Custom Security Attributes
Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. For more information, refer to Custom security attributes in Microsoft Entra.
In addition to the schema attributes listed in the Schema Attributes section, the connector supports managing the custom security attributes that are defined in Azure. Creating a local user (B2C) also supports custom attributes.
Supported Operations
- Aggregation of assigned custom security attributes for MS Entra ID users.
- Aggregation of assigned custom security attributes for Service Principals.
- Aggregation of assigned custom security attributes for User-Assigned Managed Identities.
- Aggregation of assigned custom security attributes for System-Assigned Managed Identities.
- Assign, update, remove, and delete custom security attributes for MS Entra ID users.
Note
The connector only aggregates (read-only) custom security attribute values for service principals and managed identities. Provisioning is supported only for MS Entra ID users.
Required Permissions
Assign the following permissions to the Microsoft Entra ID source to manage custom security attributes:
| Purpose | Permissions |
|---|---|
| To aggregate assigned custom security attributes | Attribute Assignment Reader |
| To assign, update, delete, and remove custom security attributes | Attribute Assignment Administrator |
Adding Custom Security Attributes
To aggregate custom security attributes, you must update the Account Schema with the custom attribute names. Ensure the custom security attribute name matches the Attribute set and Attribute name defined on the Microsoft Entra ID system. Refer to the following table to define the attributes in the Account Schema:
| Attribute Type | Example | Custom Attribute Format |
|---|---|---|
| Single-valued and Multivalued | - | `customSecurityAttributes_<Attribute set name>_<Attribute name>` |
| Multiple Attribute Sets | Attribute 1: Attribute set = Engineering, Attribute = Project, Attribute data type = Collection of Strings, Attribute value = ["Baker","Cascade"] | `customSecurityAttributes_Engineering_Project` (Data Type – String, isMulti – True) |
| Multiple Attribute Sets | Attribute 2: Attribute set = Engineering, Attribute = ProjectDate, Attribute data type = String, Attribute value = "2022-10-01" | `customSecurityAttributes_Engineering_ProjectDate` (Data Type – String) |
| Multiple Attribute Sets | Attribute 3: Attribute set = Marketing, Attribute = EmployeeId, Attribute data type = String, Attribute value = "QN26904" | `customSecurityAttributes_Marketing_EmployeeId` (Data Type – String) |
Managing Custom Security Attributes
To manage assignments (assigning, updating, and removing custom security attributes for MS Entra ID users), you must add the attributes to the Account Schema and also add them, in the same format, to the Create Account section in the ISC user interface.
To manage the identity types listed in the following table, go to Feature Management > Managed Identities Settings and enable the corresponding option.
| Identity Type | Setting to Enable |
|---|---|
| User-Assigned Managed Identities | Manage User-Assigned Managed Identities as Accounts |
| System-Assigned Managed Identities | Manage System-Assigned Managed Identities as Accounts |
| Microsoft Entra Service Principals | Manage Microsoft Entra Service Principals as Accounts |
Note
Select the Aggregate Custom Security Attributes checkbox when you need to aggregate custom security attributes for these identities.