| title | description | author | manager | ms.author | ms.service | ms.subservice | ms.topic | ms.date | ms.collection |
|---|---|---|---|---|---|---|---|---|---|
Add or deactivate custom security attribute definitions in Microsoft Entra ID | Learn how to add new custom security attribute definitions or deactivate custom security attribute definitions in Microsoft Entra ID. | rolyon | femila | rolyon | entra | fundamentals | how-to | 11/27/2024 | M365-identity-device-management |
Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. This article describes how to add, edit, or deactivate custom security attribute definitions.
To add or deactivate custom security attributes definitions, you must have:
- Attribute Definition Administrator
- Microsoft.Graph module when using Microsoft Graph PowerShell
- AzureADPreview version 2.0.2.138 or later when using Azure AD PowerShell
[!INCLUDE security-attributes-roles]
An attribute set is a collection of related attributes. All custom security attributes must be part of an attribute set. Attribute sets cannot be renamed or deleted.
Sign in to the Microsoft Entra admin center as a Attribute Definition Administrator.
Browse to Entra ID > Custom security attributes.
Select Add attribute set to add a new attribute set.
If Add attribute set is disabled, make sure you are assigned the Attribute Definition Administrator role. For more information, see Troubleshoot custom security attributes.
Enter a name, description, and maximum number of attributes.
An attribute set name can be 32 characters with no spaces or special characters. Once you've specified a name, you can't rename it. For more information, see Limits and constraints.
:::image type="content" source="./media/custom-security-attributes-add/attribute-set-add.png" alt-text="Screenshot of New attribute set pane in Microsoft Entra admin center." lightbox="./media/custom-security-attributes-add/attribute-set-add.png":::
When finished, select Add.
The new attribute set appears in the list of attribute sets.
Sign in to the Microsoft Entra admin center as a Attribute Definition Administrator.
Browse to Entra ID > Custom security attributes.
On the Custom security attributes page, find an existing attribute set or select Add attribute set to add a new attribute set.
All custom security attribute definitions must be part of an attribute set.
Select to open the selected attribute set.
Select Add attribute to add a new custom security attribute to the attribute set.
:::image type="content" source="./media/custom-security-attributes-add/attribute-new.png" alt-text="Screenshot of New attribute pane in Microsoft Entra admin center." lightbox="./media/custom-security-attributes-add/attribute-new.png":::
In the Attribute name box, enter a custom security attribute name.
A custom security attribute name can be 32 characters with no spaces or special characters. Once you've specified a name, you can't rename it. For more information, see Limits and constraints.
In the Description box, enter an optional description.
A description can be 128 characters long. If necessary, you can later change the description.
From the Data type list, select the data type for the custom security attribute.
Data type Description Boolean A Boolean value that can be true, True, false, or False. Integer A 32-bit integer. String A string that can be X characters long. For Allow multiple values to be assigned, select Yes or No.
Select Yes to allow multiple values to be assigned to this custom security attribute. Select No to only allow a single value to be assigned to this custom security attribute.
For Only allow predefined values to be assigned, select Yes or No.
Select Yes to require that this custom security attribute be assigned values from a predefined values list. Select No to allow this custom security attribute to be assigned user-defined values or potentially predefined values.
If Only allow predefined values to be assigned is Yes, select Add value to add predefined values.
An active value is available for assignment to objects. A value that is not active is defined, but not yet available for assignment.
:::image type="content" source="./media/custom-security-attributes-add/attribute-new-value-add.png" alt-text="Screenshot of New attribute pane with Add predefined value pane in Microsoft Entra admin center." lightbox="./media/custom-security-attributes-add/attribute-new-value-add.png":::
When finished, select Save.
The new custom security attribute appears in the list of custom security attributes.
If you want to include predefined values, follow the steps in the next section.
Once you add a new custom security attribute definition, you can later edit some of the properties. Some properties are immutable and cannot be changed.
Sign in to the Microsoft Entra admin center as a Attribute Definition Administrator.
Browse to Entra ID > Custom security attributes.
Select the attribute set that includes the custom security attribute you want to edit.
In the list of custom security attributes, select the ellipsis for the custom security attribute you want to edit, and then select Edit attribute.
Edit the properties that are enabled.
If Only allow predefined values to be assigned is Yes, select Add value to add predefined values. Select an existing predefined value to change the Is active? setting.
:::image type="content" source="./media/custom-security-attributes-add/attribute-predefined-value-add.png" alt-text="Screenshot of Add predefined value pane in Microsoft Entra admin center." lightbox="./media/custom-security-attributes-add/attribute-predefined-value-add.png":::
Once you add a custom security attribute definition, you can't delete it. However, you can deactivate a custom security attribute definition.
Sign in to the Microsoft Entra admin center as a Attribute Definition Administrator.
Browse to Entra ID > Custom security attributes.
Select the attribute set that includes the custom security attribute you want to deactivate.
In the list of custom security attributes, add a check mark next to the custom security attribute you want to deactivate.
Select Deactivate attribute.
In the Deactivate attribute dialog that appears, select Yes.
The custom security attribute is deactivated and moved to the Deactivated attributes list.
To manage custom security attribute definitions in your Microsoft Entra organization, you can also use PowerShell or Microsoft Graph API. The following examples manage attribute sets and custom security attribute definitions.
The following example gets all attribute sets.
Get-MgDirectoryAttributeSet|Format-ListDescription : Attributes for engineering team Id : Engineering MaxAttributesPerSet : 25 AdditionalProperties : {} Description : Attributes for marketing team Id : Marketing MaxAttributesPerSet : 25 AdditionalProperties : {} GET https://graph.microsoft.com/v1.0/directory/attributeSetsGet-AzureADMSAttributeSetThe following example gets the top attribute sets.
Get-MgDirectoryAttributeSet-Top 10GET https://graph.microsoft.com/v1.0/directory/attributeSets?$top=10None
The following example gets attribute sets in order.
Get-MgDirectoryAttributeSet-Sort "Id"GET https://graph.microsoft.com/v1.0/directory/attributeSets?$orderBy=idNone
The following example gets an attribute set.
- Attribute set:
Engineering
Get-MgDirectoryAttributeSet-AttributeSetId "Engineering"|Format-ListDescription : Attributes for engineering team Id : Engineering MaxAttributesPerSet : 25 AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/attributeSets/$entity]} GET https://graph.microsoft.com/v1.0/directory/attributeSets/EngineeringGet-AzureADMSAttributeSet-Id "Engineering"The following example adds a new attribute set.
- Attribute set:
Engineering
$params=@{ Id="Engineering"Description="Attributes for engineering team"MaxAttributesPerSet=25 } New-MgDirectoryAttributeSet-BodyParameter $paramsId Description MaxAttributesPerSet -- ----------- ------------------- Engineering Attributes for engineering team 25 POST https://graph.microsoft.com/v1.0/directory/attributeSets { "id":"Engineering", "description":"Attributes for engineering team", "maxAttributesPerSet":25 }New-AzureADMSAttributeSet-Id "Engineering"-Description "Attributes for engineering team"-MaxAttributesPerSet 10The following example updates an attribute set.
- Attribute set:
Engineering
Update-MgDirectoryAttributeSet
$params=@{ description="Attributes for engineering team"maxAttributesPerSet=20 } Update-MgDirectoryAttributeSet-AttributeSetId "Engineering"-BodyParameter $paramsPATCH https://graph.microsoft.com/v1.0/directory/attributeSets/Engineering { "description":"Attributes for engineering team", "maxAttributesPerSet":20 }Set-AzureADMSAttributeSet-Id "Engineering"-Description "Attributes for cloud engineering team"Set-AzureADMSAttributeSet-Id "Engineering"-MaxAttributesPerSet 20The following example gets all custom security attribute definitions.
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition|Format-ListAllowedValues : AttributeSet : Engineering Description : Target completion date Id : Engineering_ProjectDate IsCollection : False IsSearchable : True Name : ProjectDate Status : Available Type : String UsePreDefinedValuesOnly : False AdditionalProperties : {} AllowedValues : AttributeSet : Engineering Description : Active projects for user Id : Engineering_Project IsCollection : True IsSearchable : True Name : Project Status : Available Type : String UsePreDefinedValuesOnly : True AdditionalProperties : {} AllowedValues : AttributeSet : Marketing Description : Country where is application is used Id : Marketing_AppCountry IsCollection : True IsSearchable : True Name : AppCountry Status : Available Type : String UsePreDefinedValuesOnly : True AdditionalProperties : {} List customSecurityAttributeDefinitions
GET https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitionsGet-AzureADMSCustomSecurityAttributeDefinition
Get-AzureADMSCustomSecurityAttributeDefinitionThe following examples filter custom security attribute definitions.
- Filter: Attribute name eq 'Project' and status eq 'Available'
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition-Filter "name eq 'Project' and status eq 'Available'"|Format-ListAllowedValues : AttributeSet : Engineering Description : Active projects for user Id : Engineering_Project IsCollection : True IsSearchable : True Name : Project Status : Available Type : String UsePreDefinedValuesOnly : True AdditionalProperties : {} List customSecurityAttributeDefinitions
GET https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions?$filter=name+eq+'Project'%20and%20status+eq+'Available'None
- Filter: Attribute set eq 'Engineering' and status eq 'Available' and data type eq 'String'
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition-Filter "attributeSet eq 'Engineering' and status eq 'Available' and type eq 'String'"|Format-ListAllowedValues : AttributeSet : Engineering Description : Target completion date Id : Engineering_ProjectDate IsCollection : False IsSearchable : True Name : ProjectDate Status : Available Type : String UsePreDefinedValuesOnly : False AdditionalProperties : {} AllowedValues : AttributeSet : Engineering Description : Active projects for user Id : Engineering_Project IsCollection : True IsSearchable : True Name : Project Status : Available Type : String UsePreDefinedValuesOnly : True AdditionalProperties : {} List customSecurityAttributeDefinitions
GET https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions?$filter=attributeSet+eq+'Engineering'%20and%20status+eq+'Available'%20and%20type+eq+'String'None
The following example gets a custom security attribute definition.
- Attribute set:
Engineering - Attribute:
ProjectDate
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition-CustomSecurityAttributeDefinitionId "Engineering_ProjectDate"|Format-ListAllowedValues : AttributeSet : Engineering Description : Target completion date Id : Engineering_ProjectDate IsCollection : False IsSearchable : True Name : ProjectDate Status : Available Type : String UsePreDefinedValuesOnly : False AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]} Get customSecurityAttributeDefinition
GET https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_ProjectDateGet-AzureADMSCustomSecurityAttributeDefinition
Get-AzureADMSCustomSecurityAttributeDefinition-Id "Engineering_ProjectDate"The following example adds a new custom security attribute definition.
- Attribute set:
Engineering - Attribute:
ProjectDate - Attribute data type: String
New-MgDirectoryCustomSecurityAttributeDefinition
$params=@{ attributeSet="Engineering"description="Target completion date"isCollection=$falseisSearchable=$truename="ProjectDate"status="Available"type="String"usePreDefinedValuesOnly=$false } New-MgDirectoryCustomSecurityAttributeDefinition-BodyParameter $params|Format-ListAllowedValues : AttributeSet : Engineering Description : Target completion date Id : Engineering_ProjectDate IsCollection : False IsSearchable : True Name : ProjectDate Status : Available Type : String UsePreDefinedValuesOnly : False AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]} Create customSecurityAttributeDefinition
POST https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions { "attributeSet":"Engineering", "description":"Target completion date", "isCollection":false, "isSearchable":true, "name":"ProjectDate", "status":"Available", "type":"String", "usePreDefinedValuesOnly": false }New-AzureADMSCustomSecurityAttributeDefinition
New-AzureADMSCustomSecurityAttributeDefinition-AttributeSet "Engineering"-Name "ProjectDate"-Description "Target completion date"-Type "String"-Status "Available"-IsCollection $false-IsSearchable $true-UsePreDefinedValuesOnly $falseThe following example adds a new custom security attribute definition that supports multiple predefined values.
- Attribute set:
Engineering - Attribute:
Project - Attribute data type: Collection of Strings
New-MgDirectoryCustomSecurityAttributeDefinition
$params=@{ attributeSet="Engineering"description="Active projects for user"isCollection=$trueisSearchable=$truename="Project"status="Available"type="String"usePreDefinedValuesOnly=$true } New-MgDirectoryCustomSecurityAttributeDefinition-BodyParameter $params|Format-ListAllowedValues : AttributeSet : Engineering Description : Active projects for user Id : Engineering_Project IsCollection : True IsSearchable : True Name : Project Status : Available Type : String UsePreDefinedValuesOnly : True AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]} Create customSecurityAttributeDefinition
POST https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions { "attributeSet":"Engineering", "description":"Active projects for user", "isCollection":true, "isSearchable":true, "name":"Project", "status":"Available", "type":"String", "usePreDefinedValuesOnly": true }None
The following example adds a new custom security attribute definition with a list of predefined values.
- Attribute set:
Engineering - Attribute:
Project - Attribute data type: Collection of Strings
- Predefined values:
Alpine,Baker,Cascade
New-MgDirectoryCustomSecurityAttributeDefinition
$params=@{ attributeSet="Engineering"description="Active projects for user"isCollection=$trueisSearchable=$truename="Project"status="Available"type="String"usePreDefinedValuesOnly=$trueallowedValues=@( @{ id="Alpine"isActive=$true } @{ id="Baker"isActive=$true } @{ id="Cascade"isActive=$true } ) } New-MgDirectoryCustomSecurityAttributeDefinition-BodyParameter $params|Format-ListAllowedValues : AttributeSet : Engineering Description : Active projects for user Id : Engineering_Project IsCollection : True IsSearchable : True Name : Project Status : Available Type : String UsePreDefinedValuesOnly : True AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]} Create customSecurityAttributeDefinition
POST https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions { "attributeSet": "Engineering", "description": "Active projects for user", "isCollection": true, "isSearchable": true, "name": "Project", "status": "Available", "type": "String", "usePreDefinedValuesOnly": true, "allowedValues": [ { "id": "Alpine", "isActive": true }, { "id": "Baker", "isActive": true }, { "id": "Cascade", "isActive": true } ] }None
The following example updates a custom security attribute definition.
- Attribute set:
Engineering - Attribute:
ProjectDate
Update-MgDirectoryCustomSecurityAttributeDefinition
$params=@{ description="Target completion date (YYYY/MM/DD)" } Update-MgDirectoryCustomSecurityAttributeDefinition-CustomSecurityAttributeDefinitionId "Engineering_ProjectDate"-BodyParameter $paramsUpdate customSecurityAttributeDefinition
PATCH https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_ProjectDate { "description": "Target completion date (YYYY/MM/DD)", }Set-AzureADMSCustomSecurityAttributeDefinition
Set-AzureADMSCustomSecurityAttributeDefinition-Id "Engineering_ProjectDate"-Description "Target completion date (YYYY/MM/DD)"The following example updates the predefined values for a custom security attribute definition.
- Attribute set:
Engineering - Attribute:
Project - Attribute data type: Collection of Strings
- Update predefined value:
Baker - New predefined value:
Skagit
Note
For this request, you must add the OData-Version header and assign it the value 4.01.
$params=@{ "allowedValues@delta"=@( @{ id="Baker"isActive=$false } @{ id="Skagit"isActive=$true } ) } $header=@{ "OData-Version"=4.01 } Invoke-MgGraphRequest-Method PATCH -Uri "https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project5"-Headers $header-Body $paramsUpdate customSecurityAttributeDefinition
Note
For this request, you must add the OData-Version header and assign it the value 4.01.
PATCH https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project { "allowedValues@delta": [ { "id": "Baker", "isActive": false }, { "id": "Skagit", "isActive": true } ] }None
The following example deactivates a custom security attribute definition.
- Attribute set:
Engineering - Attribute:
Project
Update-MgDirectoryCustomSecurityAttributeDefinition
$params=@{ status="Deprecated" } Update-MgDirectoryCustomSecurityAttributeDefinition-CustomSecurityAttributeDefinitionId "Engineering_ProjectDate"-BodyParameter $paramsUpdate customSecurityAttributeDefinition
PATCH https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project { "status": "Deprecated" }Set-AzureADMSCustomSecurityAttributeDefinition
Set-AzureADMSCustomSecurityAttributeDefinition-Id "Engineering_Project"-Status "Deprecated"The following example gets all predefined values for a custom security attribute definition.
- Attribute set:
Engineering - Attribute:
Project
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue-CustomSecurityAttributeDefinitionId "Engineering_Project"|Format-ListId : Skagit IsActive : True AdditionalProperties : {} Id : Baker IsActive : False AdditionalProperties : {} Id : Cascade IsActive : True AdditionalProperties : {} Id : Alpine IsActive : True AdditionalProperties : {} GET https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project/allowedValuesGet-AzureADMSCustomSecurityAttributeDefinitionAllowedValue
Get-AzureADMSCustomSecurityAttributeDefinitionAllowedValue-CustomSecurityAttributeDefinitionId "Engineering_Project"The following example gets a predefined value for a custom security attribute definition.
- Attribute set:
Engineering - Attribute:
Project - Predefined value:
Alpine
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue-CustomSecurityAttributeDefinitionId "Engineering_Project"-AllowedValueId "Alpine"|Format-ListId : Alpine IsActive : True AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions('Engineering_Project')/al lowedValues/$entity]} GET https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project/allowedValues/AlpineGet-AzureADMSCustomSecurityAttributeDefinitionAllowedValue
Get-AzureADMSCustomSecurityAttributeDefinitionAllowedValue-CustomSecurityAttributeDefinitionId "Engineering_Project"-Id "Alpine"The following example adds a predefined value for a custom security attribute definition.
You can add predefined values for custom security attributes that have usePreDefinedValuesOnly set to true.
- Attribute set:
Engineering - Attribute:
Project - Predefined value:
Alpine
New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
$params=@{ id="Alpine"isActive=$true } New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue-CustomSecurityAttributeDefinitionId "Engineering_Project"-BodyParameter $params|Format-ListId : Alpine IsActive : True AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions('Engineering_Project')/al lowedValues/$entity]} POST https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project/allowedValues { "id":"Alpine", "isActive":"true" }Add-AzureADMScustomSecurityAttributeDefinitionAllowedValues
Add-AzureADMScustomSecurityAttributeDefinitionAllowedValues-CustomSecurityAttributeDefinitionId "Engineering_Project"-Id "Alpine"-IsActive $trueThe following example deactivates a predefined value for a custom security attribute definition.
- Attribute set:
Engineering - Attribute:
Project - Predefined value:
Alpine
Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
$params=@{ isActive=$false } Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue-CustomSecurityAttributeDefinitionId "Engineering_Project"-AllowedValueId "Alpine"-BodyParameter $paramsPATCH https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project/allowedValues/Alpine { "isActive":"false" }Set-AzureADMSCustomSecurityAttributeDefinitionAllowedValue
Set-AzureADMSCustomSecurityAttributeDefinitionAllowedValue-CustomSecurityAttributeDefinitionId "Engineering_Project"-Id "Alpine"-IsActive $falseCan you delete custom security attribute definitions?
No, you can't delete custom security attribute definitions. You can only deactivate custom security attribute definitions. Once you deactivate a custom security attribute, it can no longer be applied to the Microsoft Entra objects. Custom security attribute assignments for the deactivated custom security attribute definition are not automatically removed. There is no limit to the number of deactivated custom security attributes. You can have 500 active custom security attribute definitions per tenant with 100 allowed predefined values per custom security attribute definition.
