PATCH request with operator "Remove" not getting sent when removing a member from a group

Question

I am looking into Azure AD SCIM Provisioning and I have a question I am hoping I could get some help on. My use case is as follows

1. I created a Group in Azure AD and added "John Smith" and "Jane Smith" as members to it.
2. I went over to my Non-Gallery application added the Group created above to my application and triggered an On-Demand provisioning.
3. Both "John Smith" and "Jane Smith" were successfully created in my local database.
4. I removed "John Smith" from my group and triggered an On-Demand provisioning again.
5. My expectation was that the following PATCH request would be sent by Azure Ad

"Operations": [
{
  "op": "Remove",
  "path": "members",
  "value": "john-smith-id"
}
]

but instead Azure AD sends a PATCH request to /Users with the following body

"schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Add",
            "path": "displayName",
            "value": "John Smith"
        }
    ]

and another PATCH request to /Groups with the following body

"schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Add",
            "path": "externalId",
            "value": "some-guid"
        }
    ]

Is this correct? I feel like I am messing something up when removing the member from the Group which isn't triggering the desired PATCH request

Answer 1

After step #4, I would recommend checking if the user has successfully been removed from the group.

Also, make sure that you're using the right rule ID in the on-demand provisioning request. One easy way to do this is to try through the UI and look at the network traffic ctrl+shift+i

The rule ID can be found in the schema.