How do I clear an attribute value using in AD via the "API-driven Inbound User Provisioning to On-premise AD"-endpoint

Wouter Landuyt 5 Reputation points
2023-11-16T18:13:24.98+00:00

Hello,

I have setup API-driven Inbound User Provisioning to On-premise AD using the enterprise application endpoint to provision and sync attribute updates to AD users. Attribute updates are working perfectly, but I can't seem to clear or remove attribute values from AD. I've tried sending null, "" and " " to the endpoint, but none are imported/detected as a change for the attribute (missing from the first Import http://.../DynamicElement from API-step in the logs). Making me think it might not be a feature yet?

Couldn't find any documentation on it besides a similar question on "SAP SuccessFactors to Active Directory user provisioning" (https://learn.microsoft.com/en-us/answers/questions/1191954/how-do-i-clear-an-attribute-value-using-expression).

Thanks in advance.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,783 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,278 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Carlos Solís Salazar 17,871 Reputation points
    2023-11-17T18:42:55.2266667+00:00

    Thank you for sharing your experience regarding the challenge of clearing an attribute value in Azure Active Directory (AD) via PowerShell. It seems like you've already tried several methods, including sending empty strings or null values, without success.

    Indeed, in some cases, setting an attribute to a null or empty value does not clear it in Azure AD. This behavior can be due to the specific nature of certain attributes or limitations within Azure AD's PowerShell implementation.

    As a workaround, you might consider using the Set-AzureADUser cmdlet with a specific approach. For string attributes, sometimes setting them to a single space (" ") instead of an empty string or null can effectively clear them. Here’s a generic example:

    Set-AzureADUser -ObjectId <UserObjectId> -<AttributeName> " "
    

    Replace <UserObjectId> with the user's Object ID and <AttributeName> with the name of the attribute you want to clear.

    Please note that this method may not work for all attributes, and its effectiveness can depend on the specific schema of the Azure AD tenant.

    For a more in-depth understanding and potential alternative solutions, I recommend reviewing the Azure AD PowerShell documentation.

    If this approach does not resolve the issue, it might be beneficial to raise a support ticket with Microsoft Azure support for further assistance, as this could be a limitation or a specific issue with your Azure AD environment.

    I hope this helps, and I'm here for any further questions or guidance!

    Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.