This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 50%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
With Azure Inbound Provisioning I need the ability remove an attribute's value when it is removed from the source of truth. The best I can do is flow a single character value--in this case a space. I can't flow an empty string that would leave an attribute with no value.
RFC 7644, "System for Cross-domain Identity Management: Protocol," provides for removal of an attribute value (see section 3.5.2.2, Remove Operation). Is this supported by Inbound Provisioning? If it is, how do I trigger? If not, is this a planned feature?
There doesn't seem to be a way of clearing an attribute value or flowing a NULL in the published reference at https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/functions-for-customizing-application-data .
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
This isn't possible right now with the AAD Provisioning platform either inbound or outbound to the best of my knowledge. It's been requested before, but I am not aware of any immediate plans for this or any shareable ETA.
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
James, this has been an on-going challenge for many months. This is particularly frustrating because Entra Provisioning claims to be SCIM 2.0 compliant but clearly has a gap. Are there any plans to close this gap?
Hi Michael,
To clarify, the SCIM 2.0 standard does not state any requirements for clients (Entra Provisioning, in this case) to support specific behaviors such as flowing a null/empty value. From the angle of a SCIM client, the standard defines how various requests can be structured syntactically as part of the protocol, but in the majority of cases does not go beyond that.
The issue you are describing is not an issue of compliance with the SCIM standard, but rather a limitation that exists in the Entra Provisioning service. This is documented here, for reference: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/known-issues?pivots=app-provisioning#null-attribute-cant-be-provisioned
Clarification aside, this is something we've seen numerous customers ask for over the years. It isn't as simple as enabling the ability to flow a null value, however, as merely turning that on introduces significant risk to customers in the event of a data issue in Entra due to an unrelated incident on their end, or merely from a misconfiguration of provisioning mappings. That risk is that a mapping misconfiguration or source data issue may lead to unintended and possibly irreversible deletion of data in the downstream SCIM app. Given that risk, adding this functionality on our side requires additional investments in safety features similar to the "Accidental Deletions" threshold that was added to prevent object deletions in Entra Provisioning.
I don't directly manage the roadmap for Entra Provisioning features, so I'll also share a link to this post with a colleague of mine who does have that honor in case they have anything else to add here.
I wanted to check in and see if you had a chance to review @Danny Zollner 's comment?
If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Danny, I'm just spitballing here but would it make sense if we can send a 'tokenized' value, such as "delete:attributename" to signal it is an intentional delete and not directly flowing a Null value?
Another example, we needed to set the msExchHideFromAddressLists attribute to True when a user is terminated. Unfortunately, the triggered a False to flow to everyone else, even though proper LDAP accepts a missing attribute (an attribute without a value should not exist and a Boolean should either be set or not set; false introduces a third value).
A few things:
Danny,
My bad for introducing the boolean attribute and going on and on about this. I see the disclaimer, "Microsoft Entra ID currently can't provision null attributes. If an attribute is null on the user object, it will be skipped." This limitation is unfortunate as it will require an external automation/script to resolve. While Entra Provisioning won't trigger on a null attribute, I can always set up a rule based on compound attributes. In this case, I am looking to clear an End Date should the person return. This can be reliably triggered when a user goes from Inactive to Active. To clear other attributes, it may require a full synchronization, similar to MIIS/FIM/MIM.
I'll mark this as answered (even though I don't like the answer),
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 45%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
HI All, I have a similar related request, in our inbound configuration we're using a custom attribute in the HR source to set the Account Expiry, when an employee transfers from Contract to Permanent the Custom attribute is no longer passed to the provisioning service. I have attempted to work around this with the Switch expression and even basic IsPresent expression however, although set to "Always" on the mapping the expression is never parsed and thus the "default" value is not written to the AD object.