In this blog post I will go through a demo of setting up Custom Security Attributes in Microsoft Entra ID.
What are Custom Security Attributes?
Custom Security Attributes are an Entra ID P1 or P2 license feature and can be created in Microsoft Entra ID to extend user profiles, such as adding employee hourly salary, certifications and other secure attributes to an employees profile. We can also add custom security attributes to Azure Applications (Service Principles) and resources. These secure attributes are not visible to anyone by default unless assigned a particular role within Entra ID. The Global Administrator can not see these values by default either.
Which role can create these custom security attributes?
To be able to add or activate or deactivate a custom security attribute definition, the admin will require the built in role Attribute Definition Administrator assigned. By default, the Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
Here are built in custom security attributes roles (shown below),
Implement Custom Security Attributes step by step
– I have assigned my account the Attribute Administrator Role. I was not automatically granted this role by being a member of the Global Administrators group.
– Once you add a custom security attribute definition, you can’t delete it. However, you can deactivate a custom security attribute definition.
– This feature is still in preview at the time of writing this post
In this demo I will create an attribute set and add an attribute named SecurityCleared with the values BPSS, SC, CTC and DV (National security vetting clearance levels in the UK). I will then assign one of these levels to one of my demo users and demonstrate how I can search for users assigned one of these security levels in Entra ID.
- Login to entra.microsoft.com, expand Protection from the left pane and click Custom security attributes. You can also access this feature via Entra ID (formerly Azure AD) through portal.azure.com
2. Click Add attribute set
An attribute set contains a collection of security attributes. All custom security attributes must be included in an attribute set.
3. For the purpose of this demo I will name my attribute set EmployeeConfidential and allow a maximum of 25 attributes inside this set. For limits and constraints, visit the following link Custom Security Attributes Limits and Constraints
4. Click create
5. Click to open the newly created attribute set
6. Click roles and administrators from the left pane. Here you can assign roles at the attribute set level so anyone assigned permissions here will only be able to manage attributes inside this attribute set. For example, if you require for another admin to create attributes inside this attribute set, here is where you configure the permissions, and that admin would only be able to manage this attribute set and not any others you may create in the future. I won’t be adding any additional admins to these built in roles.
7. Next, I add attributes inside my newly created attribute set, click Add attribute
8. Here is my attribute. It is one for Staff Security Clearance.
Attribute Name: SecurityCleared
Description: Levels of Security Clearance
Allow multiple values to be assigned: I have set to no as in this example I only wish to assign one of the four values to employees. However, if there was a requirement to assign more than one of these values to an employee, I would enable this option.
Only allow predefined values to be assigned: I only wish to assign one of the four values I have defined below. BPSS, SC, CTC and DV are the national security vetting clearance levels in the UK.
9. Click save
10. Next, I need to assign one of the four security levels to a user. For this example, my demo user called Lynne Robbins has a security clearance of SC so I would like to apply this to the account. I locate Lynne’s account in Entra ID and click Custom security attributes as shown below.
11. I receive a permissions error. I have the role of Attribute Definition Administrator. I can create custom security attributes but can not assign them to users. For the purpose of this demo, I assign my account the Attribute Assignment Administrator role which will allow me to assign custom security attributes to users.
12. I try again after assigning the required role. Log out and back into the portal if needed. Click Add assignment,
13. I assign the SC security clearance attribute to Lynne. Because I initially configured the attribute to only allow the assignment of one value, I can not add multiple values to Lynne. Click save.
Done. Let’s search for all users who have security clearance of SC. It should only be Lynne.
14. In Entra ID, click users
15. Click Add filter
16. Click Custom security attributes from the filter list.
17. I select value of SC and click apply
18. One user found, it’s Lynne. Lynne is the only employee who is SC cleared
If anyone in the organisation attempts to access the Custom Security Attribute filter without the required permissions, they will not be able to access and receive an access denied message. These secure attributes can only be searched by admins with the assigned roles as mentioned earlier.
I hope this helps.
If you wish to learn more about custom security attributes, add them to an application or use in conditional access policies, visit the Microsoft Learn links below,
– What are custom security attributes in Microsoft Entra ID?
– Manage custom security attributes for an application
– Filter for applications in Conditional Access policy