Skip to content

Update-MgUser unable to remove CustomSecurityAttribute value from user #3444

New issue
New issue
Open
Open
Update-MgUser unable to remove CustomSecurityAttribute value from user#3444
Assignees
ramsessanchez
Labels
Status: Needs Investigationtype:bugA broken experience
@mariussm

Description

@mariussm
mariussm
opened on Nov 18, 2025

Describe the bug

I am trying to remove a customSecurityAttribute from a user, by setting an attribute value to null through the CustomSecurityAttributes parameter of Update-MgUser. However, the body is not sent correctly to Graph, causing the null to never be set.

Expected behavior

The customSecurityAttribute is removed from the user through a patch request with a null value.

How to reproduce

Update-MgUser -userid ce3d945f-fc56-4b19-9891-665ca05a998d -CustomSecurityAttributes @{
    "IssueTokenCSA" = @{
        "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
        "ssn"         = $null
    }   
}

SDK Version

2.32.0

Latest version known to work for scenario above?

No response

Known Workarounds

Forging the request manually works just fine:

Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/ce3d945f-fc56-4b19-9891-665ca05a998d" -Body (@{
        "customSecurityAttributes" = @{
            "IssueTokenCSA" = @{
                "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
                "ssn"         = $null
            }
        }
    } | ConvertTo-Json -Depth 10) -ContentType "application/json"

Debug output

As you can see, the body is missing the ssn = null part.

Click to expand log Update-MgUser -userid ce3d945f-fc56-4b19-9891-665ca05a998d -CustomSecurityAttributes @{ "IssueTokenCSA" = @{ "@odata.type" = "#microsoft.graph.customSecurityAttributeValue" "ssn" = $null } } -Debug

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PATCH

Absolute Uri:
https://graph.microsoft.com/v1.0/users/ce3d945f-fc56-4b19-9891-665ca05a998d

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26200; en-150),PowerShell/7.5.4
SdkVersion : graph-powershell/2.32.0
client-request-id : 88290648-0f15-498c-b257-90c5097cb246
Accept-Encoding : gzip,deflate,br

Body:
{
"customSecurityAttributes": {
"IssueTokenCSA": {
"@odata.type": "#microsoft.graph.customSecurityAttributeValue"
}
}
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
NoContent

Headers:
Cache-Control : no-cache
Strict-Transport-Security : max-age=31536000
request-id : 3ab5e8b8-9202-4f58-be61-c107ef6572f6
client-request-id : 88290648-0f15-498c-b257-90c5097cb246
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Norway East","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"OSL2EPF00000164"}}
x-ms-resource-unit : 1
Date : Tue, 18 Nov 2025 10:35:04 GMT

Body:

DEBUG: [CmdletEndProcessing]: - Update-MgUser end processing.

Configuration

No response

Other information

No response

Metadata

Metadata

Assignees

Labels

Status: Needs Investigationtype:bugA broken experience

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions