Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Azure SCIM Patch behavior when using AssertiveAppRoleAssignmentsComplex
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 4%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
Huy Phan
5
Reputation points
I have an Enterprise Application which enable provisioning and I need multiple roles can be configure. I follow this guide https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app and using AssertiveAppRoleAssignmentsComplex.
My application configure customappsso User Attributes as follow:
- Name: roles
- Type: string
- Multi-value: checked (true)
But currently I have an issue when provision as that when a GET request come and my application already response with
# GET /Users/******@example.onmicrosoft.com
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "******@example.onmicrosoft.com",
"userName": "******@.onmicrosoft.com",
"active": true,
"roles": [
{
"value": "User.Jenkins",
"displayName": "User.Jenkins"
}
]
}
However, Azure still send a PATCH request
# PATCH when just one app role assigned
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Add",
"path": "roles",
"value": [
{
"value": "{\"id\":\"30c0b75b-45c4-41a5-b8cc-eeed272018fa\",\"value\":\"User.Jenkins\",\"displayName\":\"User.Jenkins\"}"
}
]
}
]
}
# PATCH when two app roles assigned
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Add",
"path": "roles",
"value": [
{
"value": "{\"id\":\"30c0b75b-45c4-41a5-b8cc-eeed272018fa\",\"value\":\"User.Jenkins\",\"displayName\":\"User.Jenkins\"}"
},
{
"value": "{\"id\":\"f0d3f072-5ecd-4494-ab7d-a4e9699fb063\",\"value\":\"User.JFrog\",\"displayName\":\"User.JFrog\"}"
}
]
}
]
}
Am I return a wrong response structure for GET request?
Best regards, Huy
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2025-04-10T10:37:15.2533333+00:00 Hello @Huy Phan,
I understand the issue you're facing: Azure is sending unnecessary PATCH requests to add roles even though they are already assigned to the user. This can be caused by how the GET response is structured or how the PATCH request is handled.
Ensure your GET request returns roles with
id,value, anddisplayNamefor each role, matching the SCIM standard. For example:"roles": [ { "id": "xxx", "value": "User.Jenkins", "displayName": "User.Jenkins" } ]Before sending the PATCH request, verify whether the role is already assigned to the user. If the role is already present, avoid sending
Addoperations.To resolve this, ensure that your application correctly handles the PATCH requests by checking existing roles and replacing them as needed, rather than simply adding new ones. This behavior is crucial for maintaining the integrity of role assignments in your application.
Let me if any further queries - feel free to reach out!
-
Anonymous
2025-04-11T00:48:30.74+00:00 Hello @Huy Phan, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Anonymous
2025-04-14T03:54:53.16+00:00 Hello @Huy Phan, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Huy Phan 5 Reputation points
2025-04-21T03:27:46.65+00:00 Hi @Rukmini
Sorry for late response as I just back from vacations. The issues is that even if I have the ID in with the GET with correct SCIM structure you mention
"roles": [ { "id": "xxx", "value": "User.Jenkins", "displayName": "User.Jenkins" } ]However, Azure still send me a PATCh request as above which it thinks I still do not have those roles.
I also made a test with roles attribute is not a multi value then it works as expected which are:
- If I have a GET already then no PATCH will be sent
- If I update the RoleAssignment then PATCH with Replace is sent
-
Anonymous
2025-04-21T03:48:30.87+00:00 @Huy Phan, The issue arises because Azure expects each role in the GET response as a stringified JSON object under the
valuefield whenrolesis marked as multi-valued. Returning roles as proper JSON objects causes Azure to think they’re missing, hence the redundant PATCH. Whenmulti-valuedis set to false, Azure compares the actual object and behaves correctly. To fix it, format each role as a string in thevaluefield exactly matching Azure’s PATCH format. -
Anonymous
2025-04-22T06:17:41.0466667+00:00 @Huy Phan, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Huy Phan 5 Reputation points
2025-04-22T07:35:57.15+00:00 Hi @Rukmini , I also try like you suggested.
"roles": [ { "id": "xxx", "value": "{\"id\":\"xxx\",\"value\":\"User.Jenkins\",\"displayName\":\"User.Jenkins\"}", "displayName": "User.Jenkins" } ]I also try to response the GET as:
- Role as JSON stringified for value (Stringified string include or exclude ID).
- roles is an array of string which is JSON stringified
Azure still sent a PATCH request request for add those missing value
{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], "Operations": [ { "op": "Add", "path": "roles", "value": [ { "value": "{\"id\":\"6a1afbc7-e867-4f82-81be-7d4e0fc4ea89\",\"value\":\"User.Jenkin\",\"displayName\":\"Usser.Jenkin\"}" } ] } ] }As there's not much progress and I have other tasks as well so it might take a while for me to retest these.
-
Anonymous
2025-04-22T09:00:02.9633333+00:00 @Huy Phan,
To stop Azure from sending redundant PATCH requests, your SCIM
GET /Usersresponse must return roles as proper JSON objects, not stringified values:"roles": [ { "id": "6a1afbc7-e867-4f82-81be-7d4e0fc4ea89", "value": "User.Jenkins", "displayName": "User.Jenkins" } ]Do not wrap
valuein a JSON string — return it as a plain string inside a complex object. Make sureid,value, anddisplayNameexactly match what Azure sends in the PATCH. Take your time and feel free to reach out to us if any further query! -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 42%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECZ%3C/text%3E%3C/svg%3E)
Cedric Zimmermann 10 Reputation points2025-09-16T07:50:46.17+00:00 Hello @Anonymous !
I am facing the exact same issue as described above. I have the exact same setup with the roles attribute defined as a multi-valued string. The roles attribute mapping set to
AssertiveAppRoleAssignmentsComplex([appRoleAssignments]):
I tried all your suggestions above with no luck:
- Returning the role as JSON with
value,display,primaryandtype - Changing
displaytodisplayNameto match Entra format - Removing extra properties and add the
idto match exactly what we get in the PATCH payload - Stringifying the JSON objects combinations described above and put it as
valueas suggested to match exactly what we get from Entra (in the PATCH)
It looks like no matter what I do, Entra keeps on patching the roles.
I'm testing all this in in the 'Provision on demand' section, here is what we can see from the details:
1. Import user:
2. Determine if user is in scope: Yes
3. Match user between source and target system:
Here we return therolesas part of the GET request, for instance (it's one of our tries):"roles": [ { "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f", "value": "individual", "displayName": "sym-individual" }, { "id": "e38ff864-1503-4e65-b69a-4100681cd336", "value": "teams", "displayName": "sym-teams" } ]It results in the following data on entra side:
We can see the roles are properly assigned to the role value returned in the GET request, and yet..
4. Perform action
Old valueis empty and in the patch we get the two roles as we see here in the New value section:{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], "Operations": [ { "op": "Add", "path": "roles", "value": [ { "value": "{\"id\":\"e38ff864-1503-4e65-b69a-4100681cd336\",\"value\":\"teams\",\"displayName\":\"sym-teams\"}" }, { "value": "{\"id\":\"18d14569-c3bd-439b-9a66-3a2aee01d14f\",\"value\":\"individual\",\"displayName\":\"sym-individual\"}" } ] } ] }It seems the mismatch lies in how
rolesare mapped toappRoleAssignments.Any suggestions on how to fix this behavior?
Best regards,
Cedric Zimmermann. - Returning the role as JSON with
Sign in to comment
Sign in to answer