Custom Security Attributes and Bulk Operations
Custom Security Attributes and Bulk Operations are two important concepts within Microsoft Identity and Access Administration that streamline user identity management in Azure Active Directory (Azure AD).

**Custom Security Attributes:** Custom security attributes are business-specific attributes (key-value pairs) that can be assigned to Azure AD objects, including users, service principals, and applications. These attributes allow organizations to define and assign custom metadata beyond the standard directory attributes. Key features include:
- **Attribute Sets:** Attributes are organized into attribute sets, which act as containers for grouping related attributes.
- **Flexibility:** They support multiple data types such as strings, integers, and booleans, and can be single-valued or multi-valued.
- **Access Control:** Custom security attributes are governed by separate permissions: only users holding specific roles (such as Attribute Assignment Administrator or Attribute Definition Administrator) can read, define, or assign them.
- **Use Cases:** Organizations use them to mark users with project codes, classification levels, compliance tags, or regional designations. They can also be used in Azure RBAC conditions for fine-grained access control.
- **Security:** These attributes are restricted and not visible through standard user profile queries, which protects data confidentiality.

**Bulk Operations:** Bulk operations in Azure AD enable administrators to perform large-scale identity management tasks efficiently through the Azure portal or PowerShell. Key operations include:
- **Bulk Create:** Create multiple user accounts simultaneously by uploading a CSV template with user details.
- **Bulk Invite:** Send batch invitations to external guest users.
- **Bulk Delete:** Remove multiple user accounts at once.
- **Bulk Download:** Export user lists for auditing or management purposes.

Administrators typically download a CSV template from the Azure portal, populate it with user data, and upload it for processing. The operation status can be monitored on the Bulk Operation Results page. These operations significantly reduce administrative overhead when managing large numbers of users, ensuring efficiency and consistency across identity lifecycle management tasks.
Custom Security Attributes and Bulk Operations in Microsoft Entra ID (SC-300)
Why Are Custom Security Attributes and Bulk Operations Important?
In enterprise environments, organizations often need to classify and manage users, service principals, and applications based on business-specific criteria that go beyond standard directory attributes. Custom security attributes in Microsoft Entra ID (formerly Azure AD) allow organizations to define their own business-specific attributes and assign them to directory objects. When combined with bulk operations, administrators can efficiently manage these attributes at scale across thousands of objects, saving significant time and reducing human error.
For the SC-300 exam, understanding custom security attributes and bulk operations is critical because they represent a key part of identity governance, access control, and operational efficiency — all core themes of the Identity and Access Administrator role.
What Are Custom Security Attributes?
Custom security attributes are business-specific attributes (key-value pairs) that you can define and assign to Microsoft Entra objects such as:
- Users
- Service principals (enterprise applications)
- Managed identities
Key characteristics of custom security attributes include:
• Attribute Sets: Custom security attributes are organized into attribute sets. An attribute set is a logical grouping of related attributes. For example, you might create an attribute set called ProjectManagement or HRData. A tenant can have up to 500 attribute sets, and each attribute set can contain up to 500 attribute definitions.
• Attribute Definitions: Each custom security attribute has a definition that includes its name, description, data type (String, Integer, or Boolean), and whether it allows single or multiple values. You can also define predefined values that restrict what can be assigned.
• Security and Access Control: Custom security attributes are inherently secure. They are not visible to regular users by default. Only users with the Attribute Assignment Reader, Attribute Assignment Administrator, Attribute Definition Reader, or Attribute Definition Administrator roles can read or manage them. Even Global Administrators cannot read custom security attributes by default unless they are explicitly assigned one of these roles.
• Use in Conditional Access and Access Reviews: Custom security attributes can be used as conditions in Azure attribute-based access control (Azure ABAC) for Azure role assignments and can be leveraged for dynamic membership rules and filtering in certain scenarios.
How Do Custom Security Attributes Work?
The workflow for implementing custom security attributes follows these steps:
Step 1: Create an Attribute Set
Navigate to Microsoft Entra admin center → Protection → Custom security attributes. Create a new attribute set by providing a name (which cannot be changed after creation), a description, and a maximum number of attributes.
Step 2: Define Custom Security Attributes
Within the attribute set, define individual attributes. Specify the attribute name, data type (String, Integer, Boolean), whether it allows multiple values, whether predefined values are required, and optionally add predefined values. For example, you might create an attribute called ClearanceLevel of type String with predefined values of Confidential, Secret, and TopSecret.
Step 3: Assign Attributes to Objects
Assign custom security attribute values to users, service principals, or managed identities. This can be done through the Microsoft Entra admin center, Microsoft Graph API, or PowerShell.
Step 4: Use Attributes for Governance and Access Decisions
Once assigned, these attributes can be used to filter users, make access control decisions, or support compliance and audit requirements.
What Are Bulk Operations?
Bulk operations allow administrators to perform actions on multiple directory objects simultaneously rather than one at a time. In the context of custom security attributes, bulk operations are essential for:
• Bulk assigning custom security attribute values to many users or service principals at once
• Bulk updating existing attribute values across multiple objects
• Bulk removing attribute values from multiple objects
How Bulk Operations Work with Custom Security Attributes:
1. CSV File Upload (Microsoft Entra Admin Center): For user management, the Entra admin center supports bulk create, bulk invite, bulk delete, and bulk download via CSV files. While direct bulk assignment of custom security attributes via CSV in the portal has limitations, you can use the downloaded user list to identify targets for bulk attribute operations.
2. Microsoft Graph API: The most flexible approach is using the Microsoft Graph API with batch requests. You can use the $batch endpoint to send up to 20 requests in a single HTTP call. This is ideal for programmatically assigning or updating custom security attributes for many objects. The Graph API endpoint for custom security attributes on a user is: PATCH https://graph.microsoft.com/v1.0/users/{id} with the customSecurityAttributes property in the request body.
3. PowerShell (Microsoft Graph PowerShell SDK): Using the Update-MgUser cmdlet with the -CustomSecurityAttributes parameter, administrators can script bulk operations. A typical approach involves:
- Importing a list of users from a CSV file
- Looping through each user
- Assigning or updating custom security attribute values using the Update-MgUser cmdlet
4. Azure Logic Apps or Power Automate: For recurring bulk operations, you can build automated workflows that trigger on a schedule or event and use the Microsoft Graph connector to update custom security attributes in bulk.
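The Graph $batch approach from items 2 and 3 above, as an added example that is not Microsoft's code or the page's own: it reads a constructed CSV export, rejects values that are not in the predefined list before anything is sent, builds one PATCH per user with the required @odata.type annotations, and chunks the requests into $batch bodies of at most 20. The attribute set name ProjectManagement, the Projects attribute and the object IDs are assumptions.

```python
# Added example (not Microsoft's code): build Microsoft Graph $batch payloads
# that bulk-assign custom security attributes to users listed in a CSV export.
# Assumed attribute set: ProjectManagement, with ClearanceLevel (String,
# predefined values only) and Projects (multi-valued String, assumed name).
import csv
import io

ATTRIBUTE_SET = "ProjectManagement"
ALLOWED_CLEARANCE = {"Confidential", "Secret", "TopSecret"}  # predefined values
BATCH_LIMIT = 20  # Graph $batch accepts at most 20 requests per call
VALUE_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"

# Constructed sample export; the object IDs are placeholders, not real users.
SAMPLE_CSV = """id,ClearanceLevel,Projects
00000000-0000-0000-0000-000000000001,Secret,Alpha;Beta
00000000-0000-0000-0000-000000000002,Confidential,
00000000-0000-0000-0000-000000000003,Ultra,Gamma
"""


def build_patch_body(clearance, projects):
    """PATCH body for one user. Multi-valued (and non-string) attributes need
    an @odata.type annotation next to the value or Graph rejects the request."""
    if clearance not in ALLOWED_CLEARANCE:
        raise ValueError(f"ClearanceLevel {clearance!r} is not a predefined value")
    values = {"@odata.type": VALUE_TYPE, "ClearanceLevel": clearance}
    if projects:
        values["Projects@odata.type"] = "#Collection(String)"
        values["Projects"] = projects
    return {"customSecurityAttributes": {ATTRIBUTE_SET: values}}


def build_batches(csv_text):
    """Validate every row, then chunk PATCHes into bodies for POST /v1.0/$batch.
    Returns (batches, rejected); rejected rows are reported, never sent."""
    requests, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        projects = [p for p in row["Projects"].split(";") if p]
        try:
            body = build_patch_body(row["ClearanceLevel"], projects)
        except ValueError as err:
            rejected.append((row["id"], str(err)))
            continue
        requests.append({"id": str(len(requests) + 1), "method": "PATCH",
                         "url": f"/users/{row['id']}",
                         "headers": {"Content-Type": "application/json"},
                         "body": body})
    batches = [{"requests": requests[i:i + BATCH_LIMIT]}
               for i in range(0, len(requests), BATCH_LIMIT)]
    return batches, rejected
```

Each returned batch is the JSON body of one POST to https://graph.microsoft.com/v1.0/$batch, sent with a token that carries the Attribute Assignment Administrator role.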
Required Roles for Custom Security Attributes:
Understanding role requirements is crucial for the exam:
• Attribute Definition Administrator: Can define and manage custom security attribute definitions and attribute sets. Cannot assign attributes to objects.
• Attribute Definition Reader: Can read custom security attribute definitions and attribute sets.
• Attribute Assignment Administrator: Can assign custom security attribute values to objects (users, service principals). Can also read attribute definitions.
• Attribute Assignment Reader: Can read custom security attribute values assigned to objects.
• Attribute Log Administrator: Can read audit logs for custom security attributes.
• Attribute Log Reader: Can read audit logs for custom security attributes.
Important: Global Administrator does NOT automatically have access to custom security attributes. This is a deliberate security design to ensure separation of duties.
Key Constraints and Limitations to Remember:
• Attribute set names and attribute names cannot be renamed or deleted after creation (they can only be deactivated).
• A tenant supports up to 500 attribute sets with up to 500 attribute definitions each.
• Custom security attributes are NOT included in standard user profile responses — they require specific permissions and explicit API queries.
• Custom security attributes are stored in Microsoft Entra ID and are separate from extension attributes in Exchange or on-premises AD.
• Predefined values can be enforced to restrict what values can be assigned to an attribute.
Exam Tips: Answering Questions on Custom Security Attributes and Bulk Operations
1. Focus on Role Assignments: The SC-300 exam frequently tests whether you understand which role is needed for which action. Remember: Definition roles manage the schema (creating attribute sets and definitions), while Assignment roles manage the values on objects. Global Admin alone is NOT sufficient.
2. Know the Immutability Rules: Attribute sets and attribute definitions cannot be deleted or renamed — only deactivated. If a question asks about modifying an attribute set name, the correct answer is that it cannot be done; a new one must be created.
3. Understand the Separation from Global Admin: This is a commonly tested concept. If a scenario describes a Global Administrator who cannot see custom security attribute values, the answer involves assigning the Attribute Assignment Reader or Attribute Assignment Administrator role.
4. Bulk Operations Method Selection: When a question asks about the most efficient or recommended way to assign custom security attributes to hundreds or thousands of users, look for answers involving Microsoft Graph API (especially with batch requests) or PowerShell scripts. The Entra admin center UI is suitable for individual assignments but not for bulk attribute operations.
5. CSV vs. API for Bulk Operations: Remember that the built-in CSV bulk operations in the Entra portal are primarily for user lifecycle management (create, invite, delete). For bulk custom security attribute assignment, PowerShell or Graph API is the correct approach.
6. Data Types Matter: If a question specifies that an attribute must store multiple values (e.g., a user belongs to multiple projects), ensure the attribute is defined with Allow multiple values set to Yes. This setting cannot be changed after creation.
7. Predefined vs. Freeform Values: If a scenario requires restricting attribute values to a specific list (e.g., departments or clearance levels), the answer involves creating predefined values and setting Only allow predefined values to Yes.
8. Audit and Compliance: Custom security attribute changes are logged in the Microsoft Entra audit logs. The Attribute Log Reader and Attribute Log Administrator roles control access to these specific logs. Questions about tracking who changed an attribute value will point to audit logs and these roles.
9. Scenario-Based Questions: Look for scenarios where the organization needs to classify users by business-specific criteria (cost center, project assignment, security clearance, compliance classification). The answer is almost always custom security attributes rather than extension attributes or directory extensions, especially when the requirement mentions security, restricted visibility, or ABAC.
10. Integration with Azure ABAC: If a question involves controlling access to Azure resources (like storage blobs) based on user attributes, custom security attributes can be used as part of Azure attribute-based access control (ABAC) conditions in role assignment conditions. This is distinct from Conditional Access policies.
11. Watch for Trick Questions: Questions may try to confuse custom security attributes with extension attributes (from application extensions or directory extensions), on-premises AD custom attributes synced via Entra Connect, or claims in token configurations. These are all different concepts. Custom security attributes are unique to Microsoft Entra ID and have their own dedicated RBAC model.
12. Practice the Workflow: Remember the order: Create Attribute Set → Define Attributes → Assign Roles → Assign Values to Objects. If any step is missing in a scenario, that is likely the answer to the question about what went wrong.