In the docs SCIM 2.0 Protocol Reference | Okta Developer it says that when updating specific Group membership via SCIM: “In this example, the
members attribute is returned with a null value. Okta doesn’t require the list of users to be returned, but it does require the other details about the Group.”
When removing a user from a group through an custom app integrations created using the AIW, the request is sent as PUT which replaces the entire resource. If the list of members is not returned from the external app in response to the initial GET request, the PUT request after sends an empty members array, essentially deleting all the members from the group in the external app instead of replacing the resource entirely. Including the members in the response to the initial GET request solves this, as the Group resource is being replaced in it’s entirety (as expected of PUT vs PATCH).