Create and Assign Custom Security attributes in Entra ID

Custom security attributes are business-specific key-value pairs that extend the default set of attributes on Entra ID objects. They let you store additional information about an object, which can then be used for purposes such as access control, reporting, and compliance.

Custom security attributes in Entra ID can be valuable in situations where you need to store specific information that is unique to your organization or applications. For instance, you may want to include attributes like “Cost Center,” “Employee hire date,” “Hourly Salary,” “Weekly Salary,” or any other custom information that’s relevant to your business processes.

Custom security attributes support string, boolean, and integer values, and an attribute can be single-valued or multi-valued. You can also restrict an attribute to a list of predefined values, which reduces the risk of typos and inconsistent values when the attribute is assigned to an Entra ID user.

As of the time of writing this blog post, custom security attributes are supported for Entra ID users, Entra ID enterprise applications (Service Principals), and Managed Identities.

Before creating a custom security attribute, you need both the right licence and the right roles. Licensing first: custom security attributes require an Entra ID Premium P1 or P2 licence. The roles are covered in the next section.

What permissions are necessary for the management of custom security attributes?

To manage custom security attributes in Entra ID, you need the Attribute Definition Administrator or Attribute Assignment Administrator role (read-only counterparts, Attribute Definition Reader and Attribute Assignment Reader, also exist). By default, Global Administrator and every other administrator role have no permission to read, define, or assign custom security attributes. This is deliberate: the data in these attributes is meant to stay within a small, explicitly delegated group.

A Global Administrator can assign the Attribute Definition Administrator or Attribute Assignment Administrator role to the user who will manage custom security attributes, and that user may be another Global Administrator, or the same one. Keep in mind that this is a delegation boundary rather than a hard one: a Global Administrator can always grant the role to themselves, but that role assignment is recorded in the Entra ID audit logs, which is where you should watch for it.

  • Attribute Definition Administrator – Manage all aspects of attribute sets and Manage all aspects of custom security attribute definitions
  • Attribute Assignment Administrator – Read attribute sets, Read custom security attribute definitions, and Read and update custom security attribute keys and values for users and service principals.

Assign role to manage Custom security attributes:

  • Sign in to the Entra admin center
  • Go to Identity > Roles & admins (you can also search for “Roles and administrators”).
  • Search for the Attribute Assignment Administrator and Attribute Definition Administrator roles.
  • Click on each role, then select “+ Add assignments” and choose the user to whom you want to assign this role.

Locating Custom Security Attributes in Entra Admin Center

3 Steps for Creating Custom Security Attributes

There are three steps for creating custom security attributes in Entra ID:

  • Check permissions – Make sure that you are assigned either the Attribute Assignment Administrator or the Attribute Definition Administrator role.
  • Add attribute sets – Create an attribute set.
  • Manage attribute sets – Control who can define attributes in the set and who can assign them, by granting the attribute roles scoped to that set rather than to the whole tenant.
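The role assignment above, and the “Manage attribute sets” step (granting the attribute roles at the scope of one attribute set), can also be done with the Microsoft Graph PowerShell SDK. The following is an added example and is not code from the original post: the UPN is a placeholder, the attribute-set name “CostCenter” is the one used later in this post, and the second assignment assumes that set already exists.

```powershell
# Added example (not from the original post). Delegates the custom security
# attribute roles with the Microsoft.Graph PowerShell SDK. The UPN is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$assigneeUpn = "attribute.admin@contoso.com"   # placeholder: who will manage attributes
$assignee    = Get-MgUser -UserId $assigneeUpn

function Get-DirectoryRoleByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Look the role up by display name instead of hard-coding its template ID
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $role) { throw "Directory role '$DisplayName' not found in this tenant" }
    return $role
}

# 1. Attribute Definition Administrator, tenant-wide ("/"): needed to create
#    attribute sets, because a role cannot be scoped to a set that does not exist yet.
$definitionAdmin = Get-DirectoryRoleByName "Attribute Definition Administrator"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $assignee.Id `
    -RoleDefinitionId $definitionAdmin.Id -DirectoryScopeId "/" | Out-Null

# 2. Attribute Assignment Administrator scoped to ONE attribute set. This is the
#    least-privilege form: the assignee can read and assign attributes in
#    CostCenter only, not in any other set in the tenant. Assumes the set exists.
$attributeSet    = "CostCenter"
$assignmentAdmin = Get-DirectoryRoleByName "Attribute Assignment Administrator"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $assignee.Id `
    -RoleDefinitionId $assignmentAdmin.Id -DirectoryScopeId "/attributeSets/$attributeSet" | Out-Null

# 3. Verify: list this user's attribute-related role assignments and their scope
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($assignee.Id)'" |
    ForEach-Object {
        [pscustomobject]@{
            Role  = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
            Scope = $_.DirectoryScopeId
        }
    } | Where-Object Role -like "Attribute *"
```

The scope value `/attributeSets/<name>` is what distinguishes a set-scoped assignment from a tenant-wide one (`/`); the verification step at the end prints both so you can confirm which form you granted.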

Step 1 – Create a Custom security attribute set

The initial step is to create an attribute set. If you hold the roles of Attribute Assignment Administrator or Attribute Definition Administrator, you’ll notice the “Add attribute set” button, which allows you to create an attribute set.

1.1 Create a New Attribute set

  • Sign in to Microsoft Entra admin center > Protection > Custom security attributes.
  • Click on “Add attribute set” to create a New attribute set.
    • Attribute set name – This is a required field where you must enter the name of the attribute set. The name can contain a maximum of 32 characters.
    • Description – Provide a useful description of the attribute set.
    • Maximum number of attributes – The maximum number of attributes that can be defined in this set. If you leave it blank, the tenant-wide limit of 500 active attributes applies.

Example: my objective is to tag users with a cost center, with different values for each of the organizations that share this tenant. I will therefore create one attribute set named “CostCenter” and define one attribute per organization inside it. This will become clearer when we create the attributes and their values in the next sections of the blog post.

Create a Custom security attribute set
  • As shown in the screenshot below, the “CostCenter” attribute set has been created. Click on it to open it and define its attributes.
Create a Custom security attribute set

1.2 Add Attributes

Now that we have created a Custom security attribute set, let’s add an attribute to the attribute set.

  • Click on the Attribute set and then click on + Add attribute.
Add Attributes

When creating a new attribute, you will be required to provide the following values:

  • Attribute name: The name of the attribute, up to a maximum of 32 characters.
  • Description: Provide a useful description of this attribute.
  • Data type: Depending upon the data, you can select a data type from either String, Boolean, or Integer types.
  • Allow multiple values to be assigned: Select No if the attribute will only ever hold a single value.
  • Only allow predefined values to be assigned: Select Yes to only allow pre-defined values to be assigned.
  • Predefined values: Click on + Add value and provide pre-defined values. You can add up to 100 predefined values.
Add Attributes
  • If necessary, you can add further attributes to the attribute set. In my case, since I have multiple organizations with different cost center tags, I’ve created a second attribute called “TechPress” alongside “CloudInfra.”
Add Attributes
  • Both attributes have been created within the “CostCenter” attribute set. You can observe the Attribute Name, description, data type, and their predefined values.
Find Attributes under Attribute set on Entra admin center
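The same attribute set and attributes can be created with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post; it reuses the “CostCenter”, “CloudInfra” and “TechPress” names from the post, while the cost center values such as CC-1001 are placeholders chosen for the example.

```powershell
# Added example (not from the original post). Creates the "CostCenter" attribute
# set and two string attributes restricted to predefined values, mirroring the
# portal steps above. Values such as CC-1001 are placeholders.
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All"

$setName = "CostCenter"

# 1. Attribute set (the id is the name: max 32 chars, no spaces). Written to be
#    idempotent, because sets cannot be deleted and re-running must not recreate it.
$set = Get-MgDirectoryAttributeSet -AttributeSetId $setName -ErrorAction SilentlyContinue
if (-not $set) {
    $set = New-MgDirectoryAttributeSet -BodyParameter @{
        id                  = $setName
        description         = "Cost center tags, one attribute per organisation"
        maxAttributesPerSet = 25
    }
}

# 2. One attribute per organisation, each restricted to its own predefined values
$attributes = [ordered]@{
    CloudInfra = @("CC-1001", "CC-1002")
    TechPress  = @("CC-2001", "CC-2002")
}

foreach ($attrName in $attributes.Keys) {
    $definitionId = "${setName}_${attrName}"   # Graph ID format: <set>_<attribute>
    $existing = Get-MgDirectoryCustomSecurityAttributeDefinition `
        -CustomSecurityAttributeDefinitionId $definitionId -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "Skipping $definitionId (already defined)"; continue }

    $allowed = @($attributes[$attrName] | ForEach-Object { @{ id = $_; isActive = $true } })
    New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter @{
        attributeSet            = $setName
        name                    = $attrName
        description             = "Cost center for the $attrName organisation"
        type                    = "String"
        status                  = "Available"
        isCollection            = $false      # single-valued
        isSearchable            = $true       # allows filtering users on this attribute
        usePreDefinedValuesOnly = $true       # the service rejects values not in allowedValues
        allowedValues           = $allowed
    } | Out-Null
}

# 3. Verify what now exists in the set: status, type and whether values are restricted
Get-MgDirectoryCustomSecurityAttributeDefinition -Filter "attributeSet eq '$setName'" |
    Select-Object Name, Type, Status, IsCollection, UsePreDefinedValuesOnly
```

Setting `usePreDefinedValuesOnly` to true is the scripted equivalent of the portal’s “Only allow predefined values to be assigned” switch; it is what makes an attribute safe to use in authorization decisions, because a mistyped value is rejected at assignment time instead of silently creating a new category.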

Assign Custom security attribute set to Entra ID Users

Once you’ve created the attribute set and added attributes, you can proceed to assign it to users, either manually or through PowerShell. In this blog post, we’ll explore how to assign it to users using the Microsoft Entra Admin Center, while in another blog post, we’ll delve into how to assign it using PowerShell.

  • Sign in to Microsoft Entra admin center > Identity > All users
  • Click on any user and then click on Custom security attributes under Manage.
  • Click on + Add assignment link.
Assign Custom security attribute set to Entra ID Users
  • From the drop-down options, choose the Attribute set, Attribute name, and its assigned values. Then, click on “Save“.
Assign an attribute to a user on Entra admin center
  • We’ve successfully assigned the “CloudInfra” attribute from the “CostCenter” set to the user Grady Archie. In the same way, you can assign any attribute you have defined to any user, and one user can carry attributes from several attribute sets at the same time.

How to delete a Custom Security Attribute in Entra ID

As of the time of writing, neither attribute sets nor attribute definitions can be deleted. What you can do is deactivate an attribute within an attribute set, which moves it into the “Deactivated attributes” category and stops it from being offered for new assignments.

After deactivating an attribute, you can locate it under “Deactivated attributes.” It is possible to reactivate or edit the deactivated attribute by accessing the “Deactivated attributes” option.


How to Unassign Custom Security Attribute from user

You have the capability to unassign or delete a custom security attribute that has been assigned to any Entra ID user. To achieve this, please follow the steps outlined below:

  • Sign in to Microsoft Entra admin center > Identity > All users
  • Click on any user and then click on Custom security attributes under Manage.
  • Select the attribute set and click on “Remove assignment”.
How to Unassign Custom Security Attribute from user
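Both the assignment described in the previous section and the removal described here map onto a single Graph call, `Update-MgUser` with a `customSecurityAttributes` body. The following is an added example and not code from the original post: the UPN and the value CC-1001 are placeholders, and the attribute set and attribute names are the ones defined earlier in this post.

```powershell
# Added example (not from the original post). Assigns CostCenter/CloudInfra to one
# user, reads it back, then removes it again. UPN and value are placeholders.
Connect-MgGraph -Scopes "CustomSecAttributeAssignment.ReadWrite.All", "User.Read.All"

$userUpn = "grady.archie@contoso.com"    # placeholder
$user    = Get-MgUser -UserId $userUpn

function Get-UserCustomSecurityAttributes {
    param([Parameter(Mandatory)][string]$UserId)
    # customSecurityAttributes is never returned unless it is explicitly selected
    $u = Get-MgUser -UserId $UserId -Property "id,customSecurityAttributes"
    # Normalise the SDK's dictionary-of-dictionaries into a plain object
    $u.CustomSecurityAttributes.AdditionalProperties | ConvertTo-Json -Depth 5 | ConvertFrom-Json
}

# 1. Assign. Because the definition allows predefined values only, a value outside
#    the allowed list is rejected by the service rather than stored.
$assign = @{
    customSecurityAttributes = @{
        CostCenter = @{
            "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
            CloudInfra    = "CC-1001"
        }
    }
}
Update-MgUser -UserId $user.Id -BodyParameter $assign
$now = Get-UserCustomSecurityAttributes $user.Id
"CloudInfra on ${userUpn}: $($now.CostCenter.CloudInfra)"

# 2. Remove (the scripted equivalent of "Remove assignment"): set the attribute
#    to $null. A multi-valued attribute is cleared with an empty collection instead,
#    i.e. Tags = @() together with "Tags@odata.type" = "#Collection(String)".
$remove = @{
    customSecurityAttributes = @{
        CostCenter = @{
            "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
            CloudInfra    = $null
        }
    }
}
Update-MgUser -UserId $user.Id -BodyParameter $remove
$after = Get-UserCustomSecurityAttributes $user.Id
if ($null -eq $after.CostCenter.CloudInfra) { "CloudInfra removed from $userUpn" }
```

The `Get-UserCustomSecurityAttributes` helper is a name chosen for this example. Note that the read-back has to request the `customSecurityAttributes` property explicitly; a plain `Get-MgUser` will not show it even when the caller holds an attribute role.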

How to filter users based on Custom security attributes

Once you have assigned custom security attributes to the users in the Entra ID portal, you can leverage this by using filters to sort and filter users based on their custom security attributes.

  • Sign in to Microsoft Entra admin center > Identity > All users
  • Click on Add filter and select the Custom Security Attributes filter
  • Select the attribute set and attribute name, and provide the value to match
  • Click on Apply to filter the users with matching attributes
How to filter users based on Custom security attributes
  • Additionally, you have the option to click on “Download users” to download the filtered users based on the custom security attribute. It’s worth noting that, as of now, this feature may not work correctly. I have verified this with Microsoft, and they have advised that this feature is currently in Preview. It’s recommended to wait for the bugs to be addressed; this issue may be resolved in the future.
How to filter users based on Custom security attributes
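Because the portal’s “Download users” export is unreliable at the time of writing, the same filter can be run through Microsoft Graph and exported to CSV directly. This is an added example and not code from the original post; it reuses the “CostCenter” and “CloudInfra” names from the post, and the value CC-1001 and the output path are placeholders.

```powershell
# Added example (not from the original post). Filters users on a custom security
# attribute through Microsoft Graph and exports the result to CSV, as an
# alternative to the portal's "Download users" button. Value and path are placeholders.
Connect-MgGraph -Scopes "CustomSecAttributeAssignment.Read.All", "User.Read.All"

$attributeSet = "CostCenter"
$attribute    = "CloudInfra"
$value        = "CC-1001"                       # placeholder
$outFile      = ".\users-$attributeSet-$attribute-$value.csv"

# Filtering on customSecurityAttributes is an "advanced query": it requires
# ConsistencyLevel=eventual plus $count (the SDK sends $count when -CountVariable
# is given), and the attribute must have been defined with isSearchable = true.
$filter = "customSecurityAttributes/$attributeSet/$attribute eq '$value'"
$users  = Get-MgUser -Filter $filter -ConsistencyLevel eventual -CountVariable total -All `
    -Property "id,displayName,userPrincipalName,accountEnabled,customSecurityAttributes"

Write-Host "$total user(s) where $attributeSet/$attribute = $value"

$rows = foreach ($u in $users) {
    # Normalise the nested attribute dictionary before reading the value back
    $attrs = $u.CustomSecurityAttributes.AdditionalProperties | ConvertTo-Json -Depth 5 | ConvertFrom-Json
    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        AccountEnabled    = $u.AccountEnabled
        $attribute        = $attrs.$attributeSet.$attribute
    }
}
$rows | Export-Csv -Path $outFile -NoTypeInformation
$rows | Format-Table -AutoSize
```

The `AccountEnabled` column is included deliberately: when a custom security attribute feeds an authorization decision, a filtered export is the quickest way to spot disabled or stale accounts that still carry a privileged tag.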

Conclusion

In this blog post, we’ve explored how to create and assign custom security attributes in Entra ID. This feature is useful for storing additional, organization-specific data about users and service principals that can then be used for authorization decisions, reporting, and compliance.

In a separate blog post, we will delve into the management of custom security attributes using PowerShell. Utilizing PowerShell to assign custom security attributes to users can be a time-saving approach, especially when dealing with a large number of Entra ID users.
