Hello!
I've been troubleshooting an issue with group membership updates in our SCIM app and am seeing some unexpected behavior from Microsoft Entra. Specifically, I have a group with four members, so I anticipate four separate PATCH requests to the group's endpoint, each with an `add` operation for a new member.
However, instead of `add` operations, I frequently receive four `replace` operations. This causes only one user to be added to the group, as each `replace` operation overwrites the `members` field with a single new entry. Here’s an example request body:
```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "members",
      "value": [{ "value": "<user_id>" }]
    }
  ]
}
```
My questions are:
- Why would Entra send `replace` operations for each member instead of `add` operations?
- Is this expected behavior, or could it be a known issue with group membership updates?
According to this related Q&A, Entra should not be sending `replace` operations in this scenario. Is there a recommended workaround to ensure correct group membership synchronization?
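
The overwrite described in the question, as an added example that is not part of the original post and is neither Entra's nor the poster's code: an in-memory handler that applies `add` and `replace` on `members` following the RFC 7644 PATCH semantics, replayed once per user. The group, the user ids, and all function names are constructed for illustration; `dropped_members` is an assumed audit check for logging patches that would shrink a group.

```python
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def member_patch(op, user_id):
    """Build a request body shaped like the one in the post (user_id is constructed)."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": op, "path": "members", "value": [{"value": user_id}]}],
    }


def apply_members_patch(group, patch):
    """Return a copy of group after applying add/replace operations on 'members'."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(group)
    members = result.setdefault("members", [])
    for operation in patch["Operations"]:
        kind = operation["op"].lower()  # accept any letter case for the op name
        if operation.get("path") != "members":
            raise ValueError("this example only handles path 'members'")
        incoming = copy.deepcopy(operation.get("value", []))
        if kind == "add":
            # add on a multi-valued attribute appends; skip ids already present
            for member in incoming:
                if member["value"] not in {m["value"] for m in members}:
                    members.append(member)
        elif kind == "replace":
            # replace on the attribute itself swaps the whole member list
            members[:] = incoming
        else:
            raise ValueError(f"unsupported op: {operation['op']}")
    return result


def dropped_members(group, patch):
    """Ids the patch would remove; a non-empty result is worth logging for review."""
    before = {m["value"] for m in group.get("members", [])}
    after = {m["value"] for m in apply_members_patch(group, patch).get("members", [])}
    return sorted(before - after)


def sync(op, user_ids):
    """Replay one PATCH per user, as in the post, and return the final member ids."""
    group = {"id": "group-1", "members": []}  # constructed sample group
    for user_id in user_ids:
        group = apply_members_patch(group, member_patch(op, user_id))
    return [m["value"] for m in group["members"]]
```

Calling `sync("replace", ...)` with four ids leaves only the last one in the group, while `sync("add", ...)` keeps all four.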