Thanks for your patience here.
In short - I think what you wrote above is a reasonable interpretation of what should be expected here. This part of the SCIM spec feels a bit tricky no matter how you look at it, but there are certain parts of the SCIM spec (RFC7644 3.5.2.1) tied to the Patch Add operation that are relevant here:
- If the target location does not exist, the attribute and value are added.
- If the target location specifies an attribute that does not exist (has no value), the attribute is added with the new value.
When interpreting what those mean - you then end up trying to define "target location", which doesn't have a strict definition inside of any of RFCs 7642/43/44. This in turn may be where the trouble is - if "target location" is considered to be emails[type eq "work"].value - if the location does not exist, then the attribute(emails[type eq "work"]) is added, and the value (of the "value" sub-attribute) is added.
What Azure AD's SCIM client should do here is still being investigated, but any changes won't materialize for at least a few quarters. Regardless of whether the spec supports the way our client does this, there's a simpler and more widely compatible solution to achieve the same goal. For the time being, what Azure AD's SCIM client expects is a patch add on a filtered path - such as emails[type eq "work"].value - should add values to both the "type" (if no value of "emails" already exists with a type sub-value of "work") and the "value" sub-values.