Custom Security Attributes in Entra ID enable storage of sensitive information on user and application objects in Azure Active Directory.
Attributes
Custom Security Attributes consist of two components: attributes and attribute sets. Each attribute consists of a definition and an assignment, and each attribute set consists of a definition and the permissions applied to the attribute set.
Attribute definitions
The definition of an attribute or attribute set cannot be changed once the object is created. The definition of an attribute set consists of the name of the attribute set. The definition of an attribute consists of the name of the attribute, the attribute set that contains the attribute, the data type of the attribute, and whether the attribute is single-valued or multi-valued. The data type can be string, integer, or boolean. The name of the attribute, the containing attribute set, and the data type cannot be changed once the attribute has been created. The value of the attribute can be changed by authorized users.
Attribute Sets
Each attribute set consists of the following: the name of the attribute set and the attributes contained within the set. The name of the attribute set cannot be changed once the attribute set has been created. The list of attributes in the set can be expanded by creating new attributes. Existing attributes in the set cannot be removed.
Attribute assignments
The assignment of an attribute is the value of the attribute and can be modified by authorized users at any time. The value must adhere to the requirements of the data type defined for the attribute.
Attribute set permissions
The permissions on an attribute set define who can modify the value of any attribute in the attribute set.
Limitations
The following limitations are defined by Microsoft:
A maximum of 500 attributes can be defined in a tenant.
A maximum of 500 attribute sets can be defined in a tenant.
A maximum of 50 values can be set on each user or application.
Implementation
The following restrictions are currently applied to custom security attributes in the utexas tenant. These restrictions are intended to allow attributes to be recycled and to prevent a single attribute from exhausting the per-object attribute value limit.
Attributes and attribute sets will adhere to a generic naming convention
Attribute sets will contain a single attribute
Only single-valued attributes are permitted
Naming Conventions
The following naming convention has been defined for Custom Security Attributes to ensure that attributes and attribute sets can be re-used:
The name of each attribute and associated attribute set will include the tenant name, followed by the static Csa identifier, followed by the data type and a sequential numeric identifier within the set of attributes that are of the same data type.
Ex. utexasCsaString1, utexasCsaInteger2, utexasCsaBoolean3
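The following Python script is an added example, not code from Microsoft or from the utexas tenant, that turns the Implementation restrictions and the naming convention above into checks an administrator could run before creating or assigning an attribute: it parses and generates names of the form <tenant>Csa<Type><N>, rejects assignment values that do not match the declared data type, flags the Microsoft tenant limits (500 attributes, 500 attribute sets, 50 values per object), and builds a definition body that enforces "one attribute per set" and "single-valued only". The inventory and the principal value counts are constructed sample data; the tenant prefix is assumed to be lowercase; and the property names in the definition body (attributeSet, name, type, isCollection, isSearchable, status, usePreDefinedValuesOnly, description) are assumed to match the Microsoft Graph customSecurityAttributeDefinition resource and should be verified against current Graph documentation before use.

```python
import re
from typing import Optional

# Tenant-wide limits quoted on the page (defined by Microsoft).
MAX_ATTRIBUTES_PER_TENANT = 500
MAX_ATTRIBUTE_SETS_PER_TENANT = 500
MAX_VALUES_PER_PRINCIPAL = 50

# Data types the page allows, mapped to the Python type an assignment value must carry.
DATA_TYPES = {"String": str, "Integer": int, "Boolean": bool}

# <tenant>Csa<Type><N>; the tenant prefix is assumed to be lowercase letters/digits.
NAME_PATTERN = re.compile(
    r"^(?P<tenant>[a-z0-9]+)Csa(?P<dtype>String|Integer|Boolean)(?P<seq>[1-9][0-9]*)$"
)


def parse_csa_name(name: str, tenant: str) -> Optional[tuple[str, int]]:
    """Return (data_type, sequence) if name follows the convention for this tenant, else None."""
    m = NAME_PATTERN.match(name)
    if m is None or m.group("tenant") != tenant:
        return None
    return m.group("dtype"), int(m.group("seq"))


def next_csa_name(existing: list[str], tenant: str, data_type: str) -> str:
    """Next sequential name for data_type; the counter runs per data type, as the convention says."""
    if data_type not in DATA_TYPES:
        raise ValueError(f"unsupported data type: {data_type}")
    used = []
    for n in existing:
        parsed = parse_csa_name(n, tenant)
        if parsed and parsed[0] == data_type:
            used.append(parsed[1])
    return f"{tenant}Csa{data_type}{max(used, default=0) + 1}"


def value_conforms(data_type: str, value) -> bool:
    """True if value matches the declared data type (bool is refused for Integer: bool subclasses int)."""
    expected = DATA_TYPES[data_type]
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def limit_violations(attribute_count: int, set_count: int, values_per_principal: dict[str, int]) -> list[str]:
    """Report every Microsoft tenant limit that the proposed state would exceed."""
    problems = []
    if attribute_count > MAX_ATTRIBUTES_PER_TENANT:
        problems.append(f"{attribute_count} attributes exceeds tenant limit {MAX_ATTRIBUTES_PER_TENANT}")
    if set_count > MAX_ATTRIBUTE_SETS_PER_TENANT:
        problems.append(f"{set_count} attribute sets exceeds tenant limit {MAX_ATTRIBUTE_SETS_PER_TENANT}")
    for principal, count in values_per_principal.items():
        if count > MAX_VALUES_PER_PRINCIPAL:
            problems.append(f"{principal}: {count} values exceeds per-object limit {MAX_VALUES_PER_PRINCIPAL}")
    return problems


def definition_payload(name: str, tenant: str, description: str) -> dict:
    """Definition body enforcing the utexas restrictions: the set is named after its single
    attribute, and isCollection is always False (single-valued only). Property names are
    assumed to match the Microsoft Graph customSecurityAttributeDefinition resource."""
    parsed = parse_csa_name(name, tenant)
    if parsed is None:
        raise ValueError(f"{name} does not follow the <tenant>Csa<Type><N> naming convention")
    data_type, _ = parsed
    return {
        "attributeSet": name,
        "name": name,
        "type": data_type,
        "isCollection": False,
        "isSearchable": True,
        "status": "Available",
        "usePreDefinedValuesOnly": False,
        "description": description,
    }


if __name__ == "__main__":
    # Constructed inventory: the three example names from the page.
    inventory = ["utexasCsaString1", "utexasCsaInteger2", "utexasCsaBoolean3"]
    print("next string attribute:", next_csa_name(inventory, "utexas", "String"))
    print("integer accepts True? ", value_conforms("Integer", True))
    # Constructed per-principal value counts; the second one breaches the 50-value limit.
    print(limit_violations(len(inventory), len(inventory), {"user-a": 3, "app-b": 51}))
    print(definition_payload("utexasCsaString1", "utexas", "Project code (constructed description)"))
```

Because each attribute set holds exactly one attribute with the same name, the permission on the set is effectively a per-attribute permission, which is what makes the set recyclable: the definition is never changed, only the assignment and the set's permission holders are.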
Attribute Map
The following page contains the details of the custom security attributes assignments: