Microsoft Entra Custom Security Attributes - Overview
Introduction
Microsoft Entra Custom Security Attributes enable organizations to define and assign custom metadata to directory objects in Microsoft Entra ID. This feature extends the standard directory schema, allowing you to store business-specific information that supports access control, resource management, and compliance requirements.
EmpowerID provides native integration with Microsoft Entra Custom Security Attributes, enabling you to manage these attributes through familiar identity governance workflows. This integration brings attribute management under the same governance framework used for other identity and access resources, including approval workflows, audit trails, and policy-based controls.
What Are Custom Security Attributes?
Custom Security Attributes are business-defined metadata fields that you create and assign to users, service principals, and applications in your Microsoft Entra tenant. Unlike extension attributes or directory schema extensions, they are stored separately from the core directory schema and carry their own access model: only principals holding the Attribute Definition or Attribute Assignment roles (or the matching Microsoft Graph permissions) can read, define, or assign them, and no other directory role, Global Administrator included, grants that access by default. They support several data types and value configurations, and because they sit outside the core schema they cannot conflict with standard directory attributes or interfere with normal directory operations, while still being governed and restricted to specific administrators and use cases.
Attribute Structure
Custom Security Attributes are organized in a two-level hierarchy. At the top level, attribute sets serve as logical containers that group related attributes; each set has a name that is unique within the tenant. Within these sets, individual attributes define the actual metadata fields, each with a specific data type. These attributes can be configured to accept single or multiple values and may allow free text entry or restrict input to predefined values. Each attribute must have a unique name within its containing set. Microsoft Entra limits a tenant to 500 attribute sets and 500 attribute definitions in total, and limits set and attribute names to 32 characters with no spaces or special characters. Names cannot be changed after creation, attribute sets cannot be deleted, and attributes can only be deactivated, never deleted.
Supported Object Types
Microsoft Entra Custom Security Attributes can be assigned to users (standard user accounts in Microsoft Entra ID), service principals (enterprise applications and managed identities), and applications (registered applications in Microsoft Entra ID). They cannot be assigned to groups of any kind, security or Microsoft 365, so any authorization rule that depends on an attribute must target the individual user or service principal rather than a group membership. Only objects that exist in Microsoft Entra ID can receive assignments: on-premises Active Directory objects that are not synchronized to Entra cannot, and assignments made to synchronized users live only in Entra and are not written back to the on-premises directory.
Integration Capabilities
EmpowerID's integration with Microsoft Entra Custom Security Attributes keeps the two systems synchronized. EmpowerID maintains an inventory of attribute sets, attributes, and assignments. Changes made through EmpowerID are written to Microsoft Entra ID immediately through the Microsoft Graph API; changes made directly in Microsoft Entra ID are picked up on the next run of the inventory job, so Entra-side edits appear in EmpowerID on the job's schedule rather than in real time. Assignment tracking is maintained for all users and service principals.
The governance layer adds approval workflows for attribute assignment requests, along with policy-based access control that determines who can assign attributes. Eligibility rules define which users can request or receive attributes, and time-bound assignments can be configured with automatic expiration when needed.
From a management perspective, the integration enables IAM Shop functionality for self-service attribute requests, while also supporting direct assignment through the Resource Admin interface. Bulk operations facilitate managing multiple attributes or assignments simultaneously, and complete assignment lifecycle management covers everything from initial assignment through modification and eventual removal.
Compliance and audit capabilities ensure complete audit trails for all attribute changes, with assignment history tracked from initial request through final fulfillment. Compliance reporting provides visibility into attribute usage and assignments, and risk assessment occurs during the assignment request process to evaluate potential security implications.
Attribute Data Types
Custom Security Attributes support three data types, each designed for specific use cases. String attributes store text values up to 64 characters in length (a Microsoft Entra limit), making them suitable for department names, job titles, project codes, location identifiers, and short comments. Integer attributes use 32-bit signed integer values and are commonly used for employee IDs, cost center numbers, building or floor numbers, priority levels, and numeric classifications. Integer attributes are meant for storage and identification rather than arithmetic; codes that are never calculated with, and especially codes with leading zeros such as a cost center "00123", should be stored as strings, because an integer cannot preserve leading zeros or the code's original width. Boolean attributes store true or false values and are ideal for approval flags, status indicators, compliance flags, and feature toggles. The data type is fixed when the attribute is created and cannot be changed afterwards.
Attribute Value Configurations
Attributes can be configured to accept values in four different ways, determined by two settings: whether the attribute allows multiple values, and whether it restricts input to predefined values only.
When an attribute is configured to disallow multiple values and not restrict to predefined values, it operates as a single value, free text field. Users can enter one text value without restrictions, making this configuration suitable for employee comments or notes, unique identifiers not in a predefined list, and free-form descriptions.
Setting an attribute to disallow multiple values but restrict to predefined values only creates a single value, predefined configuration. In this mode, users must select one value from a predefined list. This configuration works well for employment type classifications (Full-time, Part-time, Contractor), primary department assignments, security clearance levels, and risk classifications.
When an attribute allows multiple values but doesn't restrict to predefined values, it becomes a multiple values, free text configuration. Users can enter multiple text values without restrictions, which is useful for skills or certifications, languages spoken, project tags, and custom identifiers.
Finally, when an attribute allows multiple values and restricts to predefined values only, it operates as a multiple values, predefined configuration. Users can select multiple values from a predefined list, making this ideal for project memberships, access groups or teams, multiple department assignments, and role categories.
The data type, the "Allow multiple values" setting, and the "Only allow predefined values" setting cannot be changed after an attribute is created, and neither the attribute nor its attribute set can be deleted: an attribute can only be deactivated, and an attribute set cannot be renamed. The list of predefined values, by contrast, can be extended later, and individual predefined values can be deactivated. Plan your attribute configuration carefully based on expected usage patterns.
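The following is an added example, not EmpowerID code, showing what the four value configurations and the three data types look like at the Microsoft Graph layer that EmpowerID ultimately talks to. It models an attribute definition, emits the body for POST /directory/customSecurityAttributeDefinitions (the real Graph property names: attributeSet, name, type, status, isCollection, isSearchable, usePreDefinedValuesOnly, allowedValues), checks a proposed value against the definition's rules (single versus multiple values, predefined-only, the 64-character string limit, the Int32 range), and reports which properties a proposed redefinition would touch that Entra refuses to change. The attribute set "Engineering" and the attribute names are constructed for illustration; treating "no special characters" in names as alphanumeric is this example's assumption.

```python
# Added example (not EmpowerID code): models a Microsoft Entra custom security
# attribute definition, emits its Microsoft Graph POST body, and checks a
# proposed value against the rules the definition imposes.
from dataclasses import dataclass

MAX_STRING_LEN = 64                        # Entra limit for String values
MAX_NAME_LEN = 32                          # Entra limit for set/attribute names
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1   # Integer attributes are 32-bit signed

# Properties Entra will not let you change once the definition exists.
IMMUTABLE = ("attribute_set", "name", "type", "is_collection", "use_predefined_values_only")


@dataclass(frozen=True)
class AttributeDefinition:
    attribute_set: str
    name: str
    type: str                                 # "String", "Integer" or "Boolean"
    is_collection: bool = False               # portal: "Allow multiple values"
    use_predefined_values_only: bool = False  # portal: "Only allow predefined values"
    allowed_values: tuple = ()                # predefined list; may be extended later

    def __post_init__(self):
        for label in (self.attribute_set, self.name):
            # Entra rejects names over 32 chars or containing spaces/special
            # characters; "alphanumeric only" is this example's assumption.
            if not (0 < len(label) <= MAX_NAME_LEN and label.isalnum()):
                raise ValueError(f"invalid name {label!r}")
        if self.type not in ("String", "Integer", "Boolean"):
            raise ValueError(f"{self.name}: unsupported type {self.type}")
        if self.type == "Boolean" and (self.is_collection or self.use_predefined_values_only):
            raise ValueError(f"{self.name}: Boolean attributes are single-valued and free-form")
        if self.use_predefined_values_only and not self.allowed_values:
            raise ValueError(f"{self.name}: predefined-only attribute needs allowed values")

    def to_graph_body(self) -> dict:
        """Body for POST /directory/customSecurityAttributeDefinitions."""
        body = {
            "attributeSet": self.attribute_set,
            "name": self.name,
            "type": self.type,
            "status": "Available",   # can later be set to "Deprecated", never deleted
            "isCollection": self.is_collection,
            "isSearchable": True,
            "usePreDefinedValuesOnly": self.use_predefined_values_only,
        }
        if self.allowed_values:
            body["allowedValues"] = [{"id": v, "isActive": True} for v in self.allowed_values]
        return body

    def validate(self, value):
        """Return the value in assignable form (scalar or list), or raise ValueError."""
        values = value if isinstance(value, list) else [value]
        if len(values) != 1 and not self.is_collection:
            raise ValueError(f"{self.name}: single-value attribute given {len(values)} values")
        for v in values:
            if self.type == "String":
                if not isinstance(v, str) or len(v) > MAX_STRING_LEN:
                    raise ValueError(f"{self.name}: expected a string of at most {MAX_STRING_LEN} chars")
            elif self.type == "Integer":
                # bool is a subclass of int in Python, so reject it explicitly
                if isinstance(v, bool) or not isinstance(v, int) or not INT32_MIN <= v <= INT32_MAX:
                    raise ValueError(f"{self.name}: expected a 32-bit signed integer")
            elif not isinstance(v, bool):
                raise ValueError(f"{self.name}: expected true or false")
            if self.use_predefined_values_only and v not in self.allowed_values:
                raise ValueError(f"{self.name}: {v!r} is not a predefined value")
        return values if self.is_collection else values[0]


def is_allowed(definition: AttributeDefinition, value) -> bool:
    try:
        definition.validate(value)
        return True
    except ValueError:
        return False


def changed_immutable_fields(old: AttributeDefinition, new: AttributeDefinition) -> list:
    """Fields a proposed redefinition would change that Entra refuses to update."""
    return [f for f in IMMUTABLE if getattr(old, f) != getattr(new, f)]


# The four value configurations described above, plus an Integer attribute.
NOTES = AttributeDefinition("Engineering", "Notes", "String")
EMPLOYMENT_TYPE = AttributeDefinition("Engineering", "EmploymentType", "String",
                                      use_predefined_values_only=True,
                                      allowed_values=("FullTime", "PartTime", "Contractor"))
SKILLS = AttributeDefinition("Engineering", "Skills", "String", is_collection=True)
PROJECTS = AttributeDefinition("Engineering", "Projects", "String", is_collection=True,
                               use_predefined_values_only=True,
                               allowed_values=("Baker", "Cascade"))
COST_CENTER = AttributeDefinition("Engineering", "CostCenter", "Integer")

if __name__ == "__main__":
    import json
    print(json.dumps(PROJECTS.to_graph_body(), indent=2))
    print(changed_immutable_fields(NOTES, AttributeDefinition("Engineering", "Notes", "String", is_collection=True)))
```

The validation mirrors what Entra enforces server-side, so running it before submitting a request gives the requester an immediate, specific error instead of a Graph 400 after an approval workflow has already completed. The changed_immutable_fields check is the practical form of the warning above: if it returns anything, the only path is to deactivate the attribute and create a new one under a different name.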
Assignment Methods
EmpowerID supports multiple methods for assigning Custom Security Attributes to users and service principals. Direct assignment allows administrators with appropriate permissions to assign attributes directly through the Resource Admin interface. These assignments bypass approval workflows and are fulfilled immediately, making them suitable for emergency access requirements, administrative corrections, bulk assignment operations, and initial attribute population.
The IAM Shop provides a self-service approach where users can request attributes for themselves or others through the IAM Shop portal. These requests create Business Requests that are routed through approval workflows based on configured policies. This method is appropriate for standard access requests, user-initiated attribute requests, scenarios requiring justification and approval, and situations where an approval audit trail is required.
Assignment Types by User Category
The way users interact with attributes in IAM Shop depends on how attribute eligibility is configured. Users designated as eligible assignees can request the attribute through IAM Shop, which creates a Business Request that is routed through the approval workflow. These requests may be auto-approved if the requestor is also an approver and no other approvals are needed.
Pre-approved assignees see an "Activate" button in IAM Shop that provides immediate assignment without approval. No Business Request is created in these scenarios, making this approach useful for low-risk, pre-authorized situations where the user population has been pre-validated.
Users identified as suggested assignees see the attribute as a suggested item in IAM Shop, helping them discover relevant attributes they might need. When these users request the attribute, the request follows standard approval routing just like eligible assignees.
Approval Workflows
When attributes are requested through IAM Shop, Business Requests are created and routed according to the configured Access Request Policy. These policies define who must approve the request (managers, role owners, risk owners), whether approval stages are sequential or parallel, and how many approvals are needed at each stage. The policies also specify auto-approval conditions for scenarios where approval should be automatic, along with timeout and escalation actions taken if approvals are delayed. Approval policies are configured during the attribute eligibility setup process and can vary by attribute sensitivity and organizational requirements.
Integration Architecture
The integration between EmpowerID and Microsoft Entra Custom Security Attributes relies on several key components working together. The Custom Security Attributes Inventory Job is a system job that synchronizes attribute sets and attributes from Microsoft Entra ID to EmpowerID. This job runs on a configurable schedule (recommended every 6-12 hours) and discovers new attribute sets and attributes, updates attribute definitions and predefined values, and must remain enabled for proper synchronization.
Assignment inventory is enabled through the EnableCustomSecurityAttributesAssignmentInventory configuration parameter. When it is set to true, the inventory also reads attribute assignments from Microsoft Entra ID into EmpowerID and tracks subsequent changes to them; without it, assignments are not visible in EmpowerID.
Data Flow
The data flow for Custom Security Attributes follows a specific sequence through the integrated systems.
When an attribute set or attribute is created in EmpowerID, it is written to Microsoft Entra ID through the API; when one is created directly in Microsoft Entra ID, the inventory job discovers it on its next run and adds it to EmpowerID, so both systems converge on the same definitions. When a user requests an attribute through IAM Shop, the request is routed to approvers based on the configured policy. Once approved, the assignment is created in Microsoft Entra ID via API and then synchronized back to EmpowerID for inventory and reporting purposes.
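As an added example (not EmpowerID's integration code), here is what the final step of that flow, the assignment created in Microsoft Entra ID via API, looks like at the Microsoft Graph layer: the PATCH body for /users/{id} or /servicePrincipals/{id}, including the @odata.type hints Graph requires for Int32 and multi-valued attributes and the null / [] conventions for clearing a value; a parser that flattens the customSecurityAttributes property of a GET response for inventory; and the request needed to list every user holding a given value for reporting, which Graph only evaluates with $count=true and the ConsistencyLevel: eventual header. The attribute set "Engineering", its attributes, and SAMPLE_USER are constructed for illustration.

```python
# Added example (not EmpowerID code): Microsoft Graph assignment body, response
# parser and reporting filter for custom security attributes.
import json

VALUE_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"


def odata_annotation(value):
    """Graph infers String and Boolean; Int32 and collections need a type hint."""
    if value is None:
        return None                      # null clears a single-valued attribute
    if isinstance(value, list):
        first = value[0] if value else ""
        inner = "Int32" if isinstance(first, int) and not isinstance(first, bool) else "String"
        return f"#Collection({inner})"   # [] clears a multi-valued attribute
    if isinstance(value, int) and not isinstance(value, bool):
        return "#Int32"
    return None


def build_assignment_body(assignments: dict) -> dict:
    """assignments = {"<attribute set>": {"<attribute>": value, ...}, ...}
    Returns the body for PATCH /users/{id} or PATCH /servicePrincipals/{id}."""
    sets = {}
    for attr_set, attrs in assignments.items():
        entry = {"@odata.type": VALUE_TYPE}
        for name, value in attrs.items():
            hint = odata_annotation(value)
            if hint:
                entry[f"{name}@odata.type"] = hint
            entry[name] = value
        sets[attr_set] = entry
    return {"customSecurityAttributes": sets}


def parse_assignments(obj: dict) -> dict:
    """Flatten the customSecurityAttributes property of a GET response
    (requested with $select=customSecurityAttributes), dropping the hints."""
    flat = {}
    for attr_set, entry in (obj.get("customSecurityAttributes") or {}).items():
        flat[attr_set] = {k: v for k, v in entry.items() if "@odata" not in k}
    return flat


def filter_request(attr_set: str, name: str, value) -> dict:
    """Parts of the GET /users call that lists holders of one value. Graph only
    evaluates this filter with $count=true and ConsistencyLevel: eventual."""
    if isinstance(value, str):
        literal = "'" + value.replace("'", "''") + "'"   # OData string literal
    else:
        literal = json.dumps(value)                      # 1001, true, false
    return {
        "path": "/users",
        "params": {
            "$count": "true",
            "$select": "id,displayName,customSecurityAttributes",
            "$filter": f"customSecurityAttributes/{attr_set}/{name} eq {literal}",
        },
        "headers": {"ConsistencyLevel": "eventual"},
    }


# Constructed sample of what GET /users/{id}?$select=customSecurityAttributes returns.
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000000",
    "customSecurityAttributes": {
        "Engineering": {
            "@odata.type": VALUE_TYPE,
            "Projects@odata.type": "#Collection(String)",
            "Projects": ["Baker", "Cascade"],
            "CostCenter@odata.type": "#Int32",
            "CostCenter": 1001,
            "Certified": True,
        }
    },
}

if __name__ == "__main__":
    body = build_assignment_body({"Engineering": {"Projects": ["Baker"], "CostCenter": 1001, "Notes": None}})
    print(json.dumps(body, indent=2))
    print(parse_assignments(SAMPLE_USER))
    print(filter_request("Engineering", "Projects", "Baker")["params"]["$filter"])
```

Two points worth noticing for anyone reconciling EmpowerID's inventory against Entra directly: a GET without $select=customSecurityAttributes returns no attribute values at all, and a caller whose token lacks CustomSecAttributeAssignment.Read.All (or the Attribute Assignment Reader role, for a delegated call) gets an empty property rather than an error, which is easy to mistake for "no assignments".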
Accessing Custom Security Attributes
Custom Security Attributes are managed through the EmpowerID Resource Admin microservice. To access this functionality, navigate to your organization's portal for Resource Admin, select Applications from the navigation dropdown, and click Custom Security Attributes.
Custom Security Attributes in Resource Admin
The main interface displays all attribute sets configured in your Microsoft Entra tenant and provides access to attribute set details and configuration, active and deactivated attributes within each set, current assignments for users and service principals, and management functions for attributes and assignments.
Configuration Prerequisites
Before implementing Custom Security Attributes in EmpowerID, several requirements must be met in both Microsoft Entra and EmpowerID systems.
Microsoft Entra Requirements
Your Microsoft Entra environment must have a Microsoft Entra ID P1 or P2 license, with P2 recommended for advanced features. Custom security attributes have their own permission model: administrators who create attribute sets and attributes need the Attribute Definition Administrator role, and those who assign attributes need the Attribute Assignment Administrator role (the matching Attribute Definition Reader and Attribute Assignment Reader roles grant read-only access). These roles are not implied by other directory roles; by default even a Global Administrator cannot read, define, or assign custom security attributes and must be granted one of them explicitly.
The EmpowerID service principal needs specific API permissions granted and admin-consented: CustomSecAttributeAssignment.ReadWrite.All, CustomSecAttributeDefinition.ReadWrite.All, User.Read.All, and Application.Read.All. The definition permission is needed because EmpowerID can create attribute sets and attributes; if definitions will only ever be created in the Entra portal, the read-only CustomSecAttributeDefinition.Read.All permission is the least-privilege alternative.
EmpowerID Configuration
The EmpowerID environment requires a configured and active Microsoft Entra account store with a successful connection test to Microsoft Entra ID and appropriate API permissions granted and admin-consented. The Custom Security Attributes Inventory job must be enabled in Resource System settings, scheduled to run at appropriate intervals, with at least one successful job execution completed. Additionally, the EnableCustomSecurityAttributesAssignmentInventory parameter must be set to true and configured in the Microsoft Entra Resource System.
Both the Custom Security Attributes Inventory job and the EnableCustomSecurityAttributesAssignmentInventory parameter must be enabled for proper functionality. Disabling either will prevent synchronization and assignment management.
Attribute Management Workflow
The typical workflow for implementing Custom Security Attributes in EmpowerID follows a logical sequence. First, configure the prerequisites by ensuring the account store, jobs, and parameters are properly configured. Next, create attribute sets to define logical groupings for related attributes. Then create individual attributes within those sets, specifying data types and value configurations. After the attributes exist, configure eligibility to set up IAM Shop visibility and approval policies for each attribute. Once eligibility is configured, users can request or administrators can assign attributes to users and service principals. Finally, monitor and manage the environment by tracking assignments, processing approvals, and managing the attribute lifecycle.
Use Cases
Custom Security Attributes support a variety of organizational needs. For access control, attributes can define access levels, clearances, or authorization categories that are then consumed by Conditional Access policies (as a filter for applications), by Azure role assignment conditions (attribute-based access control), or by application authorization rules. Organizations can store organizational metadata such as department, cost center, project membership, or other information that supports reporting and resource allocation.
Compliance tracking becomes easier when attributes track compliance status, training completion, certification dates, or other compliance-related metadata required for audit and regulatory purposes. Applications that consume Custom Security Attributes can use them for application-specific authorization or personalization through application integration. Finally, workforce classification allows organizations to classify employees by type (full-time, contractor, intern), location, status, or other HR-related categories that inform access decisions.
Relationship to Other EmpowerID Features
Custom Security Attributes integrate seamlessly with other EmpowerID capabilities. Attributes can be requested through the IAM Shop using the same self-service interface used for roles, groups, and other resources. Attribute requests follow the same Business Request approval workflow pattern as other access requests, creating consistency in the user experience. In Resource Admin, attributes are managed alongside other directory resources in a unified interface, reducing the learning curve for administrators.
From a reporting perspective, attribute assignments appear in standard access reports and can be included in custom reports, providing comprehensive visibility into attribute usage. All attribute changes are captured in EmpowerID's audit logs with the same level of detail as other identity changes, ensuring complete audit trails for compliance purposes.
Next Steps
After understanding the conceptual foundation of Custom Security Attributes, review the Configuration Guide to set up attribute sets, create attributes, and configure eligibility. Consult the Assignment Procedures documentation for step-by-step instructions on assigning attributes, and see the Approval Workflow Guide for detailed information on processing attribute requests as an approver.