Like on-premises Active Directory, Azure AD is used to store various objects (users, groups, or devices). All AAD objects have a predefined set of attributes that can be configured using the Azure AD portal or PowerShell. In addition to the standard set of attributes, you can add additional attributes for your AAD users. For example, custom ADDS attributes can be added to the on-premises Active Directory schema and then synced as an extension attribute of Active Directory users using Azure AD Connect.
Azure AD recently introduced a new feature that allows you to create your own custom security attributes to help you extend user profiles. Custom security attributes are business-specific attributes (key-value pairs) that can be configured and assigned to Azure AD objects. Custom user security attributes are supported in the Azure portal, PowerShell, and the Microsoft Graph API (but not in the Microsoft 365 Admin Center).
To create custom security attributes in Azure AD, you need:
- at least an Azure AD Premium P1 subscription;
- the Attribute definition administrator role assigned to your account (by default, the Global Administrator and Privileged Role Administrator roles do not have privileges to add custom security attributes).
- Sign in to Azure AD Portal.
- Go to Azure Active Directory > Roles and administrators.
- Assign the following roles to your account:
— Attribute assignment administrator;
— Attribute assignment reader;
— Attribute definition administrator;
— Attribute definition reader.
- Sign out of the Azure Portal and sign in again: the new roles only take effect for a fresh sign-in, and you cannot create attribute definitions until then;
- Go to Azure Active Directory > Custom security attributes, click on the Add attribute button;
- Type the name of the new attribute set and the maximum number of attributes in it;
- Now select your attribute set and click on Add attribute;
- You need to specify the attribute name, description, data type (String/Boolean/Integer);
- You can use multi-value attributes. Also, you can set a predefined list of values for String and Integer attribute types;
- Now you need to assign the new set of attributes to a supported AAD object type. In this example, we’ll assign a new set of attributes to the user;
- Go to AAD Users > select a user > select the Custom security attributes > click on Add assignment;
- Select the previously created attribute and set its value.
Note that user attributes and attribute sets cannot currently be deleted. They can only be deactivated.
AAD’s custom security attributes are currently in the preview stage, but should soon be available to all Azure tenants.
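The same procedure can be scripted instead of clicked through. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest cmdlet to call the Graph REST endpoints for attribute sets, attribute definitions and user assignments, so the request bodies are exactly what the Graph API expects. The attribute set name "Engineering", the attribute names "ProjectDate" and "Projects", their predefined values, and the user principal name are constructed for the example; the account running it needs the Attribute definition administrator role for steps 1, 2 and 5 and the Attribute assignment administrator role for steps 3 and 4, as described above.

```powershell
# Added example (not part of the original post). Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph). Names "Engineering", "ProjectDate", "Projects"
# and the UPN below are constructed placeholders.
$Graph = "https://graph.microsoft.com/v1.0"
$Upn   = "alice@contoso.example"   # constructed; replace with a real user

# Delegated scopes for defining attributes and assigning them to users.
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All",
                        "CustomSecAttributeAssignment.ReadWrite.All",
                        "User.Read.All"

# 1. Attribute set: the container. Its id is the set name, and it cannot be
#    deleted afterwards, so choose it deliberately.
$set = @{
    id                  = "Engineering"
    description         = "Engineering project metadata"
    maxAttributesPerSet = 25
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/directory/attributeSets" -Body $set

# 2a. Single-value String attribute with free-form values.
$projectDate = @{
    attributeSet            = "Engineering"
    name                    = "ProjectDate"
    type                    = "String"
    status                  = "Available"
    isCollection            = $false
    isSearchable            = $true
    usePreDefinedValuesOnly = $false
    description             = "Project start date (YYYY-MM-DD)"
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$Graph/directory/customSecurityAttributeDefinitions" -Body $projectDate

# 2b. Multi-value String attribute restricted to a predefined list of values.
$projects = @{
    attributeSet            = "Engineering"
    name                    = "Projects"
    type                    = "String"
    status                  = "Available"
    isCollection            = $true
    isSearchable            = $true
    usePreDefinedValuesOnly = $true
    description             = "Projects the user is assigned to"
    allowedValues           = @(
        @{ id = "Alpine"; isActive = $true },
        @{ id = "Baker";  isActive = $true }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$Graph/directory/customSecurityAttributeDefinitions" -Body $projects

# 3. Assign values to one user. The set name is the key; "@odata.type" is
#    mandatory, and a multi-value attribute needs its own "<name>@odata.type".
$assignment = @{
    customSecurityAttributes = @{
        Engineering = @{
            "@odata.type"         = "#microsoft.graph.customSecurityAttributeValue"
            ProjectDate           = "2023-01-15"
            "Projects@odata.type" = "#Collection(String)"
            Projects              = @("Alpine", "Baker")
        }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$Graph/users/$Upn" -Body $assignment

# 4. Read the values back. The property is only returned when selected explicitly.
$uri  = "$Graph/users/$Upn" + '?$select=id,customSecurityAttributes'
$user = Invoke-MgGraphRequest -Method GET -Uri $uri
$user.customSecurityAttributes.Engineering

# 5. Definitions cannot be deleted, only deactivated: set status to "Deprecated".
#    A definition's id has the form "<attributeSet>_<name>".
$defId = "Engineering_ProjectDate"
Invoke-MgGraphRequest -Method PATCH `
    -Uri "$Graph/directory/customSecurityAttributeDefinitions/$defId" `
    -Body @{ status = "Deprecated" }
```

Because the bodies are plain hashtables serialized to JSON by Invoke-MgGraphRequest, the same payloads can be sent from any Graph client; step 4 is also the way to retrieve the attributes from PowerShell for reporting, since custom security attributes are not included in a default user read.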
3 comments
Nice! Do I need an on-prem AD to use these on the AAD side? … and how do I access these attributes via PowerShell?
Hi Cyril,
Do you know if we can use Custom security attributes for AAD dynamic security groups?
It seems that the assignment is only for the selected user. Is it possible to assign it to all users, and auto-assign it to newly created users?