Let's address your questions regarding multi-value custom attributes in Microsoft Entra ID.
Behavior of Multi-Value Attributes
When you’re updating a multi-value attribute like department_ids, Entra ID uses an “Add” operation instead of a “Replace” operation. This behavior is by design. When you re-provision a user, Entra ID appends the new value to the existing values rather than replacing them entirely. This is why you’re seeing the unexpected behavior.
Custom Multi-Value Attributes
Custom multi-value attributes are supported in Entra ID, but there are some limitations. According to the Microsoft Entra ID documentation, custom multi-value attributes are currently supported only for applications in the gallery. Since your application is in the gallery but not yet approved for SCIM, this behavior should change once your application is approved for SCIM.
Changing to Replace Operation
To achieve a “Replace” operation for multi-value attributes, you’ll need to handle this logic in your application. Here’s how you can do it:
- Retrieve Existing Values: When updating a user’s department_ids, first retrieve the existing values.
- Modify the Values: Modify the values as needed to reflect the desired changes.
- Send a PATCH Request: Send a PATCH request with the updated values, ensuring the new value replaces the existing ones.
Here’s an example of how you can structure your PATCH request to remove existing values and add the new ones:
{
Remember that custom security attributes in Entra ID allow you to define and assign key-value pairs to objects, providing fine-grained access control. For more information on custom security attributes, you can have a look at these links:
- Custom Security Attributes Overview
- How to Use Custom Security Attributes
- Manage custom security attributes for an application
Next Steps
- Modify your SCIM endpoint to handle the "Remove" operation followed by an "Add" operation as described above.
- Review the attribute mappings in Entra ID to ensure they are correctly set up.
- Monitor the approval process for your application's SCIM support, as full approval may resolve these limitations.
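As an added example (not part of the original answer and not Microsoft's code), the sketch below shows how a SCIM endpoint could apply PatchOp operations to department_ids so that "Add" alone appends while "Remove" followed by "Add" leaves only the new values. The resource shape, the bare department_ids path and the sample values are assumptions made for the illustration.

```python
# Added illustration: SCIM 2.0 PatchOp (RFC 7644, section 3.5.2) applied to
# one multi-valued attribute. Resource shape, the bare "department_ids" path
# and all sample values are constructed assumptions.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _as_list(value):
    """Flatten a PatchOp value (scalar, list, or [{"value": x}]) to a list."""
    if value is None:
        return []
    items = value if isinstance(value, list) else [value]
    return [i["value"] if isinstance(i, dict) else i for i in items]


def apply_patch(user, patch, attr="department_ids"):
    """Return a copy of `user` with the operations targeting `attr` applied."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    current = list(user.get(attr, []))
    for op in patch["Operations"]:
        if op.get("path") != attr:
            continue  # other attributes are out of scope here
        name = op["op"].lower()  # accept "Add" as well as "add"
        values = _as_list(op.get("value"))
        if name == "add":
            # add appends to a multi-valued attribute; old values remain
            current += [v for v in values if v not in current]
        elif name == "remove":
            # no value given: clear the attribute; otherwise drop listed values
            current = [v for v in current if values and v not in values]
        elif name == "replace":
            current = values
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return {**user, attr: current}


def demo():
    """Run add-only and remove-then-add against the same constructed user."""
    user = {"id": "constructed-user-1", "department_ids": ["D100"]}
    add = {"op": "Add", "path": "department_ids", "value": ["D200"]}
    clear = {"op": "Remove", "path": "department_ids"}
    add_only = {"schemas": [PATCH_SCHEMA], "Operations": [add]}
    remove_then_add = {"schemas": [PATCH_SCHEMA], "Operations": [clear, add]}
    return apply_patch(user, add_only), apply_patch(user, remove_then_add)


if __name__ == "__main__":
    print(demo())
```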