Tags: azure, azure-active-directory, scim, scim2, unboundid

Azure AD sends empty value in SCIM PATCH request for multivalued expression


Azure AD is sending an empty value in the PATCH API call. I am using the expression below in the customappsso attribute mapping:

AppRoleAssignmentsComplex([appRoleAssignments])

I am getting the PATCH request as follows:

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "add",
      "path": "urn:ietf:params:scim:schemas:extension:custom:2.0:User.Roles",
      "value": {}
    }
  ]
}

I have specified this URN as a multivalued string in the customappsso attribute section.

This works fine for create. But for update in the PATCH call, it sends an empty value if nothing is changed. As per the SCIM specification, an empty or null value is not supported in PATCH.

I am using the UnboundID SCIM dependency and its PatchRequest class in the controller endpoint.


Solution

  • Custom multi-valued attributes and custom complex attributes aren't supported by AAD/Entra Provisioning. The only exception is custom mv/complex attributes added by MS engineering to gallery application provisioning integrations.

    Unfortunately, the UI doesn't block adding these types of attributes, even if they won't work properly.

    Specifically, for your issue, you shouldn't be using a custom roles attribute - refer to the SCIM schema spec (RFC 7643) and implement the user resource's "roles" attribute that already exists as part of the core user schema. That should resolve your issue. The core user schema's "roles" attribute is the only SCIM attribute that the [appRoleAssignments] source attribute (and its related functions) is intended to map to.
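As an added example (not code from the question, the answer, or the UnboundID SDK), the following Python sketch of a SCIM PATCH handler covers both points on this page: it rejects the empty "value" shown in the question with an RFC 7644 "invalidValue" error instead of letting it reach the data store, and it applies a well-formed PATCH to the core "roles" attribute that the answer recommends. The PATCH bodies, the user record, the role names and every function name are constructed for this illustration.

```python
import json
from copy import deepcopy

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: the PATCH body from the question, with the operation
# wrapped in braces so it parses. The empty "value": {} is the behaviour at issue.
EMPTY_VALUE_PATCH = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {"op": "add",
     "path": "urn:ietf:params:scim:schemas:extension:custom:2.0:User.Roles",
     "value": {}}
  ]
}""")

# Constructed sample: the same change expressed against the core "roles"
# attribute (RFC 7643 section 4.1.2), as the answer recommends.
CORE_ROLES_PATCH = {
    "schemas": [PATCH_OP_SCHEMA],
    "Operations": [
        {"op": "add", "path": "roles",
         "value": [{"value": "Contributor", "primary": True}]}
    ],
}

# Constructed sample user; the id and role are placeholders.
SAMPLE_USER = {
    "schemas": [USER_SCHEMA],
    "id": "user-0001",
    "userName": "bjensen",
    "roles": [{"value": "Reader", "primary": False}],
}


class ScimError(Exception):
    """Carries an RFC 7644 style error response (HTTP status plus scimType)."""
    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status = status
        self.response = {"schemas": [ERROR_SCHEMA], "status": str(status),
                         "scimType": scim_type, "detail": detail}


def validate_patch(body):
    """Reject PatchOp bodies that RFC 7644 section 3.5.2 does not allow.
    Returns the operation list when the body is acceptable."""
    if PATCH_OP_SCHEMA not in body.get("schemas", []):
        raise ScimError(400, "invalidSyntax", "missing PatchOp schema")
    ops = body.get("Operations")
    if not isinstance(ops, list) or not ops:
        raise ScimError(400, "invalidSyntax", "Operations must be a non-empty array")
    for i, op in enumerate(ops):
        name = str(op.get("op", "")).lower()  # tolerate "Add" as well as "add"
        if name not in ("add", "remove", "replace"):
            raise ScimError(400, "invalidSyntax", f"operation {i}: unknown op {name!r}")
        if name == "remove" and not op.get("path"):
            raise ScimError(400, "noTarget", f"operation {i}: remove requires a path")
        if name in ("add", "replace"):
            # add/replace must carry a value; an absent, null or empty value
            # (the Azure AD behaviour from the question) is an invalidValue.
            value = op.get("value")
            if value is None or value == {} or value == [] or value == "":
                raise ScimError(400, "invalidValue",
                                f"operation {i}: add/replace requires a non-empty value")
    return ops


def apply_roles_patch(user, body):
    """Apply validated operations targeting the core multi-valued "roles"
    attribute and return an updated copy. Unknown paths are rejected, not ignored."""
    updated = deepcopy(user)
    for op in validate_patch(body):
        name = op["op"].lower()
        path = op.get("path")
        if path != "roles":
            raise ScimError(400, "invalidPath", f"unsupported path {path!r}")
        if name == "remove":
            updated["roles"] = []
            continue
        incoming = op["value"]
        if isinstance(incoming, dict):
            incoming = [incoming]
        if not all(isinstance(r, dict) and r.get("value") for r in incoming):
            raise ScimError(400, "invalidValue", "each roles entry needs a 'value'")
        if name == "replace":
            updated["roles"] = list(incoming)
        else:  # add: merge, de-duplicating on the "value" sub-attribute
            current = updated.setdefault("roles", [])
            known = {r["value"] for r in current}
            current.extend(r for r in incoming if r["value"] not in known)
    return updated


def handle_patch(user, body):
    """What a controller endpoint would return: (http_status, response_body)."""
    try:
        return 200, apply_roles_patch(user, body)
    except ScimError as e:
        return e.status, e.response


if __name__ == "__main__":
    for body in (EMPTY_VALUE_PATCH, CORE_ROLES_PATCH):
        status, resp = handle_patch(SAMPLE_USER, body)
        print(status, json.dumps(resp, indent=2))
```

Failing closed on the empty value (HTTP 400 with scimType "invalidValue") rather than treating it as a no-op keeps the provisioning log honest: Azure AD's provisioning report will show the rejected operation instead of a silent success, which is the signal you want while the mapping is still pointed at an unsupported custom attribute.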