Custom security attributes are used to extend the default set of attributes associated with user and group objects. These custom attributes enable you to store additional information about users and groups, which can be used for various purposes, such as access control, reporting, and compliance.
Custom security attributes in Azure AD are useful when you need to store information that is specific to your organization or applications. For example, you might add attributes such as “Cost Center”, “Employee hire date”, “Hourly Salary”, “Weekly Salary”, or any other custom information relevant to your business processes.
Custom security attributes are available in your Azure AD tenant. They support String, Boolean and Integer values, and an attribute can be single-valued or multi-valued. You can also predefine the allowed values of an attribute, which reduces the chance of errors when the attribute is assigned to an Azure AD user.
Azure AD users, Azure AD enterprise applications (service principals) and managed identities currently support custom security attributes. At the time of writing this blog post, the feature is in preview, so improvements and new features may still be added before it reaches General Availability (GA).
Before we create a custom security attribute, we need to understand which permissions are required to create an attribute set and to manage it. You need an Azure AD Premium P1 or P2 license to use custom security attributes.
Which permissions are required to manage Custom security attributes
To manage custom security attributes in Azure AD, you need the Attribute Definition Administrator or Attribute Assignment Administrator role. By default, the Global Administrator role and every other administrator role have no permission to read, define or assign custom security attributes.
A Global Administrator can assign the Attribute Definition Administrator or Attribute Assignment Administrator role to the user who will manage custom security attributes; that user can be another Global Administrator as well.
- Attribute Definition Administrator – Manage all aspects of attribute sets and all aspects of custom security attribute definitions.
- Attribute Assignment Administrator – Read attribute sets and custom security attribute definitions; read and update custom security attribute keys and values for users and service principals.
To check or assign the roles, follow the steps below:
- Log in to the Microsoft Azure portal.
- Search for Azure AD roles and administrators.
- Search for the roles highlighted below.
- As you can see in the screenshot below, the Attribute Assignment Administrator and Attribute Definition Administrator roles are available for assignment.
- Click on each role, then click on + Add assignments and select the user to assign the role to.
Where to find Custom Security attributes on Entra admin center
You can find custom security attributes in the Microsoft Entra admin center under Protection > Custom security attributes.
As you can see from the screenshot below, there are 3 steps to creating and managing custom security attributes.
- Check permissions – Make sure that you are assigned either the Attribute Assignment Administrator or the Attribute Definition Administrator role.
- Add attribute sets – Create an attribute set, which is like a group that contains custom security attributes.
- Manage attribute sets – Control who can assign or define custom security attributes once the set is operational.
Add Custom security attribute set in Azure AD
The first step is to create an attribute set. Provided that you already hold the Attribute Assignment Administrator or Attribute Definition Administrator role, you will see the Add attribute set button to create one.
An attribute set groups and manages related custom security attributes. All custom security attributes must be part of an attribute set.
- Log in to the Microsoft Entra admin center > Protection > Custom security attributes.
- Click on “Add attribute set” to create a new attribute set.
For the new attribute set, provide the values below:
- Attribute set name – This is a mandatory field where you specify the name of the attribute set. It can be a maximum of 32 characters.
- Description – Provide a useful description of the attribute set.
- Maximum number of attributes – The maximum number of attributes in the attribute set. The maximum value is 500.
My requirement is to apply a CostCenter attribute whose value differs for each of the multiple organizations operating under the same tenant. Therefore, I will group all the other organizations in the CostCenter attribute set. This will make more sense when we create the attributes and their values in the next sections of the blog post.
As you can see from the screenshot below, the CostCenter attribute set has been created. Click on it to open it and define attributes.
After you open an attribute set, if no attributes are defined yet you will find a button to Add attribute. You can also click on + Add attribute to create one.
When you create a new attribute, you will need to provide the values below:
- Attribute name: Provide the name of the attribute, which can be a maximum of 32 characters.
- Description: Provide a useful description of this attribute.
- Data type: Depending on the data, select a data type from String, Boolean or Integer.
- Allow multiple values to be assigned: Select No if you are going to provide only a single value for this attribute.
- Only allow predefined values to be assigned: Select Yes to only allow predefined values to be assigned.
- Predefined values: Click on + Add value and provide the predefined values. You can add up to 100 predefined values.
Add another attribute to the attribute set if required. As I have multiple organizations with different cost center tags, I have created another attribute called TechPress.
Both attributes are created under the CostCenter attribute set. You can see the attribute name, description, data type and predefined values.
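The same attribute set and attribute definition can be created from Microsoft Graph PowerShell, which also shows how deactivation (covered later in this post) works, since sets cannot be deleted. This is an added example and not code from the original post; it assumes the Microsoft.Graph module is installed, the signed-in account holds the Attribute Definition Administrator role, and the predefined values CC-1001 and CC-1002 are constructed samples.

```powershell
# Added example (not from the original post): define the CostCenter attribute set
# and the TechPress attribute with predefined values via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller is an Attribute Definition
# Administrator. Note that Global Administrator alone is not enough for this scope.
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All"

# 1. Attribute set: "id" is the set name (max 32 characters); at most 500 attributes
$set = @{
    id                  = "CostCenter"
    description         = "Cost center tags for organizations sharing this tenant"
    maxAttributesPerSet = 25
}
New-MgDirectoryAttributeSet -BodyParameter $set

# 2. Attribute definition: single-valued String restricted to predefined values.
#    usePreDefinedValuesOnly = $true is the "Only allow predefined values" switch,
#    isCollection = $false is "Allow multiple values to be assigned: No".
$definition = @{
    attributeSet            = "CostCenter"
    name                    = "TechPress"
    description             = "Cost center for the TechPress organization"
    type                    = "String"
    status                  = "Available"
    isCollection            = $false
    isSearchable            = $true
    usePreDefinedValuesOnly = $true
    allowedValues           = @(
        @{ id = "CC-1001"; isActive = $true }   # constructed sample values
        @{ id = "CC-1002"; isActive = $true }
    )
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $definition

# 3. Review the definitions in the set, including any deactivated ones
Get-MgDirectoryCustomSecurityAttributeDefinition -Filter "attributeSet eq 'CostCenter'" |
    Select-Object Id, Type, Status, UsePreDefinedValuesOnly

# 4. When an attribute is no longer needed it cannot be deleted, only deactivated.
#    The definition id is "<AttributeSet>_<AttributeName>"; "Deprecated" is the
#    status shown as "Deactivated" in the admin center.
Update-MgDirectoryCustomSecurityAttributeDefinition `
    -CustomSecurityAttributeDefinitionId "CostCenter_TechPress" `
    -BodyParameter @{ status = "Deprecated" }
```

Setting the status back to "Available" with the same cmdlet reactivates the attribute, matching the Activate option under Deactivated attributes.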
Assign Custom security attribute set to Azure AD Users
After you have created the attribute set and added attributes, you can assign them to users either manually or by using PowerShell. We will see how to assign them using the Microsoft Entra admin center; in another blog post we will see how to assign them using PowerShell.
- Log in to the Microsoft Entra admin center > Identity > All users.
- Click on any user, then click on Custom security attributes under Manage.
- Click on the + Add assignment link.
- Using the drop-down options, select the attribute set, attribute name and its assigned values. Click on Save.
We have assigned the attribute CloudInfra to the user Grady Archie. Similarly, you can assign attributes to users according to the attribute sets and attribute definitions you created. One user can have multiple attribute sets / attributes assigned as well.
How to delete a Custom Security Attribute in Azure AD
At the time of writing this blog post, this is not possible. Once you create an attribute set, it cannot be deleted. However, you can deactivate an attribute under an attribute set, which then moves into the Deactivated attributes category.
Once an attribute is deactivated, you can find it under Deactivated attributes. You can activate or edit a deactivated attribute again from the Deactivated attributes option.
How to remove a custom security attribute assigned to the user
You can remove a custom security attribute that is assigned to an Azure AD user. Follow the steps below:
- Log in to the Microsoft Entra admin center > Identity > All users.
- Click on any user, then click on Custom security attributes under Manage.
- Select the attribute set and click on “Remove assignment”.
How to filter users based on Custom security attributes
After you have assigned custom security attributes to users in the Azure AD portal, you can take advantage of them by filtering users based on custom security attributes.
- Log in to the Microsoft Entra admin center > Identity > All users.
- Click on Add filter and select the Custom security attributes filter.
- Select the attribute set and attribute name, and provide the value to match.
- Click on Apply to filter the users with matching attributes.
You can also click on Download users to download the filtered users based on the custom security attribute. However, as of now this does not work. I did check with Microsoft, but they advised that this feature is currently in preview and it is advised to wait for all the bugs to be fixed. This bug may get fixed in the future.
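The assignment, filter and removal steps above have Microsoft Graph PowerShell equivalents, which also give you the filtered list as a file. This is an added example and not the original post's or Microsoft's code; it assumes the Microsoft.Graph module, the Attribute Assignment Administrator role, the CostCenter/TechPress definition from earlier, and a constructed placeholder UPN and value.

```powershell
# Added example (not from the original post): assign, query and remove the
# CostCenter/TechPress attribute on one user via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller is an Attribute Assignment
# Administrator; the UPN and the value CC-1001 are constructed placeholders.
Connect-MgGraph -Scopes "CustomSecAttributeAssignment.ReadWrite.All", "User.Read.All"

$userId = "grady.archie@contoso.example"   # placeholder UPN

# 1. Assign: attribute sets nest under customSecurityAttributes. If the definition
#    uses predefined values only, any other value is rejected by the service.
$assign = @{
    CostCenter = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        TechPress     = "CC-1001"
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $assign

# 2. Read back the assignment. The property is not returned unless selected.
$user = Get-MgUser -UserId $userId -Property "id,displayName,customSecurityAttributes"
$user.CustomSecurityAttributes.AdditionalProperties | Format-List

# 3. Filter users by attribute value (the "Custom security attributes" filter in
#    All users). This is an advanced query, so ConsistencyLevel and a count are required.
#    Export-Csv provides the list that the Download users button is meant to give.
Get-MgUser -Filter "customSecurityAttributes/CostCenter/TechPress eq 'CC-1001'" `
    -ConsistencyLevel eventual -CountVariable matchCount `
    -Property "id,displayName,customSecurityAttributes" |
    Select-Object Id, DisplayName |
    Export-Csv -Path ".\techpress-cc-1001-users.csv" -NoTypeInformation

# 4. Remove the assignment: setting the attribute to $null clears it, which is the
#    same effect as "Remove assignment" in the admin center.
$remove = @{
    CostCenter = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        TechPress     = $null
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $remove
```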
Conclusion
In this blog post, we have seen how to create and assign custom security attributes in Azure AD. They are really useful for storing sensitive data that can be used for authorization purposes. In another blog post, we will see how to manage custom security attributes using PowerShell. Using PowerShell to assign custom security attributes to users can save a lot of time when you are dealing with thousands of Azure AD users.