Expose a /Groups endpoint supporting GET, POST, PUT, PATCH, and DELETE as specified in RFC 7644 sections 3.3 through 3.6.
Handle PATCH requests with a PatchOp body containing an array of operations; each operation has an op of add, remove, or replace and a path targeting the members attribute.
For add operations on members, append the supplied value array to the existing members list; for remove operations, delete members matching the filter in the path (e.g., members[value eq "user-id"]).
For replace on the members attribute, overwrite the entire members list with the supplied value array — do not merge.
Be aware that Microsoft Entra ID sends non-standard PATCH bodies when modifying group members, sometimes combining add and replace operations in a single request; handle both in your parser.
Return 200 with the updated Group resource or 204 with no body on successful PATCH; return 400 with a SCIM error schema body for malformed operations.
Known gotchas
Microsoft Entra ID is known to send PATCH requests that do not fully conform to RFC 7644 — for example, issuing a replace on members alongside an add in the same PATCH body; test against your actual IdP, not just the spec.
SCIM PATCH is not JSON Patch (RFC 6902); do not implement array indexing or the move operation — SCIM patch uses path filters, not numeric indices.
Some IdPs send a full replace on the members array to add a single member, which can truncate the group if your server treats replace as a delta rather than a full overwrite.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp