Azure AD – You can now create custom security attributes (preview)

If you use a Microsoft Cloud service like Office 365 you already know that identity and authentication are managed by Azure Active Directory (Azure AD).

Azure AD is very similar to Active Directory meaning objects (users, groups or devices) have attributes you can managed using either the Azure AD portal and/or Azure AD PowerShell.

Well, you can now create your very own custom security attributes to help you extend user profiles, categorize applications or enforce fine-grained access control on Azure resources.

The below objects supports these new custom security attributes:

  • Azure AD users
  • Azure AD enterprise applications (service principals)
  • Managed identities for Azure resources

Before you start, you need to ensure you have set the minimum prerequisites:

  • Custom security attributes require to have at least Azure AD Premium P1
  • You need to have the Attribute definition administrator to create attribute sets – Global Administrator and Privileged Role Administrator roles do not have permission to add or read custom security attributes

Additional role may be required for reading or assigning the custom attributes:

  • Attribute assignment administrator to assign the attributes and values
  • Attribute assignment reader to read the attributes and values assigned to objects
  • Attribute definition reader to read the attribute definition

Don’t forget you can use group to assign the corresponding roles (see

To assign the corresponding role, connect to your Azure AD portal ( and access the Azure Active Directory\Roles and administrators blade to search for the attribute roles


Once you have assigned the Attribute definition administrator role, you have to sign out and sign in again before you will be able to create attribute definition

To create an attribute definition by accessing the Azure Active Directory\Custom security attributes blade

image  image

An attribute set can be defined by a maximum of 500 attributes

Once you have created your attribute set, you can edit it to define the custom attributes


An attribute can be any if the following type:

  • String
  • Boolean
  • Integer

It can be multi value and/or set based on a predefined list of values (only for string and integer types)


If you choose to use a predefined list of values you will have to first create the attribute and then edit it to define the list of values

image  image

Then you can assign the attribute set to a supported object in Azure AD by accessing the Custom security attributes blade on the corresponding object

image  image

Few limitations of the custom attributes:

  • Maximum number of active Attribute definitions per tenant: 500
  • Maximum number of Attribute sets per tenant: 500
  • Maximum Attribute set name length: 32 (Unicode characters and case insensitive)
  • Maximum Attribute set description length: 128 (Unicode characters)
  • Maximum Attribute name length: 32 (Unicode characters and case insensitive)
  • Maximum Attribute description length: 128 (Unicode characters)
  • Maximum Predefined values per attribute definition: 100 (Unicode characters and case insensitive)
  • Maximum Attribute value length: 64 (Unicode characters)
  • Maximum Attribute values assigned per object: 50
  • Characters not allowed for:
    • Attribute set name and Attribute name: <space> ` ~ ! @ # $ % ^ & * ( ) _ - + = { [ } ] \| \ : ; " ' < , > . ? /
    • Attribute values: # % & * + \ : " / < > ?
  • At this stage custom attribute and attribute set can not be deleted; they only be deactivated

Leave a Comment

Your email address will not be published. Required fields are marked *