Troubleshoot custom security attributes in Microsoft Entra ID
Symptom - Add attribute set is disabled
When signed in to the Microsoft Entra admin center and you try to select the Custom security attributes > Add attribute set option, it's disabled.
Cause
You don't have permissions to add an attribute set. To add an attribute set and custom security attributes, you must be assigned the Attribute Definition Administrator role.
Important
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
Solution
Make sure that you're assigned the Attribute Definition Administrator role at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Symptom - Error when you try to assign a custom security attribute
When you try to save a custom security attribute assignment, you get the message:
Insufficient privileges to save custom security attributes
This account does not have the necessary admin privileges to change custom security attributes
Cause
You don't have permissions to assign custom security attributes. To assign custom security attributes, you must be assigned the Attribute Assignment Administrator role.
Important
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
Solution
Make sure that you're assigned the Attribute Assignment Administrator role at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Symptom - Can't filter custom security attributes for users or applications
Cause 1
You don't have permissions to filter custom security attributes. To read and filter custom security attributes for users or enterprise applications, you must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role.
Important
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
Solution 1
Make sure that you're assigned one of the following Microsoft Entra built-in roles at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Cause 2
You're assigned the Attribute Assignment Reader or Attribute Assignment Administrator role, but you haven't been assigned access to an attribute set.
Solution 2
You can delegate the management of custom security attributes at the tenant scope or at the attribute set scope. Make sure you have been assigned access to an attribute set at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Cause 3
There are no custom security attributes defined and assigned yet for your tenant.
Solution 3
Add and assign custom security attributes to users or enterprise applications. For more information, see Add or deactivate custom security attribute definitions in Microsoft Entra ID, Assign, update, list, or remove custom security attributes for a user, or Assign, update, list, or remove custom security attributes for an application.
Symptom - Custom security attributes can't be deleted
Cause
You can only activate and deactivate custom security attribute definitions. Deletion of custom security attributes isn't supported. Deactivated definitions don't count toward the tenant wide 500 definition limit.
Solution
Deactivate the custom security attributes you no longer need. For more information, see Add or deactivate custom security attribute definitions in Microsoft Entra ID.
Symptom - Can't add a role assignment at an attribute set scope using PIM
When you try to add an eligible Microsoft Entra role assignment using Microsoft Entra Privileged Identity Management (PIM), you can't set the scope to an attribute set.
Cause
PIM currently doesn't support adding an eligible Microsoft Entra role assignment at an attribute set scope.
Symptom - Insufficient privileges to complete the operation
When you try to use Graph Explorer to call Microsoft Graph API for custom security attributes, you see a message similar to the following:
Forbidden - 403. You need to consent to the permissions on the Modify permissions (Preview) tab
Authorization_RequestDenied
Insufficient privileges to complete the operation.
Or when you try to use a PowerShell command, you see a message similar to the following:
Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Cause 1
You're using Graph Explorer and you haven't consented to the required custom security attribute permissions to make the API call.
Solution 1
Open the Permissions panel, select the appropriate custom security attribute permission, and select Consent. In the Permissions requested window that appears, review the requested permissions.
Cause 2
You aren't assigned the required custom security attribute role to make the API call.
Important
By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.
Solution 2
Make sure that you're assigned the required custom security attribute role. For more information, see Manage access to custom security attributes in Microsoft Entra ID.
Cause 3
You're trying to remove a single-valued custom security attribute assignment by setting it to null
using the Update-MgUser or Update-MgServicePrincipal command.
Solution 3
Use the Invoke-MgGraphRequest command instead. For more information, see Remove a single-valued custom security attribute assignment from a user or Remove custom security attribute assignments from applications.
Symptom - Request_UnsupportedQuery error
When you try to call Microsoft Graph API for custom security attributes, you see a message similar to the following:
Bad Request - 400
Request_UnsupportedQuery
Unsupported or invalid query filter clause specified for property '<AttributeSet>_<Attribute>' of resource 'CustomSecurityAttributeValue'.
Cause
The request isn't formatted correctly.
Solution
If required, add ConsistencyLevel=eventual
in the request or the header. You might also need to include $count=true
to ensure the request is routed correctly. For more information, see Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API.