I need to get a PATCH Users request with the added group in the "groups" attribute (Json) if a User in Entra is added to a group (by editing the Group and adding the user).
First of all, is it even possible to get a PATCH Users request when a User in Entra/Azure AD is added to a Group? I hope so!
In https://datatracker.ietf.org/doc/html/rfc7643#section-4.1 it seems there is a "groups" attribute available for the Users, but I can not select it in Entra when editing attribute mappings. There is no "groups" attribute available in my "Source attribute" drop down list.
I have the P1 license.
What do I have to do? I'm frustrated... Thank you in advance!
asked Nov 19, 2024 at 10:42 by Powerslave
- When using Microsoft Entra for provisioning, the "groups" attribute is not directly selectable in the attribute mappings for user provisioning. This is because group provisioning and user provisioning are treated as distinct concepts. While you can assign a user to a group, provisioning the group attributes (like the "groups" attribute) is not required for using groups in assignments. – Rukmini Commented Nov 19, 2024 at 12:18
- As for receiving a PATCH Users request when a user is added to a group, group provisioning and deprovisioning are optional features. If implemented and enabled, Microsoft Entra ID sends specific messages to manage the lifecycle of groups, but it does not automatically trigger a PATCH request for user attributes related to group membership. – Rukmini Commented Nov 19, 2024 at 12:18
- Hence, if you want to manage group memberships, you may need to handle this through separate API calls or configurations, as the direct mapping for "groups" may not be available in your current setup. Let me know if this is helpful – Rukmini Commented Nov 19, 2024 at 12:19
- Alright, thank you! – Powerslave Commented Nov 19, 2024 at 14:06
2 Answers
In the same section of RFC 7643 that you linked, in the description of the User resource's "groups" attribute, the following explains why Entra provisioning does not allow attempting to update the "groups" attribute on the User resource.
Since this attribute has a mutability of "readOnly", group membership changes MUST be applied via the "Group" Resource (Section 4.2). This attribute has a mutability of "readOnly".
Note that: When using Microsoft Entra for provisioning, you can't directly choose the "groups" attribute in the user attribute mappings because group provisioning and user provisioning are handled as separate processes.
- Even though you can assign a user to a group, it's not necessary to provision the group attributes (like the "groups" attribute) in order to use groups for assignments.
- When a user is added to a group, Microsoft Entra ID does not automatically send a PATCH request to update the user's group membership.
- Group provisioning and deprovisioning are optional features. If these features are enabled, Microsoft Entra ID sends specific messages to manage the group's lifecycle, but it doesn’t automatically update the user’s group-related attributes.
As mentioned in this blog, as this attribute is "readOnly", any changes to group membership must be made through the "Group" Resource.
Therefore, to manage group memberships, you might need to use separate API calls or configurations, since the "groups" mapping may not be available in your current setup.
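To make the answer concrete on the application side, here is an added example (my own code, not from the answer above, from Microsoft, or from any SCIM library) of how a SCIM endpoint should treat the two resources: a PATCH against /Users/{id} that tries to write "groups" is refused with an RFC 7644 "mutability" error, while membership changes arrive as PATCH /Groups/{id} operations on "members", which is the shape the Entra provisioning service uses (an "add" with path "members", a "remove" with a `members[value eq "..."]` filter). The User's read-only "groups" value is then derived from Group membership rather than stored on the User. The in-memory store, the user and group ids and the function names are all constructed assumptions for the example; plug the same logic behind whatever web framework your app uses.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed in-memory store standing in for the SCIM app's database (example data).
USERS: Dict[str, Dict[str, Any]] = {
    "u-1": {"id": "u-1", "userName": "alice@example.com", "active": True},
}
GROUPS: Dict[str, Dict[str, Any]] = {
    "g-1": {"id": "g-1", "displayName": "Engineering", "members": []},
}

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# Path filter used by Entra when it removes one member: members[value eq "<user id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$', re.IGNORECASE)


def scim_error(status: int, detail: str, scim_type: Optional[str] = None) -> Tuple[int, Dict[str, Any]]:
    """Build an RFC 7644 section 3.12 error response; scimType is optional."""
    body: Dict[str, Any] = {"schemas": [ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def _attr_of(path: Optional[str]) -> str:
    """Top-level attribute named by a PATCH path: 'members[...]' -> 'members', 'name.givenName' -> 'name'."""
    return (path or "").split("[", 1)[0].split(".", 1)[0].lower()


def patch_user(user_id: str, patch: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """PATCH /Users/{id}. Applies simple attribute changes but refuses writes to the readOnly 'groups'."""
    if patch.get("schemas") != [PATCH_OP]:
        return scim_error(400, "Body must be a PatchOp", "invalidSyntax")
    user = USERS.get(user_id)
    if user is None:
        return scim_error(404, f"User {user_id} not found")
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()
        path = op.get("path")
        value = op.get("value")
        # A client can try to write groups with an explicit path, or with a
        # path-less op whose value object carries a "groups" key; reject both.
        touches_groups = _attr_of(path) == "groups" or (
            path is None and isinstance(value, dict) and any(k.lower() == "groups" for k in value)
        )
        if touches_groups:
            return scim_error(400, "User.groups is readOnly (RFC 7643 section 4.1.2); "
                                   "change membership via PATCH /Groups/{id}", "mutability")
        if kind in ("add", "replace"):
            if path is None and isinstance(value, dict):
                user.update(value)
            elif path is not None:
                user[path] = value
            else:
                return scim_error(400, "Path-less op needs an object value", "invalidValue")
        elif kind == "remove" and path is not None:
            user.pop(path, None)
        else:
            return scim_error(400, f"Unsupported operation {kind!r} on {path!r}", "invalidPath")
    return 200, user


def patch_group(group_id: str, patch: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """PATCH /Groups/{id}: the only SCIM way to change which groups a user belongs to."""
    if patch.get("schemas") != [PATCH_OP]:
        return scim_error(400, "Body must be a PatchOp", "invalidSyntax")
    group = GROUPS.get(group_id)
    if group is None:
        return scim_error(404, f"Group {group_id} not found")
    members: List[Dict[str, Any]] = group["members"]
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()
        path = op.get("path")
        filt = MEMBER_FILTER.match(path) if path else None
        if kind == "add" and _attr_of(path) == "members":
            for m in op.get("value", []):
                uid = m["value"]
                if uid not in USERS:  # never create membership for an id we never provisioned
                    return scim_error(400, f"Unknown member {uid}", "invalidValue")
                if all(x["value"] != uid for x in members):
                    members.append({"value": uid})
        elif kind == "remove" and filt:
            uid = filt.group(1)
            members[:] = [x for x in members if x["value"] != uid]
        elif kind == "remove" and (path or "").lower() == "members":
            members.clear()
        elif kind == "replace" and path is None and isinstance(op.get("value"), dict):
            for k, v in op["value"].items():  # e.g. displayName rename; members only via add/remove
                if k.lower() != "members":
                    group[k] = v
        else:
            return scim_error(400, f"Unsupported operation {kind!r} on {path!r}", "invalidPath")
    return 200, group


def groups_of(user_id: str) -> List[Dict[str, str]]:
    """Derive the readOnly User.groups value that GET /Users/{id} should return."""
    return [
        {"value": g["id"], "display": g["displayName"], "$ref": f"../Groups/{g['id']}"}
        for g in GROUPS.values()
        if any(m["value"] == user_id for m in g["members"])
    ]
```

The practical consequence for the original question: in the Entra enterprise app, make sure groups (not only users) are assigned to the application and that group provisioning is enabled in the mapping settings; the membership change you are waiting for then shows up as a PATCH on the Group resource, and your app computes the user's "groups" from it, as `groups_of` does here.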