Custom Security Attributes in Azure AD

One of the things that was always more or less “difficult” to do in Azure AD was adding custom attributes. Schema extensions are possible, but they require either Microsoft Graph or PowerShell to manage. You could also sync on-premises attributes for hybrid identities, but that’s not always an option. On December 1st, 2021, Microsoft announced the public preview of something they call Custom Security Attributes. This blog post gives you some more insight into how to use this feature.

The State of Custom Attributes in AAD

As explained in the intro, there have been a few ways to add custom attributes to Azure AD:

  • Adding custom extensions using Microsoft Graph (schema extensions), as described in Microsoft's documentation
  • Adding custom extension attributes using Azure AD Connect, as described in the Azure AD Connect documentation
  • PowerShell cmdlets like Set-AzureADUserExtension

These all offer their own benefits and add their own level of complexity. Two things are missing from all of them:

  • Fine grained control over who can update such custom attributes and the ability to delegate this
  • A nice web based UI to manage custom attributes

This is where the new public preview of Custom Security Attributes comes into the picture. It allows you to manage custom attributes via the Azure AD Admin Center, PowerShell or Microsoft Graph. At the same time, Microsoft introduces a new set of privileged roles that can be assigned to manage custom attributes (including the ability to delegate that management).

New Privileged Roles

Managing the custom security attributes requires one of the following roles:

Also worth noting: by default, even someone holding the Global Administrator role cannot manage custom security attributes, so you’ll need to make sure the correct privileged role is assigned explicitly.

Attribute Sets and Attributes

When defining custom security attributes, the first thing you’re confronted with is the need to create an attribute set:

Attribute sets are the top-level container for custom attributes. Each set has a maximum number of attributes (25 by default, but it can be raised to 500), and can be applied to applications or users. You can also delegate each set to additional users for management. This way you can give users who normally do not hold a broad privileged role the ability to manage the one attribute set that is relevant to them.

After creating a new attribute set, you can add one or more custom attributes:

As you can see, you control the attribute's name, its type, and whether it allows multiple values. At the moment, you cannot delete attributes; you can only deactivate them.

Assigning Custom Attributes to Users or Applications

Once a new custom attribute set has been defined, it can be assigned to individual users or applications:

Once assigned, the custom attributes can be retrieved using PowerShell or Microsoft Graph. Microsoft is also working on making these attributes available to other applications and systems, and hopefully will also add the ability to use these custom security attributes in SAML claims mapping.
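The whole workflow described above (create an attribute set, add an attribute definition, assign values to a user, read them back, and deactivate an attribute you no longer need) maps onto a handful of Microsoft Graph requests. The Python below is an added example and not code from the original post or from Microsoft: it builds each request body with the validation rules the post mentions (immutable set name, 25/500 attribute limit, deactivate instead of delete) and only sends anything when run directly with a token. The set name "Engineering", the attribute names and the user id are constructed sample values; the v1.0 base URL is an assumption (the preview originally lived under /beta), as are the exact limits on the set id.

```python
"""Build (and optionally send) the Microsoft Graph requests behind the
Custom Security Attributes workflow.  Added example with constructed
sample names; endpoints and body shapes follow the public Graph schema."""
import json
import re
import urllib.request

# Assumption: the feature moved from /beta (preview) to /v1.0.
GRAPH = "https://graph.microsoft.com/v1.0"


def attribute_set_payload(set_id, description, max_attrs=25):
    """Body for POST /directory/attributeSets.  The id is immutable once
    created; the per-set limit defaults to 25 and may be raised to 500."""
    # Assumption: Graph requires 1-32 alphanumeric characters for the id.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", set_id):
        raise ValueError("attribute set id: 1-32 alphanumeric characters")
    if not 1 <= max_attrs <= 500:
        raise ValueError("maxAttributesPerSet must be between 1 and 500")
    return {"id": set_id, "description": description,
            "maxAttributesPerSet": max_attrs}


def attribute_definition_payload(set_id, name, attr_type, description="",
                                 multi_valued=False, predefined_only=False):
    """Body for POST /directory/customSecurityAttributeDefinitions."""
    if attr_type not in ("Boolean", "Integer", "String"):
        raise ValueError("type must be Boolean, Integer or String")
    if predefined_only and attr_type == "Boolean":
        raise ValueError("Boolean attributes cannot use predefined values")
    return {"attributeSet": set_id, "name": name, "description": description,
            "type": attr_type, "status": "Available",
            "isCollection": multi_valued, "isSearchable": True,
            "usePreDefinedValuesOnly": predefined_only}


def deprecate_request(set_id, name):
    """Definitions cannot be deleted, only deactivated: PATCH the status to
    Deprecated.  The definition id is '<attributeSet>_<name>'."""
    return ("PATCH",
            f"/directory/customSecurityAttributeDefinitions/{set_id}_{name}",
            {"status": "Deprecated"})


def assignment_payload(set_id, values):
    """Body for PATCH /users/{id}.  values maps attribute name -> value.
    Integers and collections carry an @odata.type annotation so Graph
    stores them with the declared type instead of rejecting them."""
    block = {"@odata.type": "#microsoft.graph.customSecurityAttributeValue"}
    for name, value in values.items():
        if isinstance(value, bool):            # bool before int: bool is an int subclass
            block[name] = value
        elif isinstance(value, int):
            block[f"{name}@odata.type"] = "#Int32"
            block[name] = value
        elif isinstance(value, list):
            ints = value and all(isinstance(v, int) and not isinstance(v, bool)
                                 for v in value)
            block[f"{name}@odata.type"] = "#Collection(Int32)" if ints else "#Collection(String)"
            block[name] = value
        else:
            block[name] = str(value)
    return {"customSecurityAttributes": {set_id: block}}


def read_request(user_id):
    """Assigned values are not returned by default; select them explicitly."""
    return ("GET", f"/users/{user_id}?$select=customSecurityAttributes", None)


def graph_call(token, method, path, body=None):
    """Send one request.  Definitions need CustomSecAttributeDefinition.ReadWrite.All,
    assignments need CustomSecAttributeAssignment.ReadWrite.All (or the matching
    Attribute Definition / Attribute Assignment Administrator role)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}   # PATCH returns 204, no body


if __name__ == "__main__":
    import os
    token = os.environ["GRAPH_TOKEN"]            # obtained out of band
    user = "00000000-0000-0000-0000-000000000000"  # constructed placeholder id
    graph_call(token, "POST", "/directory/attributeSets",
               attribute_set_payload("Engineering", "Engineering team attributes"))
    graph_call(token, "POST", "/directory/customSecurityAttributeDefinitions",
               attribute_definition_payload("Engineering", "ProjectDate", "String"))
    graph_call(token, "PATCH", f"/users/{user}",
               assignment_payload("Engineering", {"ProjectDate": "2022-10-01"}))
    print(graph_call(token, *read_request(user)))
    graph_call(token, *deprecate_request("Engineering", "ProjectDate"))
```

The validation functions are deliberately separate from the sending function so the request bodies can be unit-tested without a tenant, and so a failed check (an attribute set name with spaces, a limit above 500, a Boolean attribute marked as predefined-values-only) is caught before any write hits the directory.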

Conclusion

Custom Security Attributes look like a powerful way of extending Azure AD. It remains to be seen how they will integrate with other parts of Azure AD, external applications, and other services in the Microsoft 365/Azure ecosystem. For now, Microsoft provides a flexible way of managing these attributes, and I hope to see a GA release soon! As new features or updates are added, I’ll make sure to update this blog post.