How to assign Custom security attributes using PowerShell

Custom security attributes are used to extend the default set of attributes associated with user and group objects. These custom attributes enable you to store additional information about users and groups, which can be used for various purposes, such as access control, reporting, and compliance.

Custom security attributes in Azure AD are useful when you need to store information that is specific to your organization or applications. For example, you might want to add attributes like “Cost Center,” “Employee hire date,” “Hourly Salary,” “Weekly Salary,” or any other custom information relevant to your business processes.

Custom security attributes are available in your Azure AD tenant. An attribute's values can be of type String, Boolean or Integer, and an attribute can be single-valued or multi-valued. You can also predefine the allowed values of an attribute, which reduces the chance of errors when assigning it to an Azure AD user.

Azure AD users, Azure AD enterprise applications (service principals) and managed identities currently support custom security attributes. At the time of writing this blog post, the feature is in preview, so further improvements and new features may be added before it reaches general availability (GA).

You need an Azure AD Premium P1 or P2 license to use custom security attributes. We will use the Update-MgUser cmdlet to assign custom security attributes to users.

As this blog post is about assigning custom security attributes to users, please create the custom security attributes in Azure AD first. This involves creating an attribute set, creating the attributes and defining their values. I have written a detailed step-by-step guide on how to Create and Assign Custom Security attributes in Azure AD.

Which permissions are required to manage Custom security attributes

To manage custom security attributes using PowerShell, the signed-in user must hold the Attribute Definition Administrator role (to create attribute sets and attributes) or the Attribute Assignment Administrator role (to assign attribute values to users). Note that Global Administrator does not include these permissions by default, so even a global admin has to be explicitly assigned one of the two roles. If you want to know more about these permissions and how to assign them to an admin, check out the link “Which permissions are required to manage Custom security attributes“.

Assign Custom security attributes using Powershell

First, connect to Microsoft Graph using the Connect-MgGraph cmdlet, then use the Update-MgUser cmdlet to assign the custom security attributes to users. Note the values below, which we will need in the PowerShell script.

I have already created an attribute set and attributes and defined their values, and I will use the same ones in the PowerShell script for the assignment. Below are the attribute values I want to assign to Azure AD users.

  • Attribute Set Name: CostCenter
  • Attribute Name: CloudInfra
  • Attribute Value: CloudInfra-1890C

First, you need to establish a connection to Microsoft Graph. Use the command below to authenticate.

Connect to Microsoft Graph

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "CustomSecAttributeAssignment.ReadWrite.All", "CustomSecAttributeDefinition.ReadWrite.All"

You may be prompted to consent to the requested permissions; click Accept to continue. Consent registers an enterprise application in Azure Active Directory, which you can inspect under Microsoft Entra admin center > Identity > Applications > Enterprise applications. Two points worth knowing before you accept: assigning attribute values to users only needs the User.Read.All and CustomSecAttributeAssignment.ReadWrite.All scopes, so the Directory.ReadWrite.All and CustomSecAttributeDefinition.ReadWrite.All scopes in the command above are broader than this task requires; and the delegated consent stays on that enterprise application until an administrator revokes it, so review the granted permissions afterwards.

Application Name is “Microsoft Graph Command Line Tools“. Click on the application to check for Permissions.

Microsoft Graph Command Line Tools

After you click on the application, scroll down to Permissions under Security. You will find all the permissions you consented to via Connect-MgGraph.

Microsoft Graph Command Line Tools Permissions

Once you are connected to Microsoft Graph with those scopes, you can use the PowerShell script below to assign the attribute value to a user. Note the variable $userId, which holds the object ID of the user. You can find the object ID of any user in the Microsoft Entra admin center by clicking on the user to show their details.

Assign Custom Security attribute using Powershell

<#
.DESCRIPTION
    Assigns a custom security attribute (CostCenter/CloudInfra) to a single Azure AD user.
    Author: Jatin Makhija
    Site: cloudinfra.net
    Version: 1.0.0
#>
# Object ID of the Azure AD user to update
$userId = "98a20e37-7f44-4cae-af6f-aff35e74a0ae"
# Microsoft.Graph 1.x only: switch to the beta endpoint. The 2.x module removed
# Select-MgProfile; there, beta cmdlets live in Microsoft.Graph.Beta (Update-MgBetaUser).
Select-MgProfile -Name "beta"
# Outer key = attribute set name, inner keys = attribute names; the @odata.type entry is required
$customSecurityAttributes = @{
    "CostCenter" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "CloudInfra"  = "CloudInfra-1890C"
    }
}
# Update the custom security attribute for $userId; stop on any Graph error
Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes -ErrorAction Stop
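As an added example that is not part of the original post, the script below wraps the hashtable above in a small helper that also handles the other value types an attribute can have (multi-valued, Integer, Boolean, and removal by setting $null), and reads the user's attributes back after the update so a silent no-op does not go unnoticed. The attribute set CostCenter and the attribute CloudInfra are the ones used in this post; the Region, Headcount and Billable attributes and their types are assumptions for illustration and would have to exist in your tenant's attribute set. The script is written for the Microsoft.Graph 2.x module, where Select-MgProfile no longer exists; on 1.x, run Select-MgProfile -Name "beta" first.

```powershell
# Added example (not from the original post). Assumes: Microsoft.Graph 2.x, an
# attribute set "CostCenter" containing CloudInfra (String, from the post) plus the
# illustrative attributes Region (String, multi-valued), Headcount (Integer) and
# Billable (Boolean), and $userId set to a real user object id in your tenant.

# Least privilege: assignment needs only these two delegated scopes, plus the
# Attribute Assignment Administrator role on the signed-in account.
Connect-MgGraph -Scopes "User.Read.All", "CustomSecAttributeAssignment.ReadWrite.All"

function New-CsaPayload {
    # Builds the hashtable Update-MgUser expects for one attribute set.
    # Anything other than a single String or Boolean needs a type annotation
    # ("<name>@odata.type"); a $null value removes that attribute from the user.
    param(
        [Parameter(Mandatory)][string]$AttributeSet,
        [Parameter(Mandatory)][hashtable]$Values
    )
    $set = @{ "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue" }
    foreach ($name in $Values.Keys) {
        $v = $Values[$name]
        if ($null -eq $v) {
            $set[$name] = $null                              # remove this attribute
        } elseif ($v -is [bool]) {
            $set[$name] = $v                                 # Boolean attribute
        } elseif ($v -is [int]) {
            $set["$name@odata.type"] = "#Int32"              # Integer attribute
            $set[$name] = $v
        } elseif ($v -is [array]) {                          # multi-valued attribute
            $allInts = @($v | Where-Object { $_ -isnot [int] }).Count -eq 0
            $set["$name@odata.type"] = if ($allInts) { "#Collection(Int32)" } else { "#Collection(String)" }
            $set[$name] = @($v)
        } else {
            $set[$name] = [string]$v                         # single-valued String
        }
    }
    return @{ $AttributeSet = $set }
}

function Set-CsaAndVerify {
    # Applies the payload, then reads the user's attributes back and compares
    # every single-valued entry with what was requested.
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$AttributeSet,
        [Parameter(Mandatory)][hashtable]$Values
    )
    $payload = New-CsaPayload -AttributeSet $AttributeSet -Values $Values
    Update-MgUser -UserId $UserId -CustomSecurityAttributes $payload -ErrorAction Stop

    # Values come back under AdditionalProperties, keyed by attribute set name,
    # not as typed properties on the user object.
    $user   = Get-MgUser -UserId $UserId -Property "id,displayName,customSecurityAttributes" -ErrorAction Stop
    $actual = $user.CustomSecurityAttributes.AdditionalProperties[$AttributeSet]
    foreach ($name in $Values.Keys) {
        $expected = $Values[$name]
        if ($expected -is [array]) { continue }             # compare scalars only
        if ("$($actual[$name])" -ne "$expected") {
            throw "Verification failed for $UserId : $AttributeSet/$name is '$($actual[$name])', expected '$expected'"
        }
    }
    return $actual
}

$userId = "98a20e37-7f44-4cae-af6f-aff35e74a0ae"   # object id from the post; replace with yours
Set-CsaAndVerify -UserId $userId -AttributeSet "CostCenter" -Values @{
    CloudInfra = "CloudInfra-1890C"
    Region     = @("EMEA", "APAC")
    Headcount  = 42
    Billable   = $true
} | Format-Table
```

The read-back matters because Update-MgUser returns nothing on success: a typo in an attribute name that does not exist in the set fails loudly, but a value that is not in the predefined list for an attribute may be rejected by Graph, and the only way to know what the directory now holds is to fetch it.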

Assign Custom security attributes to bulk users using Powershell

The PowerShell script in the previous section only updates one user. If you have hundreds of users in your organization, running it once per user to update a custom security attribute is tedious.

Instead, you can use the PowerShell script below, which loops through each user's object ID read from a CSV file and assigns the custom security attribute. The custom security attribute names and values in your organization will differ, so replace them in the script to match your environment.

Example:

  • Create a CSV file called CustomSecurity_v2.csv with three columns in this order: ObjectId, CostCenterCode and CostCenterTag. The script names the columns itself with -Header, so the file must not contain a header row.
  • Update the $CSV variable to point to this file.
  • Connect to Microsoft Graph with Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "CustomSecAttributeAssignment.ReadWrite.All", "CustomSecAttributeDefinition.ReadWrite.All".
  • Run the PowerShell script to update the custom security attribute on every object ID listed in the CSV file.

bulkAssignCustomSecurityAttributes.ps1

$CSV = "C:\Temp\CustomSecurity_v2.csv"
# Microsoft.Graph 1.x only; select the profile once, not on every loop iteration
Select-MgProfile -Name "beta"
# -Header names the columns, which means the file must NOT contain a header row;
# if it does, drop -Header and use the file's own column names instead
Import-Csv $CSV -Header id, CostCenterCode, CostCenterTag | ForEach-Object {
    $Objectid        = $_.id
    $CostCenterValue = $_.CostCenterCode
    $CostCenterTag   = $_.CostCenterTag
    Write-Host "Updating $Objectid ($CostCenterTag = $CostCenterValue)"
    $customSecurityAttributes = @{
        "CostCenter" = @{
            "@odata.type"  = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
            $CostCenterTag = $CostCenterValue
        }
    }
    # Update the custom security attribute for this user; report failures and keep going
    try {
        Update-MgUser -UserId $Objectid -CustomSecurityAttributes $customSecurityAttributes -ErrorAction Stop
    } catch {
        Write-Warning "Failed to update $Objectid : $($_.Exception.Message)"
    }
}
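As an added example of my own, not the script above, here is the same bulk loop with the checks a practitioner would want before writing to the directory: each row is validated before any Graph call, the current value is read first so rows that already hold the value are skipped, failures are caught per row instead of aborting the run, and a result report is written next to the input. The two-row CSV is constructed inline for illustration (the second row is deliberately invalid) and has a header row; the attribute set name CostCenter is taken from the post. The script assumes Microsoft.Graph 2.x and a session with the User.Read.All and CustomSecAttributeAssignment.ReadWrite.All scopes.

```powershell
# Added example (not the post's script). Assumes: Microsoft.Graph 2.x, an existing
# attribute set "CostCenter" whose attributes are single-valued Strings, and a
# session connected with User.Read.All + CustomSecAttributeAssignment.ReadWrite.All.

# Constructed sample input with a header row. In practice:
#   $rows = Import-Csv "C:\Temp\CustomSecurity_v2.csv"
$csvText = @"
ObjectId,CostCenterTag,CostCenterCode
98a20e37-7f44-4cae-af6f-aff35e74a0ae,CloudInfra,CloudInfra-1890C
not-a-guid,CloudInfra,CloudInfra-2210A
"@
$rows = $csvText | ConvertFrom-Csv

function Set-CsaFromRow {
    param(
        [Parameter(Mandatory)]$Row,
        [string]$AttributeSet = "CostCenter"
    )
    $attrName  = $Row.CostCenterTag
    $attrValue = $Row.CostCenterCode
    $result = [pscustomobject]@{
        ObjectId = $Row.ObjectId; Attribute = $attrName; Value = $attrValue
        Status   = ""; Detail = ""
    }

    # 1. Validate the row before touching the directory.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($Row.ObjectId, [ref]$guid)) {
        $result.Status = "Skipped"; $result.Detail = "ObjectId is not a GUID"; return $result
    }
    if ([string]::IsNullOrWhiteSpace($attrName) -or [string]::IsNullOrWhiteSpace($attrValue)) {
        $result.Status = "Skipped"; $result.Detail = "Empty attribute name or value"; return $result
    }

    try {
        # 2. Idempotency: read the current value and skip the write if it already matches.
        $user    = Get-MgUser -UserId $Row.ObjectId -Property "id,customSecurityAttributes" -ErrorAction Stop
        $sets    = $user.CustomSecurityAttributes.AdditionalProperties
        $current = $null
        if ($sets -and $sets.ContainsKey($AttributeSet)) {
            $current = $sets[$AttributeSet][$attrName]
        }
        if ("$current" -eq $attrValue) {
            $result.Status = "Unchanged"; return $result
        }

        # 3. PATCH semantics: only the named attribute changes; other attributes
        #    already assigned in the same set are left as they are.
        $payload = @{
            $AttributeSet = @{
                "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
                $attrName     = $attrValue
            }
        }
        Update-MgUser -UserId $Row.ObjectId -CustomSecurityAttributes $payload -ErrorAction Stop
        $result.Status = "Updated"; $result.Detail = "previous value: '$current'"
    } catch {
        $result.Status = "Failed"; $result.Detail = $_.Exception.Message
    }
    return $result
}

$report = foreach ($row in $rows) { Set-CsaFromRow -Row $row }
$report | Format-Table -AutoSize
# Keep the report: it is the audit trail of what the run changed and what it refused to touch.
$report | Export-Csv -Path ".\csa-assignment-report.csv" -NoTypeInformation
```

The pre-read costs one extra Graph call per row, but it turns a re-run of the same CSV into a no-op and gives you the previous value in the report, which is what you will want when someone asks what a user's cost center was before the bulk change.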

Export users based on Custom security attributes to CSV file

You can use a filter in the Microsoft Entra admin center to filter users by custom security attributes and then click Download users to export them to a CSV file. But currently the export does not work from the Microsoft Entra admin center or the Azure Active Directory portal.

You will get an error message while exporting the users. I have provided more details and a screenshot of the error message on my other blog post “Create and Assign Custom Security attributes in Azure AD“. Scroll down on the blog post to the section “How to filter users based on Custom security attributes”.

Alternatively, I have created and tested the below PowerShell script to export the list of users with custom security attributes to a CSV file.
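Added example, not the author's export script: the same query the Entra portal filter runs, issued through Graph PowerShell and written to CSV. It assumes the CostCenter/CloudInfra attribute from this post, a Microsoft.Graph 2.x session connected with the User.Read.All and CustomSecAttributeAssignment.Read.All scopes, and an illustrative output path.

```powershell
# Added example (not the author's script). Assumes: Microsoft.Graph 2.x, attribute set
# "CostCenter" with String attribute "CloudInfra" (from the post), and a session with
# User.Read.All + CustomSecAttributeAssignment.Read.All (reading values needs the latter).

function Export-UsersByCsa {
    param(
        [Parameter(Mandatory)][string]$AttributeSet,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][string]$Value,
        [string]$Path = ".\users-by-csa.csv"        # illustrative output location
    )
    # Filtering on customSecurityAttributes is an advanced directory query: it
    # requires ConsistencyLevel=eventual together with $count, which -CountVariable
    # adds. The value is single-quoted in OData, so embedded quotes are doubled.
    $escaped = $Value.Replace("'", "''")
    $filter  = "customSecurityAttributes/$AttributeSet/$Attribute eq '$escaped'"

    $users = Get-MgUser -Filter $filter -ConsistencyLevel eventual -CountVariable total -All `
        -Property "id,displayName,userPrincipalName,customSecurityAttributes" -ErrorAction Stop

    # Flatten the nested attribute set into one row per user so Export-Csv
    # does not serialise the dictionary as a type name.
    $rows = foreach ($u in $users) {
        $set = $u.CustomSecurityAttributes.AdditionalProperties[$AttributeSet]
        [pscustomobject]@{
            ObjectId          = $u.Id
            DisplayName       = $u.DisplayName
            UserPrincipalName = $u.UserPrincipalName
            AttributeSet      = $AttributeSet
            Attribute         = $Attribute
            Value             = $set[$Attribute]
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    Write-Host "Exported $total user(s) matching '$filter' to $Path"
    return $rows
}

Export-UsersByCsa -AttributeSet "CostCenter" -Attribute "CloudInfra" -Value "CloudInfra-1890C"
```

Because the filter is evaluated server-side, the export scales to large tenants without pulling every user down first; -All takes care of paging through the results.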

Conclusion

In this blog post, we have seen how to assign custom security attributes to Azure AD users. Please make sure to use Connect-MgGraph cmdlet to connect to Microsoft Graph before running the script. In another blog post, we will see how to Export the list of users based on a particular custom security attribute set in a CSV file.
