Azure AD Custom Properties for Enhanced Security and Management


Azure AD (now Microsoft Entra ID) custom properties let you store additional information about users and devices alongside the built-in profile, and that information can drive access decisions instead of living in a spreadsheet or an application database.

Attributes such as department, location, project or job title can be referenced by access policies, so that entitlement to sensitive resources follows the attribute rather than a hand-maintained list of individual assignments. That narrows who can reach a resource, and it narrows it in a way that can be audited.

The same data helps with support and troubleshooting: when a user reports a problem, their department or location is readable on the account itself rather than having to be looked up elsewhere.

Custom Properties

Custom properties in Azure AD let you collect and store user data that the default profile does not include. This page covers three mechanisms that are easy to confuse: Custom Security Attributes (Entra ID attributes intended for authorization, such as Azure ABAC conditions, and governed by their own roles), custom user attributes in Azure AD B2C (extension attributes on the b2c-extensions-app, collected in user flows), and directory extension attributes (registered on an application and emitted as token claims).

Which objects can carry an attribute depends on the mechanism: Custom Security Attributes can be assigned to users and service principals, while directory extension attributes can be registered on users, groups, devices and other directory objects. In either case the attribute stores information that the default profile lacks, such as a project code, a preferred language or a job title.


Custom properties can be used to personalize the user experience in your application. For example, you can use a custom property to store a user's preferred language and then use that information to display content in the user's preferred language.

Azure AD custom properties support a variety of data types, including strings, integers, and booleans. This allows you to store a wide range of data in your custom properties.

You can use Azure AD custom properties to enforce business rules and policies in your organization. For example, you can create a custom property to store a user's job title and then use that information to determine whether a user has access to certain resources or applications.

Custom properties can be used alongside other Azure AD features. Custom Security Attributes can filter which applications a Conditional Access policy targets and can appear in Azure ABAC role-assignment conditions; extension attributes can be emitted as claims to applications that use single sign-on. Used together, these give you an identity-driven access model rather than a collection of hand-maintained role assignments.

Azure AD custom properties can be updated by users, administrators, or through automated scripts. This allows you to keep your custom property data up to date and ensure that it remains accurate and relevant.


Assigning Custom Properties


To assign custom properties, you first need Azure AD roles that permit managing Custom Security Attributes: their Attribute Sets, definitions, assignments and values. The roles can be granted tenant-wide or scoped to specific Attribute Sets.

The built-in roles Attribute Definition Administrator (create and manage Attribute Sets and attribute definitions) and Attribute Assignment Administrator (assign values to users and service principals) give an administrator access to all Custom Security Attributes tenant-wide. Their read-only counterparts, Attribute Definition Reader and Attribute Assignment Reader, exist for auditing. All of them can be assigned through the Azure AD Portal or through PIM, and PIM is the better choice here because assignment rights are in effect a way to grant access to anything an ABAC condition protects.

To assign an attribute to a user, use the Azure AD Portal (Users blade, select a user, Custom security attributes, Add assignment) or Microsoft Graph (a PATCH request to /users/{id|upn} with the user's object ID or userPrincipalName). Both routes are described below.

These roles can be assigned at the tenant level or on an individual Attribute Set; the set-level option is how you give a team control over its own attributes without tenant-wide rights.

Create an Attribute Set


An Attribute Set is the container for related Custom Security Attributes, and you create it before any attribute definitions. In the Azure AD Portal, navigate to the Custom Security Attributes blade, click Add attribute set, and specify the Attribute set name and Description.

The name is permanent: an Attribute Set cannot be renamed or deleted once created, so settle on a naming convention and test it in a demo tenant first.

You can also create an Attribute Set with Microsoft Graph. In Graph Explorer, sign in to your tenant and consent to the CustomSecAttributeDefinition.ReadWrite.All permission (CustomSecAttributeAssignment.ReadWrite.All is needed later, for assigning values). Consent only grants the delegated permission; the signed-in account must also hold the Attribute Definition Administrator role, or the request fails with a 403.

Then make a POST request to the /directory/attributeSets (beta) endpoint. The body takes id (the Attribute Set name, required), description and maxAttributesPerSet (both optional; the latter caps how many attributes the set can hold). The Graph response contains the created Attribute Set's details.

Create and Manage Custom Security Attributes

Once the Attribute Set exists, you create the Custom Security Attributes inside it, and later return to the same place to manage them.

In the Azure AD Portal, go back to the Custom Security Attributes blade and click the Attribute Set created earlier to add attributes to it or to see the ones already defined.

To change a Custom Security Attribute, click it in the Attribute Set to edit its Description, status and the other editable properties. Custom Security Attributes can be deactivated when no longer in use, but they cannot be deleted from the tenant, and neither their name nor their data type can be changed after creation, so get both right before you create them.

To create a Custom Security Attribute via Microsoft Graph, use Graph Explorer to make a POST request to the /directory/customSecurityAttributeDefinitions (beta) endpoint. You can specify the following properties in the body:

  1. attributeSet (Attribute Set name)
  2. description
  3. name (Custom Security Attribute name)
  4. status (whether the attribute is enabled or disabled)
  5. type (data type)
  6. isCollection (if attribute is multivalue)
  7. usePreDefinedValuesOnly (whether only allowing predefined values to be assigned)
  8. isSearchable (whether attribute values are indexed)

Assign a Custom Security Attribute to a User

To assign a custom property to a user, use either the Azure AD Portal or Microsoft Graph. In the Azure AD Portal, navigate to the Users blade, click the user, and then click Custom security attributes.

Click Add assignment, select the Attribute Set and the attribute name, and enter the value (or pick one of the predefined values if the attribute only allows those). Save the assignment.

Alternatively, use Microsoft Graph: make a PATCH request to /users/{id|upn} (beta) with the user's object ID or user principal name. The caller needs the CustomSecAttributeAssignment.ReadWrite.All permission and the Attribute Assignment Administrator role (tenant-wide or on the Attribute Set). The body contains a customSecurityAttributes object keyed by Attribute Set name, and inside it the attribute name and value; a single string value needs no further annotation, but integer and multi-valued attributes need an @odata.type annotation next to the value.

Here's an example of what the request body might look like:

    {
      "customSecurityAttributes": {
        "BusinessProjects": {
          "@odata.type": "#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
          "ProjectID": "PBX4718"
        }
      }
    }

After making the request, you can view the assigned custom properties on the user by making a GET request to the endpoint /users/{id|upn}?$select=id,userPrincipalName,customSecurityAttributes (beta) with the correct user ID or user principal name.

Here's an example of what the response might look like:

    {
      "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(id,userPrincipalName,customSecurityAttributes)/$entity",
      "id": "26406275-67f9-47fe-a80b-f71b18865cf2",
      "userPrincipalName": "[email protected]",
      "customSecurityAttributes": {
        "BusinessProjects": {
          "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
          "ProjectID": "PBX4718"
        }
      }
    }

Note that the custom security attribute is represented as a JSON object with the attribute set name and attribute name as keys.


Use in User Flow


To use a custom attribute in a user flow, select User flows in your Azure AD B2C tenant, select the policy to open it, then select User attributes and tick the custom attribute you created. Save. This makes the attribute one of the values collected during sign-up.

To return the value to your application, select Application claims for the same user flow, tick the custom attribute, and save again. Collection and emission are separate settings, so an attribute can be collected without ever being placed in a token.

After creating a new user through the flow, verify the experience with Run user flow: the custom attribute appears in the list of attributes collected during the sign-up journey, and the token sent back to your application carries it as a claim. Treat any claim a user typed in at sign-up as untrusted input in the application; it is self-asserted, not verified by the directory.

Security and Access

ABAC (attribute-based access control) for Azure Blob Storage was in public preview when this was written; both ABAC conditions for Azure Storage and Custom Security Attributes have since reached general availability. ABAC adds conditions to an Azure role assignment: the role still grants the actions, but a condition expression decides, per request, whether a given action is allowed based on attributes of the principal, the resource (for example blob index tags) or the request.

Microsoft describes Custom Security Attributes as building on the ABAC preview: a condition can reference the signed-in principal's Custom Security Attributes, so you can grant access to Azure Blob Storage with a single conditional role assignment rather than one RBAC assignment per project or per container. Fewer role assignments also means fewer things to review, and the attribute value becomes the audited fact that explains why a principal had access.

The blog post "Control access to Azure Storage Blobs with Attribute-based Access Control conditions" shows this end to end.
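As an added example (not from the page or from Microsoft's own samples), here is a small Python helper that builds the ABAC condition and the role-assignment body for the Custom Security Attribute assigned earlier, together with a local model of how that condition evaluates, which is useful for reasoning about the case-sensitivity and missing-attribute cases before you deploy it. The condition grammar and the ARM body fields are the documented ones; the role definition and principal IDs used are placeholders.

```python
"""Azure ABAC role-assignment condition keyed on a custom security attribute.

Added example for this page; not code from the page or from Microsoft.
The condition grammar (ActionMatches, @Principal[...], StringEquals) and the
ARM role assignment body are the documented ones; attribute set, value, role
definition and principal IDs below are constructed placeholders.
"""
import re

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


def principal_attribute(attribute_set, attribute):
    """Azure ABAC names a custom security attribute <set>_<attribute>.
    Set and attribute names are letters and digits only, which keeps the
    underscore separator unambiguous; reject anything else."""
    for part in (attribute_set, attribute):
        if not re.fullmatch(r"[A-Za-z0-9]+", part):
            raise ValueError(f"invalid attribute set or attribute name: {part!r}")
    return (f"@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:"
            f"{attribute_set}_{attribute}]")


def blob_read_condition(attribute_set, attribute, required_value, ignore_case=False):
    """Condition text: every action the role grants stays allowed, except
    blob reads, which additionally require the principal's attribute value
    to match. StringEquals is case-sensitive; opt in to the IgnoreCase form."""
    if "'" in required_value:
        raise ValueError("a single quote would terminate the ABAC string literal")
    op = "StringEqualsIgnoreCase" if ignore_case else "StringEquals"
    return (f"((!(ActionMatches{{'{BLOB_READ}'}})) OR "
            f"({principal_attribute(attribute_set, attribute)} {op} '{required_value}'))")


def role_assignment_body(role_definition_id, principal_id, condition):
    """Body for PUT .../providers/Microsoft.Authorization/roleAssignments/{guid}
    (api-version 2022-04-01). role_definition_id is the full resource ID of a
    role that grants the blob data actions; conditionVersion must be "2.0"."""
    return {"properties": {"roleDefinitionId": role_definition_id,
                           "principalId": principal_id,
                           "condition": condition,
                           "conditionVersion": "2.0"}}


def permits(action, principal_attributes, attribute_set, attribute,
            required_value, ignore_case=False):
    """Local model of how blob_read_condition() evaluates for one request.
    principal_attributes is the {"<set>_<attribute>": value} view of the
    caller. A principal with no value assigned is denied for blob reads."""
    if action != BLOB_READ:
        return True                     # first clause of the OR is satisfied
    actual = principal_attributes.get(f"{attribute_set}_{attribute}")
    if not isinstance(actual, str):
        return False
    if ignore_case:
        return actual.lower() == required_value.lower()
    return actual == required_value


if __name__ == "__main__":
    cond = blob_read_condition("BusinessProjects", "ProjectID", "PBX4718")
    print(cond)
    # Placeholder IDs; a real call uses the subscription's role definition
    # resource ID and the user's or service principal's object ID.
    print(role_assignment_body(
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
        "Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222", cond))
```

The local model is deliberately strict about the two cases that bite in practice: a principal with no attribute assigned fails the read, and a value that differs only in case fails unless you chose StringEqualsIgnoreCase. Both are what the real evaluator does, so decide on case handling when you define the allowed values, not after the first access denial.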


Assign Azure AD Roles for Management

Assigning Azure AD roles is the first step in managing Custom Security Attributes, because no existing role includes these permissions. To manage all Custom Security Attributes, Sets, assignments and values tenant-wide, an administrator needs both the Attribute Definition Administrator and the Attribute Assignment Administrator Azure AD roles.

These roles are assigned at the tenant level through the Azure AD Portal (Roles and administrators blade) or through PIM, which is preferable for the assignment role in particular: whoever can set attribute values can grant whatever access an ABAC condition keys on.

Administrators who only need rights over specific Custom Security Attributes should instead receive the set-level role(s) directly on the Attribute Set(s): Azure AD Portal, Custom Security Attributes blade, open the Attribute Set, then Roles and administrators.

The same built-in roles are used at both scopes: Attribute Definition Administrator and Attribute Assignment Administrator, plus the read-only Attribute Definition Reader and Attribute Assignment Reader.

Note that Global Administrator and other highly privileged roles do not have access to Custom Security Attributes by default. This is deliberate: a Global Administrator can assign the attribute roles to themselves, but doing so is a logged role change rather than a silent side effect of an existing privilege, so watch for it in the audit logs.


Add OIDC/OAuth JWT Claims

Adding OIDC/OAuth JWT claims is how an application learns about a user's extension attributes without calling Graph itself. One route is a claims mapping policy that emits directory extension attributes as claims in the token; you can create it with the Microsoft Graph API, for example from PowerShell.

After creating the claims mapping policy, assign it to the application's service principal in your tenant; the policy only takes effect for service principals it is linked to. To change a policy later, update it with a PUT/PATCH call; the assignment to the service principal stays in place.

Verify the result by signing in to the application with a user whose extension attributes are populated: the claims should appear in the token your test application receives. An application that consumes claims from a claims mapping policy must either be marked to accept mapped claims (single-tenant applications) or use a custom signing key, otherwise token issuance fails.

The alternative is optional claims: add the directory extension attributes as optional claims in the application manifest, or do it through the Token configuration page, which validates the entry and shows an error if the name is wrong. Optional claims need no policy and no signing-key change, which makes them the simpler choice when the extension attributes are the only custom claims you need.

With either route in place, the application's JWTs carry the extension attributes and it can authorize users without a second lookup.

Manage with Microsoft Graph


You can use the Microsoft Graph API to manage custom attributes in your Azure AD B2C tenant: create the attribute definitions, list them, and set or clear their values on a user.

B2C custom attributes are directory extension attributes registered on the b2c-extensions-app that every B2C tenant contains, so in Graph they follow the naming convention extension_{appId-without-hyphens}_{extensionProperty-name}, where {appId-without-hyphens} is the appId of the b2c-extensions-app with the hyphens removed.

For example, if that appId is 11112222-bbbb-3333-cccc-4444dddd5555 and the attribute name is loyaltyId, the Graph property is named extension_11112222bbbb3333cccc4444dddd5555_loyaltyId.

Use that property name as a key in the PATCH /users/{id} body to set or clear the value, and read it back with GET /users/{id}.
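An added example (not the page's or Microsoft's code) that ties the naming convention above to the claims section before it: it derives the extension_{appId}_{name} property from an appId, builds the user PATCH bodies that set or clear it, and produces both a claims mapping policy definition and an optionalClaims patch that emit it as a JWT claim. The policy, $ref and optionalClaims shapes are the documented Graph ones; the appId, attribute and claim names are constructed placeholders.

```python
"""Directory extension attributes: Graph property naming, user PATCH bodies,
and the two ways to surface them as JWT claims.

Added example for this page; not the page's or Microsoft's code. The appId,
attribute and claim names are constructed placeholders; the claims mapping
policy, $ref and optionalClaims shapes are the documented Graph ones.
"""
import json
import re

APP_ID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")      # extension names are alphanumeric


def extension_property_name(app_id, name):
    """extension_{appId with hyphens removed}_{name}: the property name Graph
    exposes for a directory extension registered on that application."""
    if not APP_ID_RE.match(app_id):
        raise ValueError(f"not an appId GUID: {app_id!r}")
    if not NAME_RE.match(name):
        raise ValueError(f"extension names are alphanumeric: {name!r}")
    return f"extension_{app_id.replace('-', '')}_{name}"


def user_extension_patch(app_id, name, value):
    """Body for PATCH /users/{id|upn}. value=None clears it (null), which is
    what must be done on every user before the definition itself is removed."""
    return {extension_property_name(app_id, name): value}


def claims_mapping_policy(app_id, claim_map, display_name):
    """Body for POST /policies/claimsMappingPolicies. claim_map maps an
    extension attribute name to the claim name to emit. The definition is a
    string collection holding the serialised ClaimsMappingPolicy JSON."""
    schema = [{"Source": "user",
               "ExtensionID": extension_property_name(app_id, ext),
               "JwtClaimType": claim} for ext, claim in claim_map.items()]
    definition = {"ClaimsMappingPolicy": {"Version": 1,
                                          "IncludeBasicClaimSet": "true",
                                          "ClaimsSchema": schema}}
    return {"definition": [json.dumps(definition)],
            "displayName": display_name,
            "isOrganizationDefault": False}


def policy_assignment_ref(policy_id):
    """Body for POST /servicePrincipals/{id}/claimsMappingPolicies/$ref,
    which links the policy to the application's service principal."""
    return {"@odata.id": "https://graph.microsoft.com/v1.0/policies/"
                         f"claimsMappingPolicies/{policy_id}"}


def optional_claims_patch(app_id, names, token_types=("idToken", "accessToken")):
    """Body for PATCH /applications/{objectId}: the optional-claims route,
    which needs neither a policy nor a signing-key change."""
    claims = [{"name": extension_property_name(app_id, n), "source": "user",
               "essential": False, "additionalProperties": []} for n in names]
    return {"optionalClaims": {t: list(claims) for t in token_types}}


def policy_claims(policy_body):
    """Parse a policy body back into [(ExtensionID, JwtClaimType), ...];
    useful when auditing which extension attributes existing policies leak."""
    defn = json.loads(policy_body["definition"][0])
    return [(c["ExtensionID"], c["JwtClaimType"])
            for c in defn["ClaimsMappingPolicy"]["ClaimsSchema"]]


if __name__ == "__main__":
    app = "11112222-bbbb-3333-cccc-4444dddd5555"       # placeholder appId
    print(user_extension_patch(app, "loyaltyId", "GOLD-7"))
    policy = claims_mapping_policy(app, {"loyaltyId": "loyalty_id"}, "Loyalty claims")
    print(json.dumps(policy, indent=2))
    print(policy_claims(policy))
    print(json.dumps(optional_claims_patch(app, ["loyaltyId"]), indent=2))
```

When you take the claims mapping policy route, remember the caveat from the claims section: the consuming application must accept mapped claims or use a custom signing key, and the policy has no effect until it is linked to the service principal with the $ref call. policy_claims() is there for the reverse direction, listing what an existing policy emits, which is the quickest way to find extension attributes that are being handed to applications that no longer need them.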


Identities

Identities are the objects the custom properties hang off: the user, group, device and service principal objects that Azure AD stores and manages.

Each identity is represented as a directory object with built-in attributes such as display name, email and department. Custom properties extend that schema with information relevant to your organization, such as a job title, a location or a project code, so that the object itself carries what your policies need.

Because the attribute lives on the identity, it can be reused everywhere the identity appears: in ABAC conditions, in token claims, and in group or application assignments that key on the attribute. The result is one consistent picture of each user, group or device instead of a copy of the same data in every application, and an access decision that can be traced back to a single attribute value on the object.

Troubleshooting

If custom properties are not behaving as expected, the common causes are visibility and permissions rather than the data itself.

Custom Security Attributes may not be visible in the Azure portal even to a Global Administrator, because no existing role includes them: the account needs the Attribute Definition or Attribute Assignment role (Administrator or Reader) at tenant level or on the Attribute Set. In Graph, the customSecurityAttributes property is not returned by default; request it explicitly with $select, and make sure the calling app has the CustomSecAttribute permissions.

Extension attributes require their definition to exist before values can be set: confirm the extension property is registered on the owning application (the b2c-extensions-app for B2C custom attributes) and that you are using the exact extension_{appId}_{name} property name, because a mistyped name is rejected as an unknown property.

If a definition exists but a value is wrong, fix it by writing the correct value, or null to clear it. There is no reset-to-default for these properties; what is stored is what you last wrote.


Known Issues

Custom Security Attributes were in public preview when this was written and have since reached general availability, but the observations below still matter for how you use them.

Global Administrators can read the Azure AD audit logs, which record Custom Security Attribute definitions and assignments, including the attribute values. Anyone with access to an export of those logs (a SIEM, a storage account, a Log Analytics workspace) sees the values too. Do not put secrets or sensitive personal data in attribute values; treat them as labels, not as confidential storage.

Users with attribute set-level role assignments can view the other Attribute Sets and Custom Security Attribute definitions in the tenant, not only their own set; set-level scoping limits what they can change, not what they can see.

At the time there was no read-only Graph scope, so any automation needed ReadWrite permissions. The CustomSecAttributeDefinition.Read.All and CustomSecAttributeAssignment.Read.All permissions now exist and should be used for reporting and reconciliation jobs instead of the ReadWrite variants.

Remove a Custom Attribute

Removing a custom attribute needs some care. Before removing the attribute definition itself, set the extension attribute value to null on every account in the directory that has one, so that the stored values are explicitly cleared rather than left orphaned.

To remove a custom attribute from a user flow, sign in to the Azure portal as at least External ID User Flow Attribute Administrator of your Azure AD B2C tenant, and make sure you are in the directory that contains the B2C tenant. Then:

  1. Choose All services in the top-left corner of the Azure portal, and search for and select Azure AD B2C.
  2. Select User attributes, and then select the attribute you want to delete.
  3. Select Delete, and then select Yes to confirm.

Deleting an extension attribute removes it from all user accounts and deletes the values, and any user flow, claims mapping or application that still references the extension_{appId}_{name} property breaks. Audit those references before you delete.

Frequently Asked Questions

How to add custom attributes in Azure AD?

For attributes collected by External Identities user flows, navigate to Azure Active Directory > External Identities > Custom user attributes and select Add. For Custom Security Attributes, use the Custom Security Attributes blade described above, which requires the Attribute Definition Administrator role.

What is custom attribute in AD?

A custom attribute in Active Directory is a user-defined property that can be added to objects, such as users or computers, to store additional information. This allows IT administrators to tailor Active Directory to specific needs and integrate with other applications.

Glen Hackett

Writer

Glen Hackett is a skilled writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for breaking down complex topics, Glen has established himself as a trusted voice in the tech industry. His writing expertise spans a range of subjects, including Azure Certifications, where he has developed a comprehensive understanding of the platform and its various applications.
