BUG: API-driven provisioning to Microsoft Entra ID not filling Email Attribute

Question

When creating a new user, the mail attribute is populated in the SCIM bundle and the Provisioning Logs show the email address is being received and sent to Entra ID as part of the initial set of attributes. However, when the user is created, the mail address is not populated. This is not a UI error as subsequent query via Graph shows mail is not present.

According to https://learn.microsoft.com/en-us/entra/identity/app-provisioning/hr-user-update-issues , The provisioning connector to Microsoft Entra supports setting the mail attribute only during user creation (see below). We are submitting the mail address during user creation.

Troubleshooting	Details
Issue	You configured mail attribute provisioning from your HR system to Microsoft Entra ID. Any update to the mail attribute isn't working even though the provisioning logs display a record for the mail attribute.
Issue	You configured mail attribute provisioning from your HR system to Microsoft Entra ID. Any update to the mail attribute isn't working even though the provisioning logs display a record for the mail attribute.
Cause	The provisioning connector to Microsoft Entra supports setting the mail attribute only during user creation. Once the user is created, the connector doesn't support updating the email address.
Resolution	To update the mail attribute for existing users, consider using Exchange Online portal or PowerShell.

Here is a redacted snippet from the provisioning log details showing the value is populated

Similarly, the audit logs show the value is being exported"

Here is the provisioned user in Entra

We have two tenants and this bug is repeatable in both.

Here are additional Provisioning log details associated with the user shown above.

Change ID

44e78c42-43b0-49eb-a0c6-082847c53611/cd6947ff-a4e1-45ad-8f0c-bf92eb4f7a9e

Job ID

API2AAD.c96b8c3d5ffd4888817d0b0e22f4ea09.bf25fecd-b117-4979-9a3f-a42e633e202b

Application Object Id

7facd885-d36d-48d8-8020-157de6989bd8

Application Name

API-driven provisioning to Microsoft Entra ID

Cycle ID

f5ad1d31-b3fd-4bbe-865e-d5eebd1d7cd0

Michael Liben

Answer 1

Hello @Liben, Michael

Thank you for posting your query on Microsoft Q&A.

As I understand you have query on API-driven provisioning to Microsoft Entra ID not filling Email Attribute.

To populate a personal email address, please ensure that it is entered in the "Other Emails" attribute of the user profile.

Please refer to the screenshot below for guidance.

How this can be achieved is via configuring attribute mappings like below:

The "mail" attribute cannot be modified via the inbound provisioning API or any of our inbound HR provisioning integrations.

This attribute is tied to the M365 license. When an M365 license is assigned to a user through a dynamic group or lifecycle workflow, a mailbox is automatically provisioned for the user, and the assigned UPN value is set in the "mail" attribute.

If you are looking to configure a personal email address in the user profile, please use the "otherMails" attribute instead.

For further clarification on how the "mail" attribute is calculated and why a license is required, please refer to the article linked below.

https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/user-prov-sync/proxyaddresses-attribute-populate

I hope this clarifies things. Please contact us if you have any additional questions.

If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query do let us know.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Sakshi Devkante