Export users with Custom security attributes using Powershell

Custom security attributes are used to extend the default set of attributes associated with user and group objects. These custom attributes enable you to store additional information about users and groups, which can be used for various purposes, such as access control, reporting, and compliance.

Custom security attributes in Azure AD can be useful in scenarios where you need to store specific information unique to your organization or applications. For example, you might want to add attributes like “Cost Center” “Employee hire date,” “Hourly Salary,” “Weekly Salary,” or any other custom information relevant to your business processes.

Custom security attributes are available in your Azure AD tenant. It supports different data type for values like String, Boolean and Integer. It could be single valued or multi-valued attribute. You can also pre-define a value to an attribute so that there are less chances for errors when assigning the attribute to any Azure AD user.

Azure AD users, Azure AD enterprise applications (Service Principals) and Managed Identities currently support custom security attributes. At the time of writing this blog post, this feature is currently in preview. Therefore, a lot of improvement and new features can be added till it goes to General availabilty (GA).

You would require either Azure AD premium P1 or P2 license for using custom security attributes. You can use Update-MgUser cmdlet to assign Custom security attributes to the users and Get-MgUser to retrieve custom security attribute values assigned to the user.

As this blog post is about Exporting the list of users with specific custom security attributes set assigned to the users, therefore I am assuming that you have already created and assigned custom security attributes to the Azure AD users already. This involves creating an Attribute set, Attributes and defining its value. I have written a blog post which is a detailed step by step guide on how to Create and Assign Custom Security attributes in Azure AD.

Which permissions are required to manage Custom security attributes

To manage custom security attributes using powershell, the user should be assigned with Attribute Definition Administrator or Attribute Assignment Administrator roles. If you want to know more about these permissions and how to assign it to the admin then you can check out the link “Which permissions are required to manage Custom security attributes“.

Export Users with Custom security attributes using Powershell

First, you would need to connect to Microsoft Graph using Connect-MgGraph cmdlet and then use Get-MgUser cmdlet to fetch the custom security attributes assigned to the users. Please note below values which we will need in the powershell script.

You would need below values for the powershell script.

  • Attribute Set Name: CostCenter
  • Attribute Names: All the attributes under CostCenter attribute set. For Example: CloudInfra, Techpress etc. which we will define in an array.

Connect to Microsoft Graph

Connect-Mggraph -scopes "User.ReadWrite.All,Directory.ReadWrite.All,CustomSecAttributeAssignment.ReadWrite.All,CustomSecAttributeDefinition.ReadWrite.All"

You may get a prompt to consent and Accept the permissions. Please consent to it and Accept. This will create an Enterprise Application in Azure Active Directory. Go to Microsoft Entra Admin Center > Identity >Applications > Enterprise applications.

Application Name is “Microsoft Graph Command Line Tools“. Click on the application to check for Permissions.

Microsoft Graph Command Line Tools
Microsoft Graph Command Line Tools

After you click on the application. Scroll down to Permissions under Security. You will find all the permissions which you have consented for using Connect-Mggraph.

Microsoft Graph Command Line Tools Permissions
Microsoft Graph Command Line Tools Permissions

Once you are successfully connected to Microsoft Graph using the given scopes. You can use below Powershell script to Export users list.

Export users based on Custom security attributes to CSV file

You can use a filter on Microsoft Entra admin center to filter the users based on custom security attributes and click on Download users to Export the users in a CSV file. But currently the export process is not working from Microsoft Entra admin center or Microsoft Azure Active Directory portal.

You will get an error message while exporting the users. I have provided more details and a screenshot of the error message on my other blog post “Create and Assign Custom Security attributes in Azure AD“. Scroll down on the blog post to the section “How to filter users based on Custom security attributes”.

Alternatively, I have created and tested below powershell script to Export the list of users with Custom Security Attributes in a CSV file.

Powershell script to export users based on Custom security attributes to CSV file

    This script Export the users having CostCenter Attribute 
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#Provide all Custom security Attributes in an Array
$CSA = @('CloudInfra', 'TechPress')
#Initialize an empty array
$Users = @()
$Users = Get-MgUser -All -Property CustomSecurityAttributes, Id, DisplayName
$object = ForEach ($User in $Users) {
    If ($User.customsecurityattributes.AdditionalProperties['CostCenter'] -ne $Null) {
        $data = $User.customsecurityattributes.AdditionalProperties['CostCenter']
        $value = $data.keys | foreach-object {if ($_ -in $CSA) {$data[$_]}}
         Name = $User.DisplayName
         CostCenterCode = $value
 $object | Export-Csv c:\temp\CloudinfraUsers.csv -NoTypeInformation

I have opened CloudInfraUsers.csv file to check its contents. You can see two columns in the excel file as per the Powershell script. First one is Name and Second one is CostCenterCode.

Export users based on Custom security attributes to CSV file
Export users based on Custom security attributes to CSV file


In this blog post, we have seen how to Export the list of users with a specific Custom security attribute set. The export of data is in a CSV file which is easy to read and you can format it according to your requirement. You can also easily assign a custom security attribute using powershell and also manually as well using Entra admin center.