Managing identities securely and efficiently has become crucial for compliance and operational success across modern enterprise environments. While Microsoft Entra ID offers robust default user and app profiles, sometimes you need to store custom business-specific attributes that the default setup doesn’t support. That’s where Custom Security Attributes in Entra ID come into play. This blog will guide you on what custom security attributes in Entra ID are, why they’re useful, and how to configure them in the organization.

What are Custom Security Attributes in Entra ID?

Custom security attributes are like special tags you can add to your users or applications in Microsoft Entra ID. They consist of key-value pairs, allowing you to define a label and assign it a specific value. This structure helps you categorize and control access to users and apps more efficiently. Fully customizable, the attributes can be tailored to align with your organization’s specific requirements.

Why Use Custom Security Attributes?

Here are some practical scenarios where custom security attributes add value:

1. Add Extra Employee Information: You can store additional data about users, such as hourly salary, employee type, clearance level, etc. This info might not be available in the default Entra ID user profile, but you can easily add it using custom attributes.

Tip: If you’re dealing with a large user base, the bulk edit feature in Entra ID helps apply properties efficiently across multiple accounts, saving time and effort.

2. Restrict Visibility to Sensitive Fields: Let’s say you add an attribute like “Hourly Salary” to employee profiles. You don’t want everyone to see this. With custom security attributes, you can make sure only HR or admins with the right role can view or update it.

3. Control Access to Azure Resources: Suppose you want to allow only members of Project X to access a specific Azure storage container. You can assign an attribute and create a rule that only the users with that attribute can access the resource.

In short, custom security attributes let you shape your Entra environment the way your business works, securely, flexibly, and smartly.

Pre-requisites to Apply Entra ID Custom Attributes

Before you can assign or manage custom security attributes, ensure that:

  • You have a Microsoft Entra account with an active subscription.
  • You have the Attribute Assignment Administrator and Attribute Definition Administrator roles assigned.

Note: Even Global Admins don’t have access to define or assign these attributes by default.

Steps to Configure Attribute Set in Microsoft Entra ID

Add an Attribute Set in Microsoft Entra ID

To begin organizing and managing custom security attributes, you’ll first need to create an attribute set:

  1. Sign in to the Microsoft Entra admin center using an Attribute Definition Administrator account.
  2. Navigate to Protection → Custom security attributes.
  3. Select Add attribute set. (If the option is disabled, you haven’t been assigned the right role.)
  4. Enter the Name, Description, and Maximum number of attributes.
  5. Click Add.

Once added, your new attribute set will appear in the list. You can now start defining attribute definitions within it.

Define a Custom Security Attribute in Microsoft Entra ID

Follow the steps below to define a custom security attribute in Microsoft Entra ID.

  1. On the Custom security attributes page in Entra ID, open an existing attribute set or create a new one.
  2. Select Add attribute.
  3. Name the attribute. The name can be up to 32 characters long and must not contain spaces or special characters.
  4. Select a data type for the attribute. You can choose between Boolean, Integer, or String.
  5. Specify whether multiple values can be assigned to the attribute. If you select “Yes,” the attribute can hold more than one value. If you select “No,” the attribute will only allow a single value.
  6. Decide if only predefined values should be allowed. If you select “Yes,” the attribute must be assigned values from a predefined list. If you select “No,” the attribute can accept user-defined values as well.

When you have entered all the necessary information, click “Save.” The new custom security attribute is now defined in the selected attribute set.

How to Assign Custom Security Attributes to a User in Microsoft Entra?

As we already defined the custom security attributes in the previous section, we can now move on to assigning them to users. Follow the steps below to proceed.

  1. Sign in to the Microsoft Entra admin center using an account with the Attribute Assignment Administrator role.
  2. Navigate to Identity → Users → All Users.
  3. Select the user you want to assign attributes to.
  4. Under the Manage section, click Custom security attributes.
  5. Click Add assignment.
  6. From the Attribute set dropdown, choose the relevant attribute set.
  7. Under the Attribute name, pick the custom security attribute you want to assign.
  8. Depending on the attribute type, provide the appropriate value:
  • Single-valued: Type the value into the Assigned values box.
  • Predefined values: Select a value from the list of Assigned values.
  • Multi-valued attributes: Click Add values, input the values in the Attribute values pane, then select Done.
  9. Once you have added the necessary values, click Save to complete the assignment.

Remove Custom Security Attributes from a User

Follow the steps below to remove an existing attribute assignment.

  1. Sign in as an Attribute Assignment Administrator.
  2. Go to Identity > Users > All users and select the user.
  3. Click Custom security attributes under Manage.
  4. Check the attributes to remove.
  5. Click Remove assignment.

You can also update the values of a custom security attribute for a user by opening the user profile and editing the assigned attributes.

Assign Custom Security Attributes to an Application in Microsoft Entra

To assign custom security attributes to an application, you need to follow the same steps as you would for a user. However, the navigation path is slightly different. Instead of going to Identity → Users → All Users, you’ll navigate to:

Identity → Applications → Enterprise applications

From there, select the application and proceed with assigning the required custom security attributes through the Microsoft Entra admin center.

  • To assign, sign in as an Attribute Assignment Administrator, go to Entra ID > Enterprise apps, choose the app, and then add attributes from predefined sets with single or multiple values.
  • To update, you can only modify the attribute values—not the attribute name or set.
  • To filter, use the All applications page with the custom security attribute filter options.
  • To remove, select the relevant application and delete the assigned attributes from the Custom security attributes section.

Tip: Once custom security attributes are assigned, consider reviewing your application management policies in Entra ID. This ensures consistent governance and secure access control for applications using those attributes.

Manage Custom Security Attributes Using Microsoft Graph PowerShell

You can also manage custom security attributes using the Microsoft Graph API and PowerShell. This allows administrators to assign, update, or remove attributes, which is especially helpful for bulk operations or automation. These attributes can be of various data types, such as String, Integer, Boolean, and collections, and are grouped under attribute sets.

Assign or Update a Custom Security Attribute Using MS Graph

You can use the cmdlet Update-MgUser to assign or update custom security attributes for a user.

To assign a single attribute, run the following.

The above command assigns the user to the “Engineering” category and sets a project date of May 15, 2025.

You can also filter users based on attribute values using PowerShell queries, such as filtering by country or project.
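
The following is an added example, not the command from the original post. It shows an assignment with Update-MgUser, a read-back to confirm the write, and a filter on the assigned value. It assumes an attribute set named Engineering containing a single-valued String attribute named ProjectDate (both names are assumptions) and a placeholder user ID.

```powershell
# Added example. "Engineering" (attribute set) and "ProjectDate" (String attribute)
# are assumed names; use a set and definition that already exist in your tenant.

# The signed-in account needs the Attribute Assignment Administrator role;
# the delegated scopes alone are not sufficient.
Connect-MgGraph -Scopes "User.ReadWrite.All", "CustomSecAttributeAssignment.ReadWrite.All"

$userId = "<user-object-id-or-UPN>"   # placeholder, replace before running

# Each attribute set is a nested hashtable that carries the
# CustomSecurityAttributeValue type marker plus the attribute/value pairs.
$customSecurityAttributes = @{
    "Engineering" = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        "ProjectDate" = "2025-05-15"
    }
}

Update-MgUser -UserId $userId -CustomSecurityAttributes $customSecurityAttributes

# Read back what was written. customSecurityAttributes is never returned by
# default, so it must be requested explicitly with -Property.
$user = Get-MgUser -UserId $userId -Property "customSecurityAttributes"
$user.CustomSecurityAttributes.AdditionalProperties | Format-List

# Find every user carrying the same value. Filtering on custom security
# attributes is an advanced query, so -ConsistencyLevel eventual and
# -CountVariable are required.
$matched = Get-MgUser -All `
    -Property "id,displayName,customSecurityAttributes" `
    -Filter "customSecurityAttributes/Engineering/ProjectDate eq '2025-05-15'" `
    -ConsistencyLevel eventual `
    -CountVariable matchCount

$matched | Select-Object Id, DisplayName
Write-Output "Users with Engineering/ProjectDate = 2025-05-15: $matchCount"
```

Attribute set and attribute names are case-sensitive, so the keys in the hashtable and in the filter path must match the definitions exactly.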

Limitations and Constraints in Custom Security Attributes

When working with custom security attributes, the following limitations and constraints apply:

  • You can create up to 500 attribute sets and 500 attribute definitions per tenant.
  • Attribute and attribute set names can be up to 32 Unicode characters long and are case-sensitive.
  • Descriptions can have up to 128 Unicode characters.
  • Each attribute definition can have up to 100 predefined values.
  • Each assigned attribute value can be up to 64 Unicode characters in length.
  • You can assign up to 50 values per attribute to a single object.
  • Special characters are not allowed in attribute values.
  • Custom security attributes cannot be used in dynamic group membership rules.
  • These attributes are not visible to end users or guest users, regardless of permissions.

I hope this blog helps you understand custom attributes in Microsoft Entra ID. Feel free to reach out to us through the comments section if you have any queries.