Hi Hoopla,
Thank you for posting your query on Microsoft Q&A.
The issue where custom attributes in Azure SCIM provisioning do not appear on the initial user creation event but do appear during update events is a recognized behavior in Microsoft Entra ID provisioning.
- During the initial SCIM user creation (POST operation), the provisioning service often sends only core mandatory attributes.
- Custom attributes configured with FlowAlways mapping may not be included in this initial creation payload.
- These custom attributes are sent in subsequent update (PATCH) operations, such as when using on-demand provisioning to force a sync.
- This behavior is due to how the Microsoft Entra provisioning service optimizes initial create operations.
Steps to Troubleshoot and Mitigate:
- Verify Attribute Mapping and Schema Extension: Ensure your custom attributes use the correct SCIM schema URNs, typically in the format: urn:ietf:params:scim:schemas:extension:<CustomExtensionName>:2.0:User:<CustomAttribute>. Confirm these are properly added in Azure provisioning and correspond accurately in your target application’s SCIM schema.
- Set Attribute Flow to FlowAlways: In the Azure portal, for each custom attribute mapping, set the flow behavior to FlowAlways to try sending attributes on each provisioning cycle.
- Trigger Provisioning On-Demand: Use the Azure portal’s on-demand provisioning feature to manually start a sync cycle, which triggers updates and sends the custom attributes.
- Check Provisioning Logs: Review provisioning logs in Azure for any errors or attribute filtering related to custom attributes that might prevent sending.
- Update Schema if Needed: If your target app rejects or errors on certain URNs, adjust the schema or mapping to ensure compatibility.
Known Limitations:
- Custom attributes might not be sent during initial user creation by design in current Microsoft Entra provisioning service behavior.
- This is not a preview limitation but a current state that may improve with future updates.
References:
- Customize Microsoft Entra attribute mappings (learn.microsoft)
- Extend API-driven provisioning to sync custom attributes (learn.microsoft)
- Known issues for provisioning in Microsoft Entra ID (learn.microsoft)
Please click "Accept as Answer" if this resolves your issue. This will help others with similar questions find the solution.
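An added example, not part of the original answer and not Microsoft's code: one way a target application's SCIM endpoint can handle the sequence described above, accepting a create (POST) that carries only core attributes and applying the custom extension attribute when the later PATCH arrives. The extension name `Contoso`, the attribute `costCenter`, the helper names and the in-memory store are assumptions for illustration.

```python
# Added example: minimal in-memory SCIM receiver logic (hypothetical names).
# EXT and "costCenter" stand in for
# urn:ietf:params:scim:schemas:extension:<CustomExtensionName>:2.0:User:<CustomAttribute>.
EXT = "urn:ietf:params:scim:schemas:extension:Contoso:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
users = {}


def create_user(body):
    """POST /Users: accept a payload that carries only core attributes."""
    if not body.get("userName"):
        raise ValueError("userName is required")
    user = {
        "schemas": [CORE],
        "id": str(len(users) + 1),
        "userName": body["userName"],
        "active": body.get("active", True),
    }
    # Store the extension only if the create payload actually carries it.
    if isinstance(body.get(EXT), dict):
        user[EXT] = dict(body[EXT])
        user["schemas"].append(EXT)
    users[user["id"]] = user
    return user


def patch_user(user_id, body):
    """PATCH /Users/{id}: apply add/replace/remove on extension attributes."""
    user = users[user_id]
    for op in body.get("Operations", []):
        verb = op.get("op", "").lower()  # tolerate "Add" / "Replace" casing
        path = op.get("path", "")
        if not path.startswith(EXT + ":"):
            continue  # core-attribute paths are not handled in this example
        attr = path[len(EXT) + 1:]
        ext = user.setdefault(EXT, {})
        if verb in ("add", "replace"):
            ext[attr] = op["value"]
        elif verb == "remove":
            ext.pop(attr, None)
        if EXT not in user["schemas"]:
            user["schemas"].append(EXT)
    return user


def missing_custom_attributes(user, required=("costCenter",)):
    """Extension attributes not yet received; empty once the PATCH has landed."""
    ext = user.get(EXT, {})
    return [name for name in required if name not in ext]
```

If the application derives access decisions from a custom attribute, `missing_custom_attributes` gives it a way to keep a newly created account at its most restrictive default until the update arrives.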