Unexpected SCIM Group Membership Updates in Azure: Receiving Replace Operations Instead of Add

Question

Unexpected SCIM Group Membership Updates in Azure: Receiving Replace Operations Instead of Add

Peter Seely 20

Hello!

I've been troubleshooting an issue with group membership updates in our SCIM app and am seeing some unexpected behavior from Microsoft Entra. Specifically, I have a group with four members, so I anticipate four separate PATCH requests to the group's endpoint, each with an add operation for a new member.

However, instead of add operations, I frequently receive four replace operations. This causes only one user to be added to the group, as each replace operation overwrites the members field with a single new entry. Here’s an example request body:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "members",
      "value": [{ "value": "<user_id>" }]
    }
  ]
}

My questions are:

Why would Entra send replace operations for each member instead of add operations?
Is this expected behavior, or could it be a known issue with group membership updates?

According to this related Q&A, Entra should not be sending replace operations in this scenario. Is there a recommended workaround to ensure correct group membership synchronization?

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Givary-MSFT 35,771 Microsoft Employee Moderator

@Peter Seely Thank you for reaching out to us, As per our documentation - https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#update-group-add-members:~:text=204%20No%20Content-,Update%20Group%20%5BAdd%20Members%5D,-Request

above mentioned behavior seems to be incorrect, would appreciate for further investigation, would recommend to open a support ticket with us.

Let me know if you have any further questions, feel free to post back.

Peter Seely 20 Reputation points

2024-11-15T19:03:11.8+00:00
Hi! Thanks for your response.

I believe I’ve identified the issue: Entra sends replace operations instead of add if the GET response for the group includes the members field.

Since members was included in excludedAttributes, it shouldn’t have been returned, which would have avoided the issue. That said, the developer experience could be improved by either:

Surfacing this as an error, or

Handling unexpected additional information more robustly.
Givary-MSFT 35,771 Reputation points Microsoft Employee Moderator

2024-11-18T12:36:21.3233333+00:00

@Peter Seely Thanks for the update and steps you followed to resolve this issue. Also, thank you for the feedback related to the product improvement.

You can share your product feedback over https://feedback.azure.com which is closely monitored by our product team.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Juraj Žovinec 0 Reputation points

2025-08-12T12:37:30.01+00:00

Givary-MSFT Do you have an access to developers' backlog and can you please double check whether this technical issue got addressed by dev-team ?

I think this has been fixed in the last couple of months as I am unable to replicate this behavior (multiple "replace" operations with one user instead of the "add" operation).

Answer 2

Peter Seely 20

I’ve identified the issue: Entra sends replace operations instead of add if the GET response for the group includes the members field. Since Entra includes members in the excludedAttributes argument for the GET request, it should not be returned, and the issue is thus resolved.

In short, respecting the attributes and excludedAttributes arguments for SCIM groups GET requests, as described in the RFC 7644 solved the issue for me.

Share via

Unexpected SCIM Group Membership Updates in Azure: Receiving Replace Operations Instead of Add

1 additional answer

Your answer