Microsoft Entra ID introduces custom security attributes, a powerful way to define and assign business-specific attributes (key-value pairs) to Microsoft Entra objects. These attributes provide flexibility in storing information, categorizing objects, or enforcing fine-grained access control over Azure resources. Additionally, custom security attributes integrate seamlessly with Azure Attribute-Based Access Control (ABAC).
Why Use Custom Security Attributes?
Custom security attributes are invaluable in scenarios where business-specific attributes enhance functionality. For instance:
- Extending user profiles: Add fields like Hourly Salary to employee profiles and restrict visibility to administrators.
- Application categorization: Organize hundreds or thousands of applications to enable filterable auditing inventories.
- Enhanced access control: Grant access to Azure Storage blobs for specific projects based on attributes.
Key Capabilities of Custom Security Attributes
With custom security attributes, you can:
- Define tenant-wide, business-specific information.
- Assign attributes to users and applications.
- Manage objects using queries and filters.
- Govern attribute access for enhanced control over sensitive data.
Limitations:
- Not supported in Microsoft Entra Domain Services.
- Not applicable for Security Assertion Markup Language (SAML) token claims.
Understanding Azure Attribute-Based Access Control (ABAC)
Azure ABAC enhances Azure Role-Based Access Control (RBAC) by allowing permissions based on attributes. These attributes can belong to security principals, resources, or the environment.
Role Assignment Conditions
Azure ABAC adds role assignment conditions to refine access control. These conditions act as filters, granting permissions only if specific criteria are met. For example, you can grant a user read access to blobs in your subscription only if the blobs are tagged as Project=Blue.
Benefits of Role Assignment Conditions:
- Fine-grained access control: Add conditions to limit permissions.
- Reduced role assignments: Simplify management by consolidating thousands of role assignments into a few conditional ones.
- Business-relevant attributes: Use tags like project names or classification levels to manage access.
Example Scenarios:
- Read access to blobs tagged Project=Cascade.
- Write access to blobs with specific paths.
- Access restricted by time or network location.
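The Project=Cascade scenario written out as an Azure ABAC condition and attached to a Storage Blob Data Reader assignment with Az PowerShell, as an added example that is not from the original post. The attribute set Engineering and its String attribute Project, the storage account scope and the object ID are assumptions or placeholders; the principal half of the condition is what ties the assignment to the user's custom security attribute.

```powershell
# Added example (not from the original post). Scope path and object ID are placeholders;
# the attribute set "Engineering" with attribute "Project" is an assumed definition.
$scope       = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"
$principalId = "<user-object-id>"

# Single-quoted here-string so $key_case_sensitive$ is passed through literally.
# The first branch leaves every action other than blob read unrestricted; the second
# branch allows a blob read only when BOTH the blob tag and the principal's custom
# security attribute are Project=Cascade.
$condition = @'
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
 )
 OR
 (
  @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEquals 'Cascade'
  AND
  @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals 'Cascade'
 )
)
'@

Connect-AzAccount

# One conditional assignment instead of one assignment per container or project.
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName 'Storage Blob Data Reader' `
                     -Scope $scope `
                     -Condition $condition `
                     -ConditionVersion '2.0'

# Verify the condition actually landed on the assignment (review this in audits).
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, ConditionVersion, Condition
```

Because the condition only narrows the blob read action, the other permissions in the role (for example listing containers) are still granted unconditionally; review the assignment with that in mind.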
Features of Custom Security Attributes
Custom security attributes support:
- Tenant-wide definitions.
- An optional description per attribute set and attribute.
- Multiple data types: Boolean, integer, string.
- Single or multi-value configurations.
- User-defined free-form or predefined values.
- Users synchronized from on-premises directories.
You can assign these attributes to:
- Microsoft Entra users.
- Microsoft Entra enterprise applications (service principals).
Comparison with Extensions
Capability | Extensions | Custom Security Attributes |
---|---|---|
Extend Microsoft Entra objects | Yes | Yes |
Supported Objects | Depends on the extension type | Users & service principals |
Restricted access | No | Yes |
Sensitive data storage | No | Yes |
Licensing requirements | All editions | All editions |
Custom Security Attribute Properties
The following table lists the properties you can specify for attribute sets and custom security attributes. Some properties are immutable and cannot be changed later.
Property | Description |
---|---|
Attribute set name | Name of the attribute set. Must be unique within a tenant. Cannot include spaces or special characters. |
Attribute set description | Description of the attribute set. |
Maximum number of attributes | Maximum number of custom security attributes that can be defined in an attribute set. Default value is null. If not specified, the administrator can add up to the maximum of 500 active attributes per tenant. |
Attribute set | A collection of related custom security attributes. Every custom security attribute must be part of an attribute set. |
Attribute name | Name of the custom security attribute. Must be unique within an attribute set. Cannot include spaces or special characters. |
Attribute description | Description of the custom security attribute. |
Data type | Data type for the custom security attribute values. Supported types are Boolean, Integer, and String. |
Allow multiple values to be assigned | Indicates whether multiple values can be assigned to the custom security attribute. If data type is set to Boolean, cannot be set to Yes. |
Only allow predefined values to be assigned | Indicates whether only predefined values can be assigned to the custom security attribute. If set to No, free-form values are allowed. Can later be changed from Yes to No, but cannot be changed from No to Yes. If data type is set to Boolean, cannot be set to Yes. |
Predefined values | Predefined values for the custom security attribute of the selected data type. More predefined values can be added later. Values can include spaces, but some special characters are not allowed. |
Predefined value is active | Specifies whether the predefined value is active or deactivated. If set to false, the predefined value cannot be assigned to any additional supported directory objects. |
Attribute is active | Specifies whether the custom security attribute is active or deactivated. |
Limits and Constraints
Resource | Limit |
---|---|
Active Attribute Definitions | 500 |
Attribute Sets per Tenant | 500 |
Predefined Values per Definition | 100 |
Attribute Value Length | 64 Unicode characters |
Custom Security Attribute Roles
Role | Permissions |
---|---|
Attribute Definition Reader | Read attribute sets and definitions. |
Attribute Definition Administrator | Manage all aspects of attribute sets and definitions. |
Attribute Assignment Reader | Read keys and values for users and service principals. |
Attribute Assignment Administrator | Read and update keys and values for users and service principals. |
Attribute Log Reader | Access audit logs for custom security attributes. |
Attribute Log Administrator | Configure diagnostic settings and read audit logs. |
Steps to Use Custom Security Attributes
1. Check Permissions
Confirm that your account holds the Attribute Definition Administrator and Attribute Assignment Administrator roles.
2. Add Attribute Sets
Create an attribute set to hold the attributes you will define next. Group related attributes in the same set for easier management and organization.
3. Define Attributes
To add a new custom security attribute to an attribute set, follow these steps:
- Add the Attribute: Select Add Attribute to create a new custom security attribute within the attribute set. In the Attribute Name field, enter a unique name for the custom security attribute. The name must be 32 characters or fewer, without spaces or special characters. Once set, the attribute name cannot be renamed.
- Add an Optional Description: In the Description field, provide a brief description (up to 128 characters). The description can be updated later if needed.
- Choose the Data Type: From the Data Type dropdown menu, select Boolean (a true/false value, i.e., True or False), Integer (a 32-bit integer value), or String (a text value of a specified length).
- Allow Multiple Values: For Allow multiple values to be assigned, choose Yes to enable assigning multiple values to this attribute, or No to restrict it to a single value.
- Specify Predefined Values: For Only allow predefined values to be assigned, choose Yes to limit values to a predefined list; if selected, click Add Value to define these predefined values. An active value is available for assignment, while an inactive value remains defined but unavailable. Choose No to permit user-defined values or a mix of predefined and free-form values.
- Save the Attribute.
4. Assign Attributes
To assign custom security attributes, log in to the Microsoft Entra admin center with the required permissions. Navigate to Identity > Users > All users, find and select the user to whom you want to assign attributes, and access the Custom security attributes option.
Click on Add assignment, choose an attribute set from the Attribute set list, and select a custom security attribute from the Attribute name list. Depending on the properties of the selected attribute, you can either enter a single value in the Assigned values box, select a value from a predefined list, or add multiple values using the Add values option. Once the required values are assigned, click Save to finalize the assignment.
After assigning a custom security attribute, you can modify its value, but other properties, such as the attribute set or attribute name, cannot be changed. Updating values is straightforward: for freeform attributes, simply edit the value in the Assigned values box; for predefined attributes, select a different value from the list; and for multi-valued attributes, add or remove values as needed. Custom security attributes provide an efficient way to manage access and organizational resources with flexibility and precision.
5. Manage Attribute Sets
To manage access, you need the Attribute Assignment Administrator role. Each custom security attribute must belong to an attribute set, which serves as a way to group and organize related attributes. You should decide how to structure attribute sets based on your organization's needs, such as grouping by departments, teams, or projects. This organization is key to effectively managing and granting access to custom security attributes.
The scope of access defines the set of resources that permissions apply to. For custom security attributes, roles can be assigned at either the tenant scope or the attribute set scope. Assigning roles at the tenant scope allows broad access across all attribute sets. Conversely, assigning roles at the attribute set scope enables you to limit access to specific attribute sets, ensuring that sensitive data remains secure and accessible only to relevant users or groups.
- Select the attribute set for which you want to grant access.
- Go to Roles and Administrators and add assignments for the custom security attribute roles.
When a user is added to the assignments through Custom Security Attributes, the scope will be automatically set to This resource.
Note:
If you are using Microsoft Entra Privileged Identity Management (PIM), eligible role assignments at the attribute set scope are not currently supported. However, permanent role assignments at the attribute set scope are supported.
6. Use Attributes
You can filter the custom security attributes assigned to users directly from the All users page in the Microsoft Entra admin center.
- Sign In: Log in to the Microsoft Entra admin center with the Attribute Assignment Reader role.
- Navigate to Users: Go to Identity > Users > All users.
- Add a Filter: Click Add filter to open the filter pane.
- Select Attributes: Choose Custom security attributes.
- Specify Attribute Details: Select your attribute set and attribute name.
- Choose an Operator: equals (==), not equals (!=), or starts with.
- Enter a Value: Enter or select the desired value.
This allows you to refine the user list based on custom security attribute criteria.
7. Deactivate a Custom Security Attribute Definition
Once a custom security attribute definition is created, it cannot be deleted, but it can be deactivated. Follow these steps to deactivate a custom security attribute definition:
- Sign In: Log in to the Microsoft Entra admin center with the Attribute Definition Administrator role.
- Navigate to Custom Security Attributes: Go to Protection > Custom Security Attributes.
- Select the Attribute Set: Choose the attribute set containing the custom security attribute you want to deactivate.
- Mark the Attribute: In the list of custom security attributes, check the box next to the attribute you wish to deactivate.
- Deactivate the Attribute: Click Deactivate Attribute.
- Confirm Deactivation: In the confirmation dialog, select Yes.
Deactivated definitions do not count toward the tenant-wide limit of 500 active definitions. Note that you can only activate or deactivate custom security attribute definitions; deletion is not supported.
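The same lifecycle (steps 2, 3, 4, 6 and 7 above) driven through Microsoft Graph PowerShell, as an added example that is not part of the original post. The attribute set Engineering, the attribute Project and its values are constructed names and <user-object-id> is a placeholder; step 5 (scoping the attribute roles to a set) is left to the portal procedure above.

```powershell
# Added example (not from the original post). "Engineering", "Project" and the values are
# constructed names; <user-object-id> is a placeholder. The signed-in account must hold the
# Attribute Definition Administrator and Attribute Assignment Administrator roles (step 1).
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All",
                        "CustomSecAttributeAssignment.ReadWrite.All",
                        "User.Read.All"

# Step 2: create the attribute set. Its name is fixed once created; description and limit are not.
New-MgDirectoryAttributeSet -BodyParameter @{
    id                  = "Engineering"
    description         = "Attributes owned by the engineering organisation"
    maxAttributesPerSet = 25
}

# Step 3: a single-valued String attribute that only accepts predefined, active values.
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter @{
    attributeSet            = "Engineering"
    name                    = "Project"
    description             = "Project the user is cleared for"
    type                    = "String"
    status                  = "Available"
    isCollection            = $false
    isSearchable            = $true
    usePreDefinedValuesOnly = $true
    allowedValues           = @(
        @{ id = "Cascade"; isActive = $true }
        @{ id = "Baker";   isActive = $true }
    )
}

# Step 4: assign the value to a user. Afterwards only the value can change, not set or name.
Update-MgUser -UserId "<user-object-id>" -BodyParameter @{
    customSecurityAttributes = @{
        Engineering = @{
            "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
            Project       = "Cascade"
        }
    }
}

# Step 6: list every user holding the value (advanced query: ConsistencyLevel and $count required).
Get-MgUser -Filter "customSecurityAttributes/Engineering/Project eq 'Cascade'" `
           -ConsistencyLevel eventual -CountVariable matched `
           -Property Id, DisplayName, CustomSecurityAttributes |
    Select-Object Id, DisplayName

# Step 7: deactivate the definition. Definition IDs are "<set>_<name>"; "Deprecated" is the
# deactivated status. Deprecated definitions stop counting toward the 500 active-definition limit.
Update-MgDirectoryCustomSecurityAttributeDefinition `
    -CustomSecurityAttributeDefinitionId "Engineering_Project" `
    -BodyParameter @{ status = "Deprecated" }
```

Reading assignments back requires Attribute Assignment Reader or Administrator; an ordinary Get-MgUser without that role returns the user but no customSecurityAttributes property.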
Conclusion
Custom security attributes in Microsoft Entra ID empower organizations to implement business-specific enhancements and enforce granular access control. By leveraging Azure ABAC and role assignment conditions, businesses can achieve dynamic, attribute-driven security. Whether extending user profiles, categorizing applications, or implementing advanced access policies, custom security attributes offer unparalleled flexibility and control.