Add or deactivate custom security attribute definitions in Microsoft Entra ID
Custom security attributes in Microsoft Entra ID are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects. This article describes how to add, edit, or deactivate custom security attribute definitions.
Prerequisites
To add or deactivate custom security attribute definitions, you must have:
- Attribute Definition Administrator
- Microsoft.Graph module when using Microsoft Graph PowerShell
- AzureADPreview version 2.0.2.138 or later when using Azure AD PowerShell
Important
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
Add an attribute set
Tip
Steps in this article might vary slightly based on the portal you start from.
An attribute set is a collection of related attributes. All custom security attributes must be part of an attribute set. Attribute sets cannot be renamed or deleted.
Sign in to the Microsoft Entra admin center as an Attribute Definition Administrator.
Browse to Protection > Custom security attributes.
Select Add attribute set to add a new attribute set.
If Add attribute set is disabled, make sure you are assigned the Attribute Definition Administrator role. For more information, see Troubleshoot custom security attributes.
Enter a name, description, and maximum number of attributes.
An attribute set name can be 32 characters with no spaces or special characters. Once you've specified a name, you can't rename it. For more information, see Limits and constraints.
When finished, select Add.
The new attribute set appears in the list of attribute sets.
Add a custom security attribute definition
Sign in to the Microsoft Entra admin center as an Attribute Definition Administrator.
Browse to Protection > Custom security attributes.
On the Custom security attributes page, find an existing attribute set or select Add attribute set to add a new attribute set.
All custom security attribute definitions must be part of an attribute set.
Select the attribute set to open it.
Select Add attribute to add a new custom security attribute to the attribute set.
In the Attribute name box, enter a custom security attribute name.
A custom security attribute name can be 32 characters with no spaces or special characters. Once you've specified a name, you can't rename it. For more information, see Limits and constraints.
In the Description box, enter an optional description.
A description can be 128 characters long. If necessary, you can later change the description.
From the Data type list, select the data type for the custom security attribute.
Data type   Description
Boolean     A Boolean value that can be true, True, false, or False.
Integer     A 32-bit integer.
String      A string that can be X characters long.
For Allow multiple values to be assigned, select Yes or No.
Select Yes to allow multiple values to be assigned to this custom security attribute. Select No to only allow a single value to be assigned to this custom security attribute.
For Only allow predefined values to be assigned, select Yes or No.
Select Yes to require that values assigned to this custom security attribute come from a predefined values list. Select No to allow user-defined values to be assigned (predefined values, if any are defined, can still be used).
If Only allow predefined values to be assigned is Yes, select Add value to add predefined values.
An active value is available for assignment to objects. A value that is not active is defined, but not yet available for assignment.
When finished, select Save.
The new custom security attribute appears in the list of custom security attributes.
If you want to include predefined values, follow the steps in the next section.
Edit a custom security attribute definition
Once you add a new custom security attribute definition, you can later edit some of the properties. Some properties are immutable and cannot be changed.
Sign in to the Microsoft Entra admin center as an Attribute Definition Administrator.
Browse to Protection > Custom security attributes.
Select the attribute set that includes the custom security attribute you want to edit.
In the list of custom security attributes, select the ellipsis for the custom security attribute you want to edit, and then select Edit attribute.
Edit the properties that are enabled.
If Only allow predefined values to be assigned is Yes, select Add value to add predefined values. Select an existing predefined value to change the Is active? setting.
Deactivate a custom security attribute definition
Once you add a custom security attribute definition, you can't delete it. However, you can deactivate a custom security attribute definition.
Sign in to the Microsoft Entra admin center as an Attribute Definition Administrator.
Browse to Protection > Custom security attributes.
Select the attribute set that includes the custom security attribute you want to deactivate.
In the list of custom security attributes, add a check mark next to the custom security attribute you want to deactivate.
Select Deactivate attribute.
In the Deactivate attribute dialog that appears, select Yes.
The custom security attribute is deactivated and moved to the Deactivated attributes list.
PowerShell or Microsoft Graph API
To manage custom security attribute definitions in your Microsoft Entra organization, you can also use PowerShell or Microsoft Graph API. The following examples manage attribute sets and custom security attribute definitions.
Get all attribute sets
The following example gets all attribute sets.
Get-MgDirectoryAttributeSet | Format-List
Description : Attributes for engineering team
Id : Engineering
MaxAttributesPerSet : 25
AdditionalProperties : {}
Description : Attributes for marketing team
Id : Marketing
MaxAttributesPerSet : 25
AdditionalProperties : {}
Get top attribute sets
The following example gets the top attribute sets.
Get-MgDirectoryAttributeSet -Top 10
Get attribute sets in order
The following example gets attribute sets in order.
Get-MgDirectoryAttributeSet -Sort "Id"
Get an attribute set
The following example gets an attribute set.
- Attribute set: Engineering
Get-MgDirectoryAttributeSet -AttributeSetId "Engineering" | Format-List
Description : Attributes for engineering team
Id : Engineering
MaxAttributesPerSet : 25
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/attributeSets/$entity]}
Add an attribute set
The following example adds a new attribute set.
- Attribute set: Engineering
$params = @{
Id = "Engineering"
Description = "Attributes for engineering team"
MaxAttributesPerSet = 25
}
New-MgDirectoryAttributeSet -BodyParameter $params
Id          Description                     MaxAttributesPerSet
--          -----------                     -------------------
Engineering Attributes for engineering team 25
Update an attribute set
The following example updates an attribute set.
- Attribute set: Engineering
Update-MgDirectoryAttributeSet
$params = @{
description = "Attributes for engineering team"
maxAttributesPerSet = 20
}
Update-MgDirectoryAttributeSet -AttributeSetId "Engineering" -BodyParameter $params
Get all custom security attribute definitions
The following example gets all custom security attribute definitions.
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition | Format-List
AllowedValues :
AttributeSet : Engineering
Description : Target completion date
Id : Engineering_ProjectDate
IsCollection : False
IsSearchable : True
Name : ProjectDate
Status : Available
Type : String
UsePreDefinedValuesOnly : False
AdditionalProperties : {}
AllowedValues :
AttributeSet : Engineering
Description : Active projects for user
Id : Engineering_Project
IsCollection : True
IsSearchable : True
Name : Project
Status : Available
Type : String
UsePreDefinedValuesOnly : True
AdditionalProperties : {}
AllowedValues :
AttributeSet : Marketing
Description : Country where is application is used
Id : Marketing_AppCountry
IsCollection : True
IsSearchable : True
Name : AppCountry
Status : Available
Type : String
UsePreDefinedValuesOnly : True
AdditionalProperties : {}
Filter custom security attribute definitions
The following examples filter custom security attribute definitions.
- Filter: Attribute name eq 'Project' and status eq 'Available'
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition -Filter "name eq 'Project' and status eq 'Available'" | Format-List
AllowedValues :
AttributeSet : Engineering
Description : Active projects for user
Id : Engineering_Project
IsCollection : True
IsSearchable : True
Name : Project
Status : Available
Type : String
UsePreDefinedValuesOnly : True
AdditionalProperties : {}
- Filter: Attribute set eq 'Engineering' and status eq 'Available' and data type eq 'String'
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition -Filter "attributeSet eq 'Engineering' and status eq 'Available' and type eq 'String'" | Format-List
AllowedValues :
AttributeSet : Engineering
Description : Target completion date
Id : Engineering_ProjectDate
IsCollection : False
IsSearchable : True
Name : ProjectDate
Status : Available
Type : String
UsePreDefinedValuesOnly : False
AdditionalProperties : {}
AllowedValues :
AttributeSet : Engineering
Description : Active projects for user
Id : Engineering_Project
IsCollection : True
IsSearchable : True
Name : Project
Status : Available
Type : String
UsePreDefinedValuesOnly : True
AdditionalProperties : {}
Get a custom security attribute definition
The following example gets a custom security attribute definition.
- Attribute set: Engineering
- Attribute: ProjectDate
Get-MgDirectoryCustomSecurityAttributeDefinition
Get-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId "Engineering_ProjectDate" | Format-List
AllowedValues :
AttributeSet : Engineering
Description : Target completion date
Id : Engineering_ProjectDate
IsCollection : False
IsSearchable : True
Name : ProjectDate
Status : Available
Type : String
UsePreDefinedValuesOnly : False
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}
Add a custom security attribute definition
The following example adds a new custom security attribute definition.
- Attribute set: Engineering
- Attribute: ProjectDate
- Attribute data type: String
New-MgDirectoryCustomSecurityAttributeDefinition
$params = @{
attributeSet = "Engineering"
description = "Target completion date"
isCollection = $false
isSearchable = $true
name = "ProjectDate"
status = "Available"
type = "String"
usePreDefinedValuesOnly = $false
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $params | Format-List
AllowedValues :
AttributeSet : Engineering
Description : Target completion date
Id : Engineering_ProjectDate
IsCollection : False
IsSearchable : True
Name : ProjectDate
Status : Available
Type : String
UsePreDefinedValuesOnly : False
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}
Add a custom security attribute definition that supports multiple predefined values
The following example adds a new custom security attribute definition that supports multiple predefined values.
- Attribute set: Engineering
- Attribute: Project
- Attribute data type: Collection of Strings
New-MgDirectoryCustomSecurityAttributeDefinition
$params = @{
attributeSet = "Engineering"
description = "Active projects for user"
isCollection = $true
isSearchable = $true
name = "Project"
status = "Available"
type = "String"
usePreDefinedValuesOnly = $true
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $params | Format-List
AllowedValues :
AttributeSet : Engineering
Description : Active projects for user
Id : Engineering_Project
IsCollection : True
IsSearchable : True
Name : Project
Status : Available
Type : String
UsePreDefinedValuesOnly : True
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}
Add a custom security attribute definition with a list of predefined values
The following example adds a new custom security attribute definition with a list of predefined values.
- Attribute set: Engineering
- Attribute: Project
- Attribute data type: Collection of Strings
- Predefined values: Alpine, Baker, Cascade
New-MgDirectoryCustomSecurityAttributeDefinition
$params = @{
attributeSet = "Engineering"
description = "Active projects for user"
isCollection = $true
isSearchable = $true
name = "Project"
status = "Available"
type = "String"
usePreDefinedValuesOnly = $true
allowedValues = @(
@{
id = "Alpine"
isActive = $true
}
@{
id = "Baker"
isActive = $true
}
@{
id = "Cascade"
isActive = $true
}
)
}
New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $params | Format-List
AllowedValues :
AttributeSet : Engineering
Description : Active projects for user
Id : Engineering_Project
IsCollection : True
IsSearchable : True
Name : Project
Status : Available
Type : String
UsePreDefinedValuesOnly : True
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions/$entity]}
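The limits the article states (32-character names with no spaces or special characters, 128-character descriptions, attribute sets and definitions that can never be renamed or deleted) mean that a typo in a scripted create is permanent. The following PowerShell is an added example, not code from the Microsoft Learn page or from Microsoft: it validates names before any write and creates the attribute set and the definition only if they do not already exist, reusing the cmdlets and body parameters shown in the examples above. The helper names (Test-CsaName, Get-CsaDefinitionIfExists, New-CsaDefinitionIdempotent), the letters-and-digits-only regex as a reading of "no spaces or special characters", and the assumption that Connect-MgGraph has already been run with the CustomSecAttributeDefinition.ReadWrite.All scope are this example's own.

```powershell
# Added example (not from the Microsoft Learn page). Assumes the Microsoft.Graph
# module is installed and Connect-MgGraph was already run with the
# CustomSecAttributeDefinition.ReadWrite.All scope (an assumption).

function Test-CsaName {
    # The page states: up to 32 characters, no spaces or special characters.
    # Letters and digits only is this example's interpretation of that rule.
    param([Parameter(Mandatory)][string]$Name, [int]$MaxLength = 32)
    return ($Name.Length -le $MaxLength) -and ($Name -match '^[A-Za-z0-9]+$')
}

function Get-CsaDefinitionIfExists {
    # Definition IDs are "<attributeSet>_<name>", as in the page's output.
    param([Parameter(Mandatory)][string]$AttributeSet, [Parameter(Mandatory)][string]$Name)
    $id = "${AttributeSet}_${Name}"
    try {
        return Get-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId $id -ErrorAction Stop
    } catch {
        return $null   # 404 (or no read permission) is treated as "absent"
    }
}

function New-CsaDefinitionIdempotent {
    param(
        [Parameter(Mandatory)][string]$AttributeSet,
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = '',
        [ValidateSet('Boolean', 'Integer', 'String')][string]$Type = 'String',
        [bool]$IsCollection = $false,
        [string[]]$AllowedValues = @()
    )
    # All validation happens before the first write: nothing here can be undone.
    if (-not (Test-CsaName $AttributeSet)) { throw "Invalid attribute set name '$AttributeSet'" }
    if (-not (Test-CsaName $Name))         { throw "Invalid attribute name '$Name'" }
    if ($Description.Length -gt 128)       { throw 'Description exceeds 128 characters' }
    if ($Type -eq 'Boolean' -and $AllowedValues.Count -gt 0) {
        throw 'Predefined values (usePreDefinedValuesOnly) are not supported for Boolean attributes'
    }

    # Attribute set: create only when missing (sets cannot be renamed or deleted).
    $set = $null
    try { $set = Get-MgDirectoryAttributeSet -AttributeSetId $AttributeSet -ErrorAction Stop } catch {}
    if (-not $set) {
        New-MgDirectoryAttributeSet -BodyParameter @{ id = $AttributeSet; maxAttributesPerSet = 25 } | Out-Null
    }

    # Definition: never recreate; report the existing one (and its status) instead.
    $existing = Get-CsaDefinitionIfExists -AttributeSet $AttributeSet -Name $Name
    if ($existing) {
        Write-Warning "Definition $($existing.Id) already exists (status $($existing.Status)); not recreating."
        return $existing
    }

    $body = @{
        attributeSet            = $AttributeSet
        name                    = $Name
        description             = $Description
        type                    = $Type
        isCollection            = $IsCollection
        isSearchable            = $true
        status                  = 'Available'
        usePreDefinedValuesOnly = ($AllowedValues.Count -gt 0)
    }
    if ($AllowedValues.Count -gt 0) {
        # Same shape as the page's allowedValues example: one active entry per value.
        $body.allowedValues = @($AllowedValues | ForEach-Object { @{ id = $_; isActive = $true } })
    }
    return New-MgDirectoryCustomSecurityAttributeDefinition -BodyParameter $body
}

# Usage, with the values from the page's examples:
# New-CsaDefinitionIdempotent -AttributeSet Engineering -Name Project `
#     -Description 'Active projects for user' -IsCollection $true -AllowedValues Alpine, Baker, Cascade
```

Running the function twice is safe: the second call finds the existing definition and returns it with a warning instead of attempting a duplicate create, which is the behaviour you want in a provisioning pipeline that reruns on every commit.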
Update a custom security attribute definition
The following example updates a custom security attribute definition.
- Attribute set: Engineering
- Attribute: ProjectDate
Update-MgDirectoryCustomSecurityAttributeDefinition
$params = @{
description = "Target completion date (YYYY/MM/DD)"
}
Update-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId "Engineering_ProjectDate" -BodyParameter $params
Update the predefined values for a custom security attribute definition
The following example updates the predefined values for a custom security attribute definition.
- Attribute set: Engineering
- Attribute: Project
- Attribute data type: Collection of Strings
- Update predefined value: Baker
- New predefined value: Skagit
Note
For this request, you must add the OData-Version header and assign it the value 4.01.
$params = @{
"allowedValues@delta" = @(
@{
id = "Baker"
isActive = $false
}
@{
id = "Skagit"
isActive = $true
}
)
}
$header = @{
# Header values are sent as strings; quoting avoids culture-dependent number formatting.
"OData-Version" = "4.01"
}
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions/Engineering_Project" -Headers $header -Body $params
Deactivate a custom security attribute definition
The following example deactivates a custom security attribute definition.
- Attribute set: Engineering
- Attribute: Project
Update-MgDirectoryCustomSecurityAttributeDefinition
$params = @{
status = "Deprecated"
}
Update-MgDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId "Engineering_Project" -BodyParameter $params
Get all predefined values
The following example gets all predefined values for a custom security attribute definition.
- Attribute set: Engineering
- Attribute: Project
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" | Format-List
Id : Skagit
IsActive : True
AdditionalProperties : {}
Id : Baker
IsActive : False
AdditionalProperties : {}
Id : Cascade
IsActive : True
AdditionalProperties : {}
Id : Alpine
IsActive : True
AdditionalProperties : {}
Get a predefined value
The following example gets a predefined value for a custom security attribute definition.
- Attribute set: Engineering
- Attribute: Project
- Predefined value: Alpine
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -AllowedValueId "Alpine" | Format-List
Id : Alpine
IsActive : True
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions('Engineering_Project')/allowedValues/$entity]}
Add a predefined value
The following example adds a predefined value for a custom security attribute definition.
You can add predefined values for custom security attributes that have usePreDefinedValuesOnly set to true.
- Attribute set: Engineering
- Attribute: Project
- Predefined value: Alpine
New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
$params = @{
id = "Alpine"
isActive = $true
}
New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -BodyParameter $params | Format-List
Id : Alpine
IsActive : True
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#directory/customSecurityAttributeDefinitions('Engineering_Project')/allowedValues/$entity]}
Deactivate a predefined value
The following example deactivates a predefined value for a custom security attribute definition.
- Attribute set: Engineering
- Attribute: Project
- Predefined value: Alpine
Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
$params = @{
isActive = $false
}
Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue -CustomSecurityAttributeDefinitionId "Engineering_Project" -AllowedValueId "Alpine" -BodyParameter $params
Frequently asked questions
Can you delete custom security attribute definitions?
No, you can't delete custom security attribute definitions. You can only deactivate them. Once you deactivate a custom security attribute, it can no longer be assigned to Microsoft Entra objects. Existing assignments of the deactivated custom security attribute definition are not automatically removed. There is no limit to the number of deactivated custom security attributes. You can have 500 active custom security attribute definitions per tenant with 100 allowed predefined values per custom security attribute definition.
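Because deactivating a definition (the "Deactivate a custom security attribute definition" PowerShell example above, status "Deprecated") does not remove the values already assigned to users, a tenant can accumulate stale attribute data that nobody can see in the definition list any more. The following PowerShell is an added example, not code from the Microsoft Learn page or from Microsoft: it lists every deactivated definition and reports which users still hold a value for it, so the assignments can be reviewed and cleaned up. It assumes Connect-MgGraph was run with the CustomSecAttributeDefinition.Read.All, CustomSecAttributeAssignment.Read.All and User.Read.All scopes, and that the Microsoft Graph PowerShell SDK exposes a user's assignments as CustomSecurityAttributes.AdditionalProperties keyed by attribute set and then by attribute name (an assumption about the SDK's object shape; adjust Get-UserCsaValue if your SDK version differs). The function names are this example's own.

```powershell
# Added example (not from the Microsoft Learn page). Assumes Connect-MgGraph was
# run with CustomSecAttributeDefinition.Read.All, CustomSecAttributeAssignment.Read.All
# and User.Read.All (an assumption).

function Get-DeactivatedCsaDefinitions {
    # "Deprecated" is the status the page's deactivate example sets.
    Get-MgDirectoryCustomSecurityAttributeDefinition -All |
        Where-Object { $_.Status -eq 'Deprecated' }
}

function Get-UserCsaValue {
    # Returns the value(s) a user holds for <set>/<attribute>, or $null if none.
    # Assumed SDK shape: CustomSecurityAttributes.AdditionalProperties[<set>][<attribute>];
    # keys beginning with '@odata' are type annotations, not attribute values.
    param($User, [string]$AttributeSet, [string]$AttributeName)
    $csa = $User.CustomSecurityAttributes
    if (-not $csa -or -not $csa.AdditionalProperties) { return $null }
    $set = $csa.AdditionalProperties[$AttributeSet]
    if (-not $set) { return $null }
    if ($set.ContainsKey($AttributeName)) { return $set[$AttributeName] }
    return $null
}

function Find-StaleCsaAssignments {
    # One row per (user, deactivated attribute) pair that still carries a value.
    $deprecated = @(Get-DeactivatedCsaDefinitions)
    if ($deprecated.Count -eq 0) { return @() }

    # customSecurityAttributes is not returned unless selected explicitly.
    $users = Get-MgUser -All -Select 'id,userPrincipalName,customSecurityAttributes'

    foreach ($user in $users) {
        foreach ($def in $deprecated) {
            $value = Get-UserCsaValue -User $user -AttributeSet $def.AttributeSet -AttributeName $def.Name
            if ($null -ne $value) {
                [pscustomobject]@{
                    UserPrincipalName = $user.UserPrincipalName
                    Definition        = $def.Id          # e.g. Engineering_Project
                    Value             = (@($value) -join ', ')   # collections become one cell
                }
            }
        }
    }
}

# Usage:
# Find-StaleCsaAssignments | Format-Table -AutoSize
```

The report enumerates all users rather than filtering server-side, which keeps it independent of per-attribute filter syntax and works for attributes of every data type; on a large tenant, run it with the -All paging above and export the result to CSV for review before removing assignments.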