Update-MgUser unable to remove CustomSecurityAttribute value from user #3444

@mariussm

Describe the bug

I am trying to remove a customSecurityAttribute from a user, by setting an attribute value to null through the CustomSecurityAttributes parameter of Update-MgUser. However, the body is not sent correctly to Graph, causing the null to never be set.

Expected behavior

The customSecurityAttribute is removed from the user through a patch request with a null value.

How to reproduce

Update-MgUser -userid ce3d945f-fc56-4b19-9891-665ca05a998d -CustomSecurityAttributes @{
    "IssueTokenCSA" = @{
        "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
        "ssn"         = $null
    }   
}

SDK Version

2.32.0

Latest version known to work for scenario above?

No response

Known Workarounds

Forging the request manually works just fine:

Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/ce3d945f-fc56-4b19-9891-665ca05a998d" -Body (@{
        "customSecurityAttributes" = @{
            "IssueTokenCSA" = @{
                "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
                "ssn"         = $null
            }
        }
    } | ConvertTo-Json -Depth 10) -ContentType "application/json"

Debug output

As you can see, the body is missing the ssn = null part.

Update-MgUser -userid ce3d945f-fc56-4b19-9891-665ca05a998d -CustomSecurityAttributes @{
    "IssueTokenCSA" = @{
        "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
        "ssn"         = $null
    }
} -Debug

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PATCH

Absolute Uri:
https://graph.microsoft.com/v1.0/users/ce3d945f-fc56-4b19-9891-665ca05a998d

Headers:
FeatureFlag : 00000003
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26200; en-150),PowerShell/7.5.4
SdkVersion : graph-powershell/2.32.0
client-request-id : 88290648-0f15-498c-b257-90c5097cb246
Accept-Encoding : gzip,deflate,br

Body:
{
"customSecurityAttributes": {
"IssueTokenCSA": {
"@odata.type": "#microsoft.graph.customSecurityAttributeValue"
}
}
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
NoContent

Headers:
Cache-Control : no-cache
Strict-Transport-Security : max-age=31536000
request-id : 3ab5e8b8-9202-4f58-be61-c107ef6572f6
client-request-id : 88290648-0f15-498c-b257-90c5097cb246
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Norway East","Slice":"E","Ring":"2","ScaleUnit":"001","RoleInstance":"OSL2EPF00000164"}}
x-ms-resource-unit : 1
Date : Tue, 18 Nov 2025 10:35:04 GMT

Body:

DEBUG: [CmdletEndProcessing]: - Update-MgUser end processing.

Configuration

No response

Other information

No response
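
The workaround from the issue wrapped in a function with a read-back check, as an added example that is not part of the original issue or of the SDK. `Get-UserCsaValue` and `Remove-UserCsaValue` are hypothetical names, and the session is assumed to be connected with `Connect-MgGraph` with rights to read and write custom security attribute assignments.

```powershell
# Added example: the two helper names below are hypothetical, not SDK cmdlets.
function Get-UserCsaValue {
    param([string] $UserId, [string] $AttributeSet, [string] $AttributeName)

    # customSecurityAttributes is only returned when explicitly selected.
    $uri  = "https://graph.microsoft.com/v1.0/users/${UserId}?`$select=customSecurityAttributes"
    $user = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType Json | ConvertFrom-Json
    $set  = $user.customSecurityAttributes.$AttributeSet
    if ($null -eq $set) { return $null }   # whole attribute set absent
    return $set.$AttributeName             # $null when the attribute is absent
}

function Remove-UserCsaValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $AttributeSet,
        [Parameter(Mandatory)] [string] $AttributeName
    )

    $before = Get-UserCsaValue $UserId $AttributeSet $AttributeName

    # Same body as the workaround: the attribute is sent with an explicit null.
    $body = @{
        customSecurityAttributes = @{
            $AttributeSet = @{
                '@odata.type'  = '#microsoft.graph.customSecurityAttributeValue'
                $AttributeName = $null
            }
        }
    } | ConvertTo-Json -Depth 10

    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$UserId" `
        -Body $body -ContentType 'application/json' | Out-Null

    # Read back instead of trusting the status code: the failing Update-MgUser
    # call in the debug output also returned NoContent.
    $after = Get-UserCsaValue $UserId $AttributeSet $AttributeName
    if ($null -ne $after) {
        throw "Attribute $AttributeSet.$AttributeName is still set on user $UserId"
    }

    # Report only whether a value existed; the value itself is not echoed.
    [pscustomobject]@{ UserId = $UserId; Attribute = "$AttributeSet.$AttributeName"
                       HadValue = ($null -ne $before); Removed = $true }
}
# Usage: Remove-UserCsaValue -UserId <user-object-id> -AttributeSet IssueTokenCSA -AttributeName ssn
```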
