EntraID Application User Custom Properties

J Shaw 0 Reputation points
2025-01-24T17:59:32.33+00:00

I am developing an online business portal for Employees at 100+ locations around the country. Each location has a LocationCode and orders and customer data are related to the location code in ERP databases.

I am currently using EntraID Application Roles to manage permissions, but I need to know which office location the user is assigned to so I can limit what they see. For example if the employee is assigned to the Phoenix Office (PHX), I only want them to see orders and customer data for the Phoenix office.

I am currently getting user roles/permissions via the user's claims when they authenticate with Microsoft Identity Platform. This works well for limiting access to parts of the app, but not for limiting what data (orders) the user should see.

My hope is I would receive it as a Custom Claim when they authenticate, but I'd prefer not to create 100s of roles and that seems incorrect. I've also seen that I can add it to the EntraID User profile and then query it via Azure Graph.

As an extra requirement, I will also be allowing External Users to access the application and they will be assigned to locations as well.

How would I ideally manage the users assigned office/location and how to best retrieve it in the application?

Thank you for any guidance.


1 answer

Kancharla Saiteja 310 Reputation points Microsoft Vendor
2025-01-29T07:14:10.7333333+00:00

Hi @J Shaw, thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

Based on the description, here is my understanding: you would like to pass location as an attribute to restrict access to the application's data.

To add a custom attribute to the token, we have this Microsoft document which helps you in adding the attribute based on your requirement. This would help you in providing the location of the user from where they are trying to access the application.
Set the user location in Azure, which would help in marking the user's location of usage. If you would like to enable usage location from on-premises, you need to follow this document.

But restricting access to the data based on the location from the Azure app registration is not a possible scenario. We do not have any feature or option to restrict the user from accessing data based on the location. We only have location-based authorization from Conditional Access policy, but there is no option to set access for the application data from Azure.
I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
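As the answer notes, Entra can carry the location in the token but the application itself has to enforce the data filter. The following is an added example (not code from the question or the answer) of that server-side enforcement in Python: it assumes the token has already been validated by your auth middleware, that the app role is named `Orders.Read` (hypothetical), and that the directory extension attribute is emitted under the claim name `extn.LocationCode` (an assumption; check the real claim name in a token from your tenant).

```python
import re

# ASSUMPTION: a directory extension attribute emitted via a claims-mapping policy
# is expected under "extn.<attributeName>"; confirm the exact name in your tenant.
LOCATION_CLAIM = "extn.LocationCode"
REQUIRED_ROLE = "Orders.Read"               # hypothetical app role name
LOCATION_CODE = re.compile(r"^[A-Z]{3}$")   # e.g. "PHX"; adjust to your ERP codes


class AccessDenied(Exception):
    pass


def location_scope(claims: dict) -> str:
    """Return the caller's LocationCode from already-validated token claims.
    Fails closed: no role, no claim, or a malformed claim means no data at all."""
    if REQUIRED_ROLE not in claims.get("roles", []):
        raise AccessDenied("missing app role")
    code = claims.get(LOCATION_CLAIM)
    if not isinstance(code, str) or not LOCATION_CODE.fullmatch(code):
        raise AccessDenied("no valid location claim")
    return code


def visible_orders(claims: dict, orders: list[dict]) -> list[dict]:
    """Server-side filter: the location comes from the token, never from a
    query parameter or form field the client could change."""
    code = location_scope(claims)
    return [o for o in orders if o["LocationCode"] == code]


# Constructed sample data (not from the question): orders from two offices, plus
# decoded claims as they look after signature/issuer/audience validation.
ORDERS = [
    {"OrderId": 1001, "LocationCode": "PHX", "Customer": "Acme"},
    {"OrderId": 1002, "LocationCode": "DEN", "Customer": "Globex"},
    {"OrderId": 1003, "LocationCode": "PHX", "Customer": "Initech"},
]
PHX_CLAIMS = {"roles": ["Orders.Read"], LOCATION_CLAIM: "PHX"}
GUEST_NO_LOCATION = {"roles": ["Orders.Read"]}   # external user not yet assigned

if __name__ == "__main__":
    print([o["OrderId"] for o in visible_orders(PHX_CLAIMS, ORDERS)])  # [1001, 1003]
    try:
        visible_orders(GUEST_NO_LOCATION, ORDERS)
    except AccessDenied as exc:
        print("denied:", exc)
```

The same check belongs in every data endpoint (orders, customers), so an external user who has a role but no location assignment sees nothing rather than everything.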

