One of the things that was always more or less “difficult” to do in Azure AD was adding custom attributes. The ability to do schema extensions is there, but it requires either Microsoft Graph or PowerShell to manage such extensions. You could also sync on-premises attributes for hybrid identities, but that’s not always an option. On December 1st, 2021, Microsoft announced the availability of a public preview for something they call Custom Security Attributes. This blog post will give you some more insight into how to use this feature.
The State of Custom Attributes in AAD
As explained in the intro, there have been a few possible ways to add custom attributes to Azure AD:
- Adding custom extensions using Microsoft Graph as described here
- Adding custom extension attributes using Azure AD Connect as you can see here
- PowerShell cmdlets like Set-AzureADUserExtension
These all offer their own benefits and add their own level of complexity. What all of them lack is:
- Fine grained control over who can update such custom attributes and the ability to delegate this
- A nice web based UI to manage custom attributes
This is where the new public preview of Custom Security Attributes comes into the picture. It allows you to manage custom attributes via the Azure AD Admin Center, PowerShell or Microsoft Graph. At the same time, Microsoft also introduces a new set of privileged roles that can be assigned to manage custom attributes (including the ability to delegate this).
New Privileged Roles
Managing the custom security attributes requires one of the following roles:
Attribute Sets and Attributes
When defining custom security attributes, the first thing you’re confronted with is the need to create an attribute set:
After creating a new attribute set, you can add one or more custom attributes:
As you can see, you have control over what you would like to name the attribute, what type it is and whether it allows multiple values or not. At the moment, you cannot delete attributes; you can only deactivate them.
Assigning Custom Attributes to Users or Applications
Once a new custom attribute set has been defined, it can be assigned to individual users or applications:
Once assigned, the custom attributes can be retrieved using PowerShell or Microsoft Graph. Microsoft is also working on making these attributes available to other applications and systems, and will hopefully also add the ability to use these custom security attributes in SAML claims mapping.
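As an added example (not code from the original post or from Microsoft), the following Python builds the Microsoft Graph PATCH body that assigns values from an attribute set to a user, validating each value against the attribute definitions (type and single/multi-valued) before anything is sent, and reads a value back from a fetched user object. The attribute set "Engineering" and its attributes are constructed sample data; the payload shape (the customSecurityAttributes property, the customSecurityAttributeValue OData type and the @odata.type annotations for Int32 and collections) is taken from the Graph documentation for this preview and should be checked against the current docs.

```python
"""Build and validate a Graph PATCH body for custom security attributes."""
from typing import Any

# OData type Graph expects for each attribute-set entry (per the preview docs).
ATTR_VALUE_TYPE = "#microsoft.graph.customSecurityAttributeValue"
# Single-valued Integer needs an annotation so JSON numbers are not ambiguous;
# String and Boolean values need none.
SINGLE_ANNOTATION = {"Integer": "#Int32"}
# Only String and Integer attributes can allow multiple values.
COLLECTION_ANNOTATION = {"String": "#Collection(String)", "Integer": "#Collection(Int32)"}
PY_TYPES = {"String": str, "Integer": int, "Boolean": bool}

# Constructed sample attribute set "Engineering" as defined in the admin
# center: attribute name -> (type, allows multiple values)
ENGINEERING = {
    "Project": ("String", True),
    "CostCenter": ("Integer", False),
    "Contractor": ("Boolean", False),
}


def build_assignment(attr_set: str, definitions: dict, values: dict) -> dict:
    """Return the JSON body for PATCH /users/{id}, or raise if a value does not
    match its definition (unknown attribute, wrong type, list on a
    single-valued attribute) so bad data never reaches the tenant."""
    entry: dict[str, Any] = {"@odata.type": ATTR_VALUE_TYPE}
    for name, value in values.items():
        if name not in definitions:
            raise ValueError(f"{name} is not defined in attribute set {attr_set}")
        attr_type, multi = definitions[name]
        is_list = isinstance(value, list)
        if is_list and not multi:
            raise ValueError(f"{name} does not allow multiple values")
        # bool is a subclass of int, so compare exact types to keep them apart
        if any(type(v) is not PY_TYPES[attr_type] for v in (value if is_list else [value])):
            raise TypeError(f"{name} expects {attr_type} values")
        if multi:
            entry[f"{name}@odata.type"] = COLLECTION_ANNOTATION[attr_type]
            entry[name] = value if is_list else [value]
        else:
            if attr_type in SINGLE_ANNOTATION:
                entry[f"{name}@odata.type"] = SINGLE_ANNOTATION[attr_type]
            entry[name] = value
    return {"customSecurityAttributes": {attr_set: entry}}


def read_attribute(user: dict, attr_set: str, name: str):
    """Extract one attribute from a user object fetched with
    GET /users/{id}?$select=customSecurityAttributes; None when unset."""
    return user.get("customSecurityAttributes", {}).get(attr_set, {}).get(name)
```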
It seems Custom Security Attributes are a powerful way of extending Azure AD. It remains to be seen how this will integrate with other parts of Azure AD, external applications and other services which are part of the Microsoft 365/Azure ecosystem. For now, Microsoft provides a flexible way of dealing with these attributes, and I hope to see a GA release soon! As soon as new features or updates are added, I’ll make sure to update this blog post.