1) With the default PowerShell script used to manage AD accounts, when for example a role is unassigned from a user, the corresponding unassignment operation fails.
Create for example a role that assigns a "description" value, then assign the role to a user: the AD description attribute of the user is populated as expected. When unassigning the role, however, the description attribute is not removed.
Looking at the PowerShell update script, this is because it only updates non-null/non-empty attributes: the empty value sent by the unassignment is skipped instead of clearing the attribute.
2) By default, the same update script doesn't handle the AD memberOf attribute at all. So when trying to use an assignment to provision a memberOf value, nothing happens.
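To illustrate both points, here is an added example (not the product's default script, whose exact contents are not shown here) of the skip-empty pattern that causes item 1, next to an update function that treats an empty value as "clear this attribute" and that handles memberOf. One caveat a practitioner should know: memberOf on a user is a back-link that AD computes from each group's member attribute, so it cannot be written on the user object; membership has to be changed on the groups with Add-ADGroupMember / Remove-ADGroupMember. The account name, group DNs and attribute hashtable shapes below are constructed sample values.

```powershell
# Added example, not the product's own script. Assumes the connector hands the
# script a hashtable of LDAP display names -> values, with an empty string meaning
# "remove", and memberOf given as an array of group DNs (all assumptions).
Import-Module ActiveDirectory

# Pattern reproduced from the report: empty/null values are silently skipped,
# so an unassignment that sends description = "" never clears the attribute.
function Update-AccountAttributesBroken {
    param(
        [Parameter(Mandatory)] [string]    $SamAccountName,
        [Parameter(Mandatory)] [hashtable] $Attributes
    )
    $replace = @{}
    foreach ($k in $Attributes.Keys) {
        if (-not [string]::IsNullOrEmpty($Attributes[$k])) {   # <- the bug
            $replace[$k] = $Attributes[$k]
        }
    }
    if ($replace.Count -gt 0) {
        Set-ADUser -Identity $SamAccountName -Replace $replace
    }
}

# Corrected version: empty -> -Clear, non-empty -> -Replace, memberOf -> group reconcile.
function Update-AccountAttributes {
    param(
        [Parameter(Mandatory)] [string]    $SamAccountName,
        [Parameter(Mandatory)] [hashtable] $Attributes
    )
    $replace = @{}
    $clear   = @()
    $wanted  = $null   # desired group DNs, if memberOf was supplied

    foreach ($k in $Attributes.Keys) {
        $v = $Attributes[$k]
        if ($k -ieq 'memberOf') {
            # Back-link attribute: cannot be set on the user, handled below.
            $wanted = @($v | Where-Object { -not [string]::IsNullOrEmpty($_) })
            continue
        }
        if ([string]::IsNullOrEmpty($v)) { $clear += $k }   # unassignment
        else                             { $replace[$k] = $v }
    }

    if ($replace.Count -gt 0) { Set-ADUser -Identity $SamAccountName -Replace $replace }
    if ($clear.Count   -gt 0) { Set-ADUser -Identity $SamAccountName -Clear   $clear   }

    if ($null -ne $wanted) {
        $user    = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
        $current = @(Get-ADPrincipalGroupMembership -Identity $user |
                     Select-Object -ExpandProperty DistinguishedName)

        # Add missing groups; remove extra ones, except the primary group,
        # which AD will not let you remove the user from.
        foreach ($dn in $wanted) {
            if ($current -notcontains $dn) {
                Add-ADGroupMember -Identity $dn -Members $user
            }
        }
        foreach ($dn in $current) {
            if ($wanted -notcontains $dn -and $dn -ne $user.PrimaryGroup) {
                Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
            }
        }
    }
}

# Constructed usage mirroring the report: assign, then unassign, then a memberOf assignment.
Update-AccountAttributes -SamAccountName 'jdoe' -Attributes @{ description = 'Finance analyst' }
Update-AccountAttributes -SamAccountName 'jdoe' -Attributes @{ description = '' }   # now really cleared
Update-AccountAttributes -SamAccountName 'jdoe' -Attributes @{
    memberOf = @('CN=Finance,OU=Groups,DC=example,DC=com')
}
```

After the second call, `Get-ADUser jdoe -Properties description` shows no description value, which is the behaviour the unassignment expects; with the broken function it still shows "Finance analyst". The memberOf reconcile is "desired state" semantics (groups not in the list are removed), which is usually what an assignment-driven provisioner wants but should be confirmed against how the product models partial updates.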