Why is Entra ID sending 'Add' Operations instead of 'Replace' Operations in PATCH request for multi-value attributes?

Question

Why is Entra ID sending 'Add' Operations instead of 'Replace' Operations in PATCH request for multi-value attributes?

Test Admin 25

I'm working on updating my application's SCIM endpoints to support Microsoft Entra ID, and I just noticed some strange behavior when a User is being updated, which seems specific to multi-value attributes.

In my Entra ID testing environment, I've set up the User Attribute Mappings to include a custom attribute, and checked the box for Multi-Value?: urn:ietf:params:scim:schemas:extension:greenhouse:2.0:User:department_ids, and am setting the value via an Expression on the User's department field: Split([department], ","). The odd behavior I'm experiencing is this - when I provision a User, and then update the department field on the Entra ID User, and re-provision them, I can see that the PATCH request being sent includes an Add Operation, rather than a Replace, which is what I would have expected. The body of the request looks like this:

{
  "schemas" => ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations" => [
    {
      "op" => "Add",
      "path" => "
urn:ietf:params:scim:schemas:extension:greenhouse:2.0:User:department_ids
",
      "value" => [{ "value" => "1"}]
    }
}

This is causing unexpected behavior, because from the perspective of someone trying to update a User in Entra ID, when they clear out and update the value of the User's department field, it should overwrite any existing value, i.e. trigger a Replace Operation. But instead since this is triggers an Add Operation, the end result is this: when a User in our application already has a value set for this department_ids, we will append that value to the existing value, and so the Entra ID User and the User in our application are out of sync.

How can I change things to trigger a Replace Operation in this case, rather than an Add? Am I mis-configuring this custom multi-value attributes? I have seen some confusing information in the Entra ID docs about custom mult-value attributes not being fully supported. For example from this documentation page:

Custom attributes can't be referential attributes, multi-value, or complex-typed attributes. Custom multi-value and complex-typed extension attributes are currently supported only for applications in the gallery.

Our application is in the Gallery, but is not yet approved for use with SCIM: does this mean this behavior with multi-value custom attributes will change once the application is approved for SCIM?

Finally, I also found two other similar questions (1 and 2), but the answer for 1 didn't apply in my case, and answer for the second was not particularly helpful.

2 answers

Your answer

Answer 1

Danny Zollner 10,821 Microsoft Employee Moderator

As mentioned in the documentation that you quoted, custom multi-valued attributes are not supported. Not supported doesn't always mean "won't work at all" and can sometimes mean that the scenario hasn't been intentionally accounted for in the software design.

You cannot change the current behavior and should avoid using custom multi-valued attributes. Ideally the provisioning service would disallow you from configuring this, but that safeguard/restriction is not in place. If/when we add support for custom multi-valued attributes in the future, additional controls such as whether to use add or replace may be added, in addition to documentation on the behaviors of the provisioning service when interacting with multi-valued attributes.

Test Admin 25 Reputation points

2024-06-12T18:38:39.9+00:00

Hi Danny,

Thanks for the clarification! Can I find any information about what support there will be when my application is approved for use in the Gallery? The quote from the docs I put in my original question does state:

Custom multi-value and complex-typed extension attributes are currently supported only for applications in the gallery.

But doesn't elaborate on exactly what that support entails, and that's what I'm trying to figure out. When my application is approved in the Gallery, and we begin using it, will I be able in any way to change how the PATCH Operations are triggered for multi-value attributes?

Thank you,

Peter
Danny Zollner 10,821 Reputation points Microsoft Employee Moderator

2024-06-12T22:31:54.98+00:00

As someone very closely involved in the gallery integration process, without investigating I couldn't tell you. SCIM allows for simple multi-valued attributes, but the schemas defined in the SCIM specifications have zero of them. This isn't a very common scenario.

I'll ask the engineering team and will respond back if I learn anything.

Potentially sidestepping this problem for you entirely - if you're aiming to end up in the gallery and source this from the Entra ID "department" attribute, which is single-valued I believe, why are you not using the Enterprise User schema's department attribute that is defined in the SCIM spec?
Test Admin 25 Reputation points

2024-06-13T18:03:52.96+00:00

Hi Danny,

Thank you for forwarding the question to the engineering team! Please let me know what their findings are.

A little context about our use case: in our application, Users may be associated with multiple Departments, which is why we would like to support a multi-value attribute for department_ids. We have an existing SCIM implementation which supports this (and other multi-value fields), but the only provider we support currently is Okta, and we're currently in the process of building support for Entra ID. We haven't run into any issues with multi-value attributes in our original implementation w/ Okta - this isn't meant to be a complaint or a "why can't you just do it like them" comment, but just to clarify that we have functionality built on a Schema that employs multi-value attributes like this. And ideally we wouldn't want to change the structure of our Schema, or to have multiple provider-specific Schemas. But that might be what we end up having to do, depending on how Entra ID supports multi-value attributes.

Thanks,

Peter
Òscar Segura 0 Reputation points

2026-02-09T16:08:04.26+00:00
@Danny Zollner thank you for your feedback on this. We were going a bit nuts trying to find documentation to this regard.

SCIM allows for simple multi-valued attributes, but the schemas defined in the SCIM specifications have zero of them. This isn't a very common scenario.

Just focusing with the SCIM specifications, and having the replace operation as a very valid operation that for single valued attributes does exactly the same as the add operation (at a practical sense), it makes anyone wonder how come replace wasn't used instead, provided that multi-valued attributes on the SCIM provider side would not keep previous values (very common, as SCIM allows for custom schemas; the very reason why we can add API attributes to the Attributes list of the advanced options in the Provisioning Mappings).

@William Nieto When you’re updating a multi-value attribute like department_ids, Entra ID uses an “Add” operation instead of a “Replace” operation. This behavior is by design. When you re-provision a user, Entra ID appends the new value to the existing values rather than replacing them entirely.

According Google Search AI Mode (although no supporting documentation was provided), this measure was to prevent deletion of existing data. In other words: the Entra SCIM provisioning client was designed by acknowledging that replace is a completely valid operation (hence they used add instead), and yet, there is no support to for using replace.

To be fair, and you can ask this to all enterprises with a Gallery Application, they are probably working around the add operation on their SCIM Provider for certain multi-valued attributes of their custom SCIM Schema by changing the behaviour to a replace operation when the request from the Entra SCIM client is processed/consumed.

This is in fact what we are studying to do in our SCIM Provider (on per attribute basis), because Entra ID is NOT compliant with the SCIM specifications for multi-valued attributes when it comes to build the request; where the replace operations is a completely valid and necessary operation.

The expression builder, and therefore the expression evaluator used in the mappings, as well, do NOT support multi-valued attributes on the Entra ID side. Regardless on how much work it entails to do some rework to this regard, this should not only be changed to offer real support for multi-valued properties, but also the expression builder and the evaluator, provided that it can return an Array (or multiple values).

You cannot change the current behavior and should avoid using custom multi-valued attributes.

If the Entra ID provisioning-related Microsoft team understood that it is good for Entra's market to widen their lens, it would be possible to change the current behaviour by adding a new flag (url argument) as shown in the documentation below:

Known issues and resolutions with SCIM 2.0 protocol compliance of the Microsoft Entra user provisioning service. Section: Flags to alter the SCIM behavior

A flag that could just say: always use replace for multi-valued API attributes.

Alternatively, and as requested, by the person who initiated the post, in a way of a question of how you would supposedly configure it in per mapping entry, by adding a new column in the mappings table for multi-valued attributes called: Add/Replace, for instance.

Some reflection:

Please observe that the SCIM standard itself offers filters for complex multi-valued attributes such as phones, and addresses. Preserving values as a default measure sounds like creating not-up-to-date data. It might appear as desired default value to many cases, yet not the universal and unique method to build an integration.

The simpler the better also means that integration team members do not need to be constantly testing something that does NOT have clear documentation, such as plain multi-valued attributes. Just give me one simple example of the official documentation, if you may.

When we reach this point, it means that everything else failed. By everything else we mean how we would expect Entra ID Provisioning to work with multi-valued attributes. Then, finally, we reach this point, and the most immediate questions that arise from this are the ones already included in all this thread.

What does that mean?

It means that the documentation was made ambiguous, imprecise or omitting on purpose. In other words, it means that SCIM Entra Provisioning is incomplete on purpose.

Now, what that purpose is is still unclear. A bit more of transparency may save to all of us a lot of headaches, if you understand what I mean.

For the rest, thank you for your attention and support.

Answer 2

Let's address your questions regarding multi-value custom attributes in Microsoft Entra ID.

Behavior of Multi-Value Attributes

When you’re updating a multi-value attribute like department_ids, Entra ID uses an “Add” operation instead of a “Replace” operation. This behavior is by design. When you re-provision a user, Entra ID appends the new value to the existing values rather than replacing them entirely. This is why you’re seeing the unexpected behavior.

Custom Multi-Value Attributes

Custom multi-value attributes are supported in Entra ID, but there are some limitations. According to the Microsoft Entra ID documentation, custom multi-value attributes are currently supported only for applications in the gallery. Since your application is in the gallery but not yet approved for SCIM, this behavior should change once your application is approved for SCIM.

Changing to Replace Operation

To achieve a “Replace” operation for multi-value attributes, you’ll need to handle this logic in your application. Here’s how you can do it:

Retrieve Existing Values: When updating a user’s department_ids, first retrieve the existing values.
Modify the Values: Modify the values as needed to reflect the desired changes.
Send a PATCH Request: Send a PATCH request with the updated values, ensuring the new value replaces the existing ones.

Here’s an example of how you can structure your PATCH request to remove existing values and add the new ones:

jsonCopy code
{

Remember that custom security attributes in Entra ID allow you to define and assign key-value pairs to objects, providing fine-grained access control. For more information on custom security attributes, you can have a look at these links:

Next Steps

Modify your SCIM endpoint to handle the "Remove" operation followed by an "Add" operation as described above.
Review the attribute mappings in Entra ID to ensure they are correctly set up.
Monitor the approval process for your application's SCIM support, as full approval may resolve these limitations.

William Nieto 545 Reputation points

2024-06-08T01:52:23.75+00:00

I wanted to provide you with some additional insights regarding the behavior of multi-value attributes in PATCH requests:

When dealing with multi-value attributes in PATCH requests, Entra ID’s behavior might seem counterintuitive. Instead of using ‘Replace’ operations, it sends ‘Add’ operations. This behavior is due to the way multi-value attributes are handled in SCIM (System for Cross-domain Identity Management).

In SCIM, multi-value attributes are typically represented as arrays. When you send a PATCH request to update a multi-value attribute, Entra ID interprets it as an array modification. If you use a ‘Replace’ operation, it would replace the entire array with the new value, potentially removing existing values. To avoid unintentional data loss, Entra ID uses ‘Add’ operations to append new values to the existing array.

Here’s an example to illustrate this:

Suppose you have a custom multi-value attribute called “Skills” with the following values:

Skills: [“Java”, “Python”]

If you send a PATCH request with a ‘Replace’ operation like this:

jsonCopy code {

Entra ID would interpret this as replacing the entire “Skills” array with [“C#”], resulting in:

Skills: [“C#”]

To preserve existing values, Entra ID uses ‘Add’ operations instead. For the same scenario, an ‘Add’ operation would look like this:

jsonCopy code {

This would result in:

Skills: [“Java”, “Python”, “C#”]

Remember to handle multi-value attributes accordingly in your application’s SCIM endpoints to align with Entra ID’s behavior. If you encounter any issues, consider checking your SCIM implementation and ensure that you’re using the appropriate operations for multi-value attributes.

Share via

Why is Entra ID sending 'Add' Operations instead of 'Replace' Operations in PATCH request for multi-value attributes?

2 answers

Your answer