msgraph-sdk-powershell icon indicating copy to clipboard operation
msgraph-sdk-powershell copied to clipboard
verified publisher icon microsoftgraph

Update-MgUser unable to remove CustomSecurityAttribute value from user

Open mariussm opened this issue 1 month ago • 0 comments

Describe the bug

I am trying to remove a customSecurityAttribute from a user, by setting an attribute value to null through the CustomSecurityAttributes parameter of Update-MgUser. However, the body is not sent correctly to Graph, causing the null to never be set.

Expected behavior

The customSecurityAttribute is removed from the user through a patch request with a null value.

How to reproduce

Update-MgUser -userid ce3d945f-fc56-4b19-9891-665ca05a998d -CustomSecurityAttributes @{
    "IssueTokenCSA" = @{
        "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
        "ssn"         = $null
    }   
}

SDK Version

2.32.0

Latest version known to work for scenario above?

No response

Known Workarounds

Forging the request manually works just fine:

Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/ce3d945f-fc56-4b19-9891-665ca05a998d" -Body (@{
        "customSecurityAttributes" = @{
            "IssueTokenCSA" = @{
                "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
                "ssn"         = $null
            }
        }
    } | ConvertTo-Json -Depth 10) -ContentType "application/json"

Debug output

As you can see, the body is missing the ssn = null part.

Click to expand log Update-MgUser -userid ce3d945f-fc56-4b19-9891-665ca05a998d -CustomSecurityAttributes @{ "IssueTokenCSA" = @{ "@odata.type" = "#microsoft.graph.customSecurityAttributeValue" "ssn" = $null } } -Debug

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: PATCH

Absolute Uri: https://graph.microsoft.com/v1.0/users/ce3d945f-fc56-4b19-9891-665ca05a998d

Headers: FeatureFlag : 00000003 Cache-Control : no-store, no-cache User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26200; en-150),PowerShell/7.5.4 SdkVersion : graph-powershell/2.32.0 client-request-id : 88290648-0f15-498c-b257-90c5097cb246 Accept-Encoding : gzip,deflate,br

Body: { "customSecurityAttributes": { "IssueTokenCSA": { "@odata.type": "#microsoft.graph.customSecurityAttributeValue" } } }

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: NoContent

Headers: Cache-Control : no-cache Strict-Transport-Security : max-age=31536000 request-id : 3ab5e8b8-9202-4f58-be61-c107ef6572f6 client-request-id : 88290648-0f15-498c-b257-90c5097cb246 x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Norway East","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"OSL2EPF00000164"}} x-ms-resource-unit : 1 Date : Tue, 18 Nov 2025 10:35:04 GMT

Body:

DEBUG: [CmdletEndProcessing]: - Update-MgUser end processing.

Configuration

No response

Other information

No response

mariussm avatar Nov 18 '25 10:11 mariussm