk = attributes.length > 0 && attributes.length < 3 && (attributes.includes('id') || attributes.includes('displayName'))
-                const fnArr: { fn: () => Promise<any> }[] = []
+                const fnArr: { fn: () => Promise<any>, index?: number, objArr?: any, key?: string }[] = []
+                response.body = { value: [] }
+                if (!response.body?.value) response.body = { value: [] }
                 for (const key in o) {
                   if (isAttrsOk) ret.Resources.push(o[key])
                   else {
                     const userPath = `/users/${key}?$select=${selectAttributes.join(',')}`
                     const fn = () => helper.doRequest(baseEntity, 'GET', userPath, null, ctx?.headers ? { headers: ctx?.headers } : undefined)
-                    fnArr.push({ fn })
+                    fnArr.push({ fn, objArr: response.body.value })
                   }
                 }
                 if (isAttrsOk) return ret
                 else {
-                  response = { body: { value: [] } }
-                  await fnCunckExecute(fnArr, response.body.value) // fnCunckExecute results in response.body.value and evaluated later
+                  await fnCunckExecute(fnArr)
                   if (response.body.value.length === 0) return ret
                 }
               } else throw new Error(`${action} error: entitlements.type must be either "License" or "AccessPackage"`)
@@ -412,31 +434,30 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     if (!response.body.value) {
       throw new Error(`invalid response: ${JSON.stringify(response)}`)
     }
-    const fnArr: { index: number, fn: () => Promise<any> }[] = []
+    const fnArr: { fn: () => Promise<any>, index?: number, objArr?: any, key?: string }[] = []
     const byValues = await getEntitlementsByValues(baseEntity, ctx)
 
-    // include manager
-    if (!isExpandManager && selectAttributes.includes('manager')) {
-      for (let i = 0; i < response.body.value.length; ++i) {
-        if (!response.body.value[i].id) break
+    for (let i = 0; i < response.body.value.length; ++i) {
+      if (!response.body.value[i].id) break
+
+      // include manager
+      if (!isExpandManager && selectAttributes.includes('manager')) {
         const singleUserPath = `/users/${response.body.value[i].id}/manager?$select=userPrincipalName`
         const fn = () => helper.doRequest(baseEntity, 'GET', singleUserPath, null, ctx?.headers ? { headers: ctx?.headers } : undefined, options)
-        fnArr.push({ index: i, fn })
+        // fnArr.push({ index: i, fn })
+        fnArr.push({ index: i, fn, objArr: response.body.value, key: 'manager' })
       }
-      await fnCunckExecute(fnArr, response.body.value, 'manager')
-    }
 
-    // include groups (before roles)
-    if (attributes.length === 0 || attributes.includes('groups')) {
-      for (let i = 0; i < response.body.value.length; ++i) {
-        if (!response.body.value[i].id) break
+      // include groups (before roles)
+      if (attributes.length === 0 || attributes.includes('groups')) {
         const fn = () => scimgateway.getUserGroups(baseEntity, response.body.value[i].id, ctx?.headers ? { headers: ctx?.headers } : undefined)
-        fnArr.push({ index: i, fn })
+        fnArr.push({ index: i, fn, objArr: response.body.value, key: 'groups' })
       }
-      await fnCunckExecute(fnArr, response.body.value, 'groups')
     }
 
-    // attribute cleanup and mapping
+    if (fnArr.length > 0) await fnCunckExecute(fnArr)
+
+    // attribute mapping and cleanup
     for (let i = 0; i < response.body.value.length; ++i) {
       const obj = response.body.value[i]
       if (obj.manager?.userPrincipalName) {
@@ -445,13 +466,19 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
         else delete obj.manager
       }
 
+      if (obj.perUserMfaState && permission[baseEntity]?.mfa) {
+        const isLegacyEnabled = obj.perUserMfaState === 'enabled' || obj.perUserMfaState === 'enforced'
+        if (!obj.mfa) obj.mfa = {}
+        obj.mfa.isLegacyEnabled = isLegacyEnabled
+      }
+
       if (obj.signInActivity) {
         delete obj.signInActivity.lastSignInRequestId
         delete obj.signInActivity.lastNonInteractiveSignInRequestId
         delete obj.signInActivity.lastSuccessfulSignInRequestId
       }
 
-      // include roles and entitlements
+      // include roles, entitlements and MFA - MFA here and not in above fnArr/fnCunckExecute to reduce throttle noise
       if (obj.id) {
         const roles = async (obj: Record<string, any>): Promise<Record<string, any>[]> => {
           // roles type=Permanent/Eligible
@@ -476,12 +503,26 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
           }
           return result
         }
+        const mfa = async (obj: Record<string, any>): Promise<boolean | undefined> => {
+          // include MFA 'isMfaCapable', which indicates whether the user has registered authentication methods eligible for MFA.
+          if (attributes.length === 0 || attributes.includes('mfa') || attributes.includes('mfa.isMfaCapable')) {
+            if (permission[baseEntity]?.mfa) {
+              return await getUserisMfaCapable(baseEntity, obj.id, ctx?.headers ? { headers: ctx?.headers } : undefined)
+            } else return undefined
+          }
+        }
+
         const arrResolve = await Promise.all([
           roles(obj),
           entitlements(obj),
+          mfa(obj),
         ])
         obj.roles = arrResolve[0]
         obj.entitlements = arrResolve[1]
+        if (arrResolve[2] !== undefined) {
+          if (!obj.mfa) obj.mfa = {}
+          obj.mfa.isMfaCapable = arrResolve[2]
+        }
       }
 
       // map to inbound
@@ -562,7 +603,6 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   const method = 'DELETE'
   const path = `/Users/${id}`
   const body = null
-
   try {
     await helper.doRequest(baseEntity, method, path, body, ctx)
     return (null)
@@ -570,6 +610,7 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
     throw new Error(`${action} error: ${err.message}`)
   }
 }
+
 // =================================================
 // modifyUser
 // =================================================
@@ -577,10 +618,6 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyUser'
   scimgateway.logDebug(baseEntity, `handling ${action} id=${id} attrObj=${JSON.stringify(attrObj)} passThrough=${ctx ? 'true' : 'false'}`)
 
-  // roles and entitlements only supported for getUsers - readOnly 
-  // if (attrObj.roles) delete attrObj.roles
-  // if (attrObj.entitlements) delete attrObj.entitlements
-
   const [parsedAttrObj]: Record<string, any>[] = scimgateway.endpointMapper('outbound', attrObj, config.map.user) // SCIM/CustomSCIM => endpoint attribute standard
   if (parsedAttrObj instanceof Error) throw (parsedAttrObj) // error object
 
@@ -600,6 +637,18 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
     return undefined
   }
 
+  // MFA Reset
+  if (Object.hasOwn(parsedAttrObj, 'mfa')) {
+    if (parsedAttrObj.mfa.reset === true) {
+      if (!permission[baseEntity]?.mfa || !permission[baseEntity]?.eligible) throw new Error(`${action} error: MFA reset is not supported by the endpoint - missing permissions.`)
+      const currentRoles = await getUserRoles(baseEntity, id, [], true, ctx)
+      const isPrivileged = currentRoles.some(r => isPrivilegedRole(r.value))
+      if (isPrivileged) throw new Error(`${action} error: MFA reset is not allowed for users with high-privilege roles for security reasons.`)
+      await resetUserMfa(baseEntity, id, ctx)
+    }
+    delete parsedAttrObj.mfa
+  }
+
   // Roles
   if (Object.hasOwn(parsedAttrObj, 'roles') && Array.isArray(parsedAttrObj.roles)) {
     const r: Record<string, any>[] = []
@@ -618,7 +667,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
       const res: Record<string, any> = { value: el.value, type: el.type }
       if (el.display) res.display = el.display
       if (el.operation === 'delete') {
-        if (el.value === '62e90394-69f5-4237-9190-012177145e10') throw new Error(`${action} error: Removal of the 'Global Administrator' role is not allowed for security reasons.`)
+        if (isPrivilegedRole(el.value)) throw new Error(`${action} error: Removal of high-privilege roles is not allowed for security reasons.`)
         res.operation = el.operation
       }
       r.push(res)
@@ -774,7 +823,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   const profile = () => { // patch
     return new Promise((resolve, reject) => {
       (async () => {
-        if (JSON.stringify(parsedAttrObj) === '{}') return resolve(null)
+        if (Object.keys(parsedAttrObj).length === 0) return resolve(null)
         let res: any
         for (const key in parsedAttrObj) { // if object, the modified Entra ID object must contain all elements, if not they will be cleared e.g. employeeOrgData
           if (typeof parsedAttrObj[key] === 'object') { // get original object and merge
@@ -1682,6 +1731,85 @@ const getUserAccessPackages = async (baseEntity: string, userId: string, include
   return result
 }
 
+const isPrivilegedRole = (roleId: string): boolean => {
+  return [
+    '62e90394-69f5-4237-9190-012177145e10', // Global Administrator
+    'e8611ab8-c189-46e8-94e1-60213ab1f814', // Privileged Role Administrator
+    '7be44c8a-adaf-4e2a-84d6-ab2649e08a13', // Privileged Authentication Administrator
+    'c4e39bd9-1100-46d3-8c65-fb160da0071f', // Authentication Administrator
+  ].includes(roleId)
+}
+
+const isMethodMfaCapable = (odataType: string): boolean => {
+  return [
+    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
+    '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod',
+    '#microsoft.graph.phoneAuthenticationMethod',
+    '#microsoft.graph.softwareOathAuthenticationMethod',
+    '#microsoft.graph.fido2AuthenticationMethod',
+  ].includes(odataType)
+}
+
+const getAuthMethodCollectionFromODataType = (odataType: string): string => {
+  const map: Record<string, string> = {
+    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod': 'microsoftAuthenticatorMethods',
+    '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod': 'microsoftAuthenticatorMethods',
+    '#microsoft.graph.phoneAuthenticationMethod': 'phoneMethods',
+    '#microsoft.graph.softwareOathAuthenticationMethod': 'softwareOathMethods',
+    '#microsoft.graph.fido2AuthenticationMethod': 'fido2Methods',
+    '#microsoft.graph.emailAuthenticationMethod': 'emailMethods',
+    '#microsoft.graph.temporaryAccessPassAuthenticationMethod': 'temporaryAccessPassMethods',
+    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod': 'windowsHelloForBusinessMethods',
+    '#microsoft.graph.passwordAuthenticationMethod': 'passwordMethods',
+  }
+  const collection = map[odataType]
+  return collection
+}
+
+const getUserisMfaCapable = async (baseEntity: string, userId: string, ctx?: undefined | Record<string, any>): Promise<boolean> => {
+  const action = 'getUserisMfaCapable'
+  const method = 'GET'
+  const body = null
+  const path = `/users/${userId}/authentication/methods`
+  const r = await helper.doRequest(baseEntity, method, path, body, ctx?.headers ? { headers: ctx?.headers } : undefined)
+  if (!r.body?.value) {
+    if (r.body?.id) r.body.value = [r.body]
+    else throw new Error(`${action} error: invalid response: ${JSON.stringify(r)}`)
+  }
+  const methodTypes = r.body.value.map((m: any) => m['@odata.type'])
+  if (methodTypes.length < 1) return false
+  return methodTypes.some(isMethodMfaCapable)
+}
+
+const resetUserMfa = async (baseEntity: string, userId: string, ctx?: undefined | Record<string, any>): Promise<boolean> => {
+  const action = 'resetUserMfa'
+  const method = 'GET'
+  const body = null
+  const path = `/users/${userId}/authentication/methods`
+  const r = await helper.doRequest(baseEntity, method, path, body, ctx?.headers ? { headers: ctx?.headers } : undefined)
+  if (!r.body?.value) {
+    if (r.body?.id) r.body.value = [r.body]
+    else throw new Error(`${action} error: invalid response: ${JSON.stringify(r)}`)
+  }
+  const methods = r.body.value.map((m: any) => { return { 'id': m.id, '@odata.type': m['@odata.type'] } })
+  if (methods.length < 1) return false
+  const fnArr: { fn: () => Promise<any>, index?: number, objArr?: any, key?: string }[] = []
+  for (const m of methods) {
+    if (!isMethodMfaCapable(m['@odata.type'])) continue
+    const methodName = getAuthMethodCollectionFromODataType(m['@odata.type'])
+    if (!methodName) continue
+    const path = `/users/${userId}/authentication/${methodName}/${m.id}`
+    const fn = () => helper.doRequest(baseEntity, 'DELETE', path, null, ctx?.headers ? { headers: ctx?.headers } : undefined)
+    fnArr.push({ fn })
+  }
+  if (fnArr.length === 0) return false
+  // include revoke sessions
+  const fn = () => helper.doRequest(baseEntity, 'POST', `/users/${userId}/invalidateAllRefreshTokens`, null, ctx?.headers ? { headers: ctx?.headers } : undefined)
+  fnArr.push({ fn })
+  await fnCunckExecute(fnArr)
+  return true
+}
+
 /**
 * getUsersByRole returns an array of user IDs having a specific role assigned
 * @param baseEntity 
@@ -1724,23 +1852,24 @@ const getUsersByRole = async (baseEntity: string, getObj: Record<string, any>, t
 
   if (activePrincipals.size === 0) return []
 
-  // 3. Resolve Principals (determine if User or Group)
+  // 3. Resolve principals (determine if user or group)
   const userIds = new Set<string>()
-  const principalsToResolve: { fn: () => Promise<any> }[] = []
+  const fnArrPrincipalObjects: { fn: () => Promise<any>, index?: number, objArr?: any, key?: string }[] = []
+  const principalObjects: any[] = []
   for (const pId of activePrincipals) {
     const path = `/directoryObjects/${pId}`
-    principalsToResolve.push({ fn: () => helper.doRequest(baseEntity, 'GET', path, null, ctx?.headers ? { headers: ctx?.headers } : undefined) })
+    fnArrPrincipalObjects.push({ fn: () => helper.doRequest(baseEntity, 'GET', path, null, ctx?.headers ? { headers: ctx?.headers } : undefined), objArr: principalObjects })
   }
-  const principalObjects: any[] = []
-  await fnCunckExecute(principalsToResolve, principalObjects)
+  if (fnArrPrincipalObjects.length > 0) await fnCunckExecute(fnArrPrincipalObjects)
 
-  // 4. Handle Users directly and fetch transitive members for Groups
-  const groupMembersToFetch: { fn: () => Promise<any> }[] = []
+  // 4. Handle users directly and fetch transitive members for groups
+  const fnArrGroupResults: { fn: () => Promise<any>, index?: number, objArr?: any, key?: string }[] = []
+  const groupResults: any[] = []
   for (const obj of principalObjects) {
     if (!obj || !obj.id) continue
     if (obj['@odata.type'] === '#microsoft.graph.user') userIds.add(obj.id)
     else if (obj['@odata.type'] === '#microsoft.graph.group') {
-      // Use a custom function to fetch all transitive members including paging
+      // fetch all transitive members including paging
       const fetchAllMembers = async (groupId: string) => {
         let members: any[] = []
         let nextPath: string | null = `/groups/${groupId}/transitiveMembers/microsoft.graph.user?$select=id`
@@ -1748,63 +1877,80 @@ const getUsersByRole = async (baseEntity: string, getObj: Record<string, any>, t
           const res = await helper.doRequest(baseEntity, 'GET', nextPath, null, ctx?.headers ? { headers: ctx?.headers } : undefined)
           if (!res.body?.value) break
           members.push(...res.body.value)
-          // extract nextLink and convert to relative path
           nextPath = res.body['@odata.nextLink'] ? res.body['@odata.nextLink'].split('/beta')[1] : null
         }
-        return { body: { value: members } } // Wrap results for fnCunckExecute compatibility
+        return { body: { value: members } }
       }
-      groupMembersToFetch.push({ fn: () => fetchAllMembers(obj.id) })
+      fnArrGroupResults.push({ fn: () => fetchAllMembers(obj.id), objArr: groupResults })
     }
   }
-  const groupResults: any[] = []
-  if (groupMembersToFetch.length > 0) await fnCunckExecute(groupMembersToFetch, groupResults)
+
+  if (fnArrGroupResults.length > 0) await fnCunckExecute(fnArrGroupResults)
   groupResults.forEach((m: any) => m.id && userIds.add(m.id.toLowerCase()))
 
   return Array.from(userIds)
 }
 
 /**
-* fnCunckExecute runs functions asynchronous in chunks
-* @param fnArr array of objects that must include function and optionally index [{fn, index}]. If `index` is included, it represent the index of `objArr` that should be updated with `key` set to the value of the function result.
-* @param objArr optionally array of objects. `objArr[index].key` will be set to function result. If objArr included e.g. empty, but no index and no key, function result will be inserted to objArr.
-* @param key optionally key
-* @returns undefined, but updated objArr if objArr argument is included
+* fnCunckExecute runs array of functions asynchronous in chunks
+* @param fnArr array of objects that must include function and optionally index, objArr and key [{fn, index, objArr, key}]. Function will always be executed. Any optional objArr will be updated according to provided index/key
+* @param fnArr.index optional and represent the index of `objArr` that should be updated with `key` set to the value of the function result
+* @param fnArr.objArr optionally array of objects or a single object that will be updated based on fn result. If index, `objArr[index].key` will be set to function result. If key, but no index, function result will be inserted to objArr[key].
+* @param fnArr.key optionally key
+* @param chunkSize optinally size of chunks used, default 5
+* @returns undefined, but updated objArr if objArr is included
 **/
-const fnCunckExecute = async (fnArr: { index?: number, fn: () => Promise<any> }[], objArr?: Record<string, any>[], key?: string) => {
-  if (!Array.isArray(fnArr)) throw new Error(`fnCunckExecute get ${key} error: fnArr and/or objArr is not array`)
-  if (fnArr.length > 0) {
-    if (typeof fnArr[0] !== 'object' || !fnArr[0].fn) throw new Error(`fnCunckExecute error: fnArr missing fn object(s)`)
-    else if (fnArr[0].index !== undefined && !(objArr || key)) throw new Error(`fnCunckExecute error: missing reponseValue/key`)
-    const chunk = 5
-    do {
-      const arrChunk = fnArr.splice(0, chunk)
-      const results = await Promise.allSettled(arrChunk.map(o => o.fn())) as { status: 'fulfilled' | 'rejected', reason: any, value: any }[] // processing max chunk async              
-      const errors = results.filter(result => result.status === 'rejected').map(result => result.reason.message)
-      if (errors.length > 0) {
-        let errMsg
-        let statusCode
-        try {
-          const res = JSON.parse(errors[0])
-          statusCode = res?.statusCode
-          errMsg = res?.body?.error?.message
-        } catch (err) { errMsg = errors.join(', ') }
-        if (statusCode !== 404) throw new Error(errMsg)
-      }
-      results.forEach((result, idx) => {
-        if (result.status === 'fulfilled') {
-          if (!result.value?.body) return
-          const res = result.value.body
-          if (typeof arrChunk[idx].index === 'number' && objArr && key) {
-            if (res.value) objArr[arrChunk[idx].index][key] = res.value
-            else objArr[arrChunk[idx].index][key] = res // Assign the result to the specific index and key
-          } else if (arrChunk[idx].index === undefined && objArr && key === undefined) { // When index and key are undefined, append to objArr if objArr provided
-            if (Array.isArray(res.value)) objArr.push(...res.value) // If res.value is an array, spread its elements into objArr
-            else objArr.push(res) // Otherwise, push the entire res object
+const fnCunckExecute = async (fnArr: { fn: () => Promise<any>, index?: number, objArr?: Record<string, any>[] | Record<string, any>, key?: string }[], chunkSize?: number) => {
+  if (!Array.isArray(fnArr)) throw new Error(`fnCunckExecute error: fnArr is not array`)
+  if (fnArr.length === 0) return
+  if (typeof fnArr[0] !== 'object' || !fnArr[0].fn) throw new Error(`fnCunckExecute error: fnArr missing fn object(s)`)
+  else if (fnArr[0].index !== undefined && !(fnArr[0].objArr || fnArr[0].key)) throw new Error(`fnCunckExecute error: missing reponseValue/key`)
+  if (!chunkSize || chunkSize < 1) chunkSize = 5
+  do {
+    const arrChunk = fnArr.splice(0, chunkSize)
+    const results = await Promise.allSettled(arrChunk.map(o => o.fn())) as { status: 'fulfilled' | 'rejected', reason: any, value: any }[] // processing max chunk async              
+    const errors = results.filter(result => result.status === 'rejected').map(result => result.reason.message)
+    if (errors.length > 0) {
+      let errMsg
+      let statusCode
+      try {
+        const res = JSON.parse(errors[0])
+        statusCode = res?.statusCode
+        errMsg = res?.body?.error?.message
+      } catch (err) { errMsg = errors.join(', ') }
+      if (statusCode !== 404) throw new Error(errMsg)
+    }
+    results.forEach((result, idx) => {
+      if (result.status === 'fulfilled') {
+        const objArr: any = arrChunk[idx].objArr
+        const key = arrChunk[idx].key
+        const index = arrChunk[idx].index
+        if (result.value === undefined) return
+        const res: any = result.value.body || result.value
+        const val = (res && res.value !== undefined) ? res.value : res
+        if (typeof index === 'number' && objArr && key) {
+          const keyArr = key.split('.')
+          if (keyArr.length > 2) throw new Error(`fnCunckExecute error: key ${key} can not be more than 2 levels deep`)
+          if (keyArr.length === 2 && !objArr[index][keyArr[0]]) objArr[index][keyArr[0]] = {}
+          if (keyArr.length === 1) objArr[index][keyArr[0]] = val
+          else objArr[index][keyArr[0]][keyArr[1]] = val
+        } else if (index === undefined && objArr) {
+          if (key === undefined) { // When index and key are undefined, append to objArr if objArr provided
+            if (Array.isArray(objArr)) {
+              if (Array.isArray(res.value)) objArr.push(...res.value) // If res.value is an array, spread its elements into objArr
+              else objArr.push(res) // Otherwise, push the entire res object
+            }
+          } else {
+            const keyArr = key.split('.')
+            if (keyArr.length > 2) throw new Error(`fnCunckExecute error: key ${key} can not be more than 2 levels deep`)
+            if (keyArr.length === 2 && !objArr[keyArr[0]]) objArr[keyArr[0]] = {}
+            if (keyArr.length === 1) objArr[keyArr[0]] = val
+            else objArr[keyArr[0]][keyArr[1]] = val
           }
         }
-      })
-    } while (fnArr.length > 0)
-  }
+      }
+    })
+  } while (fnArr.length > 0)
 }
 
 //

package/lib/scimgateway.ts

@@ -945,7 +945,7 @@ export class ScimGateway {
                   description: item.description ?? '',
                   required: (item.mapTo === 'userName') ? true : false,
                   caseExact: false,
-                  mutability: 'readWrite',
+                  mutability: item.mutability ?? 'readWrite',
                   returned: 'default',
                   uniqueness: (item.mapTo === 'userName') ? 'server' : 'none',
                 }
@@ -2261,6 +2261,7 @@ export class ScimGateway {
           if (res?.Resources && Array.isArray(res.Resources) && res.Resources.length === 1) {
             // we might have endpoint like Entra ID that hasn’t caught up yet due to internal sync
             // ensure returned object reflects changes by doing a merge with patch payload (convertedScim) 
+            if (finalScimdata?.mfa) delete finalScimdata.mfa // writeOnly mfa.reset
             res.Resources[0] = this.patchObj(res.Resources[0], finalScimdata) // merge
             if (res.Resources[0].password) delete res.Resources[0].password
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "6.2.2",
+  "version": "6.2.4",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",