
SCIM / Entra ID Provisioning: How to remove user attributes in the target system?


GET Users/{Id} returns the following JSON:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "16960d38-728d-4865-925c-165caf50708d",
  "externalId": "16960d38-728d-4865-925c-165caf50708d",
  "userName": "[email protected]",
  "name": {
    "givenName": "",
    "familyName": "Foo"
  },
  "active": true
}

When I change the value of the "familyName" or "givenName" attribute in MS Entra, Entra makes a PATCH request with the following body:

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Add",
      "path": "name.givenName",
      "value": "Bar"
    },
    {
      "op": "Replace",
      "path": "name.familyName",
      "value": "Foo2"
    }
  ]
}

But when I delete the "familyName" or "givenName" attribute in Entra, Entra does NOT send a "Remove" "op".

Why is that? And how can I remove the attribute in my target system then?

Thank you in advance!


Solution

  • Entra's app provisioning service doesn't support removing values from attributes at this time.

    See: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/known-issues?pivots=app-provisioning#null-attribute-cant-be-provisioned
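
For the target-system side, here is an added example (not code from the question or from Microsoft) of a PATCH handler that accepts the capitalised "op" values shown in the question and also implements remove, so the attribute can be cleared by any client that does send that operation. It assumes simple dotted paths only; `apply_patch`, `_parent` and the Remove message are hypothetical and constructed for illustration.

```python
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Resource and PATCH body as shown in the question (trimmed to the name attribute).
USER = {"id": "16960d38-728d-4865-925c-165caf50708d",
        "name": {"givenName": "", "familyName": "Foo"}, "active": True}
ENTRA_PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Add", "path": "name.givenName", "value": "Bar"},
    {"op": "Replace", "path": "name.familyName", "value": "Foo2"}]}
# Constructed message: the remove operation the question expected to receive.
REMOVE_PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Remove", "path": "name.givenName"}]}


def _parent(node, keys, create):
    """Walk to the object holding the leaf attribute; None if it does not exist."""
    for key in keys:
        if key not in node:
            if not create:
                return None
            node[key] = {}
        node = node[key]
    return node


def apply_patch(resource, patch):
    """Return a patched copy of a SCIM resource (hypothetical helper)."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(resource)
    for operation in patch.get("Operations", []):
        # The body in the question carries "Add"/"Replace", so match case-insensitively.
        op = str(operation.get("op", "")).lower()
        path = operation.get("path")
        if op not in ("add", "replace", "remove"):
            raise ValueError(f"unsupported op: {operation.get('op')!r}")
        if not path or "[" in path:
            raise ValueError("only simple dotted attribute paths are supported")
        *parents, leaf = path.split(".")
        parent = _parent(result, parents, create=(op != "remove"))
        if op == "remove":
            if parent is not None:
                parent.pop(leaf, None)  # removing an absent attribute is a no-op
        elif "value" not in operation:
            raise ValueError(f"{op} requires a value")
        else:
            parent[leaf] = operation["value"]
    return result
```

Because no remove operation arrives for a cleared attribute, the value written by the last Add or Replace stays on the target resource until something else changes it.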