DavidLundell

Custom Attributes in Entra ID -- Decision Tree

This article is the eighth in a series about Custom Attributes in Entra ID and will step through the decision tree, which I hope will be the definitive guide to choosing where to store custom data in Entra ID.

Series: Names and aliases | Naming Conventions | Resource Types | Data Types | Lifecycle | Limitations | Use Cases | Decision Tree

Continue reading

Custom Attributes in Entra ID -- Use Cases

This article is the seventh in a series about Custom Attributes in Entra ID and will discuss the use cases of each of these approaches.

| Use Case | Extension Attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Visible on Profile Card | Y (Exclusive) | N | N | N | N |
| Exchange Dynamic Groups | Y (Exclusive) | N | N | N | N |
| Group Dynamic Membership Rule | Y | Y | N | N | N |
| Administrative Unit Dynamic Membership Rule | Y | Y | N | N | N |
| Inbound Cloud Provisioning | Y | Y | N | N | N |
| Cloud User App Provisioning | Y | Y | N | N | N |
| User App Provisioning Filtering | Y | Y | N | N | N |
| On Premise Sync | Y | Y | N | N | N |
| Cross Tenant Sync | Y | Y | N | N | N |
| Customized Token Claims | Y | Y | N | N | N** |
| Entra ID DS | Y | Y | N | N | N |
| Graph Filterable | Y | Y | Y | N | Y |
| Azure B2C | Y | Y | N | N | N |
| External ID Custom User Attributes | N | Y (Exclusive) | N | N | N |
| Restricted Access/Sensitive Data | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Enterprise Applications | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Devices | Y (Exclusive) | N | N | N | N |
| Conditional Access Filter on Users and Groups (via Dynamic Group Membership) | Y | Y | N | N | N |
| UI to manage the customizations | N/A | N* | N | N | Y |
| Azure ABAC | N | N | N | N | Y (Exclusive) |
| Lifecycle Workflows: Scope Filter | Y | Y | N | N | Y |
| Lifecycle Workflows: Trigger Attributes | N | N | N | N | N |
| Access Package Assignment Policy | Y | Y | N | N | N |

My default answer: use a Directory Extension unless you can’t!

Continue reading

Custom Attributes in Entra ID -- Limitations

This article is the sixth in a series about Custom Attributes in Entra ID and will discuss the limitations of each of these approaches.

| Limitation | Extension Attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Needs an App to own it | N | Y | Y | N, but an App must create it | N |
| Values Per Resource | 15 | 100 | 100 | 2 KB of data | 50 |
| Per App | N/A | | 5 definitions | 2 extensions | N/A |
| Per Tenant | 15 | Infinite | Infinite | Infinite | 500 |
| Schema can be shared | Built in to every tenant | If other tenants install your multi-tenant app | Discoverable globally | N | N |
| Can exist on Synced User | Y | Y | Y | Y | Y |
| Must Manage on Prem for Synced User | Y | N* | N | N | N |

*No, except for Directory Extensions from the “Tenant Schema Extension App” used by Entra ID Connect Sync and Cloud Sync.

Continue reading

Custom Attributes in Entra ID -- Lifecycle

This article is the fifth in a series about Custom Attributes in Entra ID and will discuss the lifecycle of each of these approaches. The comparison table (Lifecycle Question | Extension Attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes) opens with the question: Has Lifecycle States?

Continue reading

Custom Attributes in Entra ID -- Data Types

This article is the fourth in a series about Custom Attributes in Entra ID and will discuss the data types that each of these approaches can use.

| Data Type | Extension Attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| String | Y | 256 characters | Y | Y | 64 characters |
| Binary | N | Y | Y | N | N |
| Boolean | N | Y | Y | N | Y |
| DateTime | N | Y | Y | N | N |
| Integer | N | Y | Y | N | Y |
| LargeInteger | N | Y | N | N | N |
| Multi-valued Attributes | N | Y | N | Y | Y |
| Strongly Typed | N | Y | Y | N | Y |

If you need to go beyond single-valued string data, then Extension Attributes are out.

Continue reading

Custom Attributes in Entra ID -- Resource Types

This article is the third in a series about Custom Attributes in Entra ID and will discuss the resource types that each of these approaches can be used on.

| Resource Type | Extension Attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| servicePrincipal | N | N | N | N | Y |
| user | Y | Y | Y | Y | Y |
| device | Y | Y | Y | Y | N |
| group | N | Y | Y | Y | N |
| administrative unit | N | Y | Y | N | N |
| application | N | Y | N | N | N |
| organization | N | Y | Y | Y | N |
| contact | N | N | Y | Y | N |
| event | N | N | Y | Y | N |
| message | N | N | Y | Y | N |
| post | N | N | Y | Y | N |
| todoTask | N | N | N | Y | N |
| todoTaskList | N | N | N | Y | N |

The most startling thing this table reveals is that the only way to extend Service Principals (aka Enterprise Applications – this also includes Managed Identities) is with Custom Security Attributes.

Continue reading

Custom Attributes in Entra ID -- Naming Conventions

This article is the second in a series about Custom Attributes in Entra ID and will discuss the naming conventions, so that you can recognize them when you see them in the wild and understand how uniqueness is enforced and guaranteed. The names table (Name or ID | Example | Notes) starts with Extension attributes, for example extensionAttribute1.

Continue reading

Custom Attributes in Entra ID

Microsoft has had a lot of chefs in the Entra ID kitchen baking up solutions to different problems, and now we have an array of confusing choices about where to put your data. This is the first of a series of posts to help you choose the correct one for you and your needs. While Microsoft’s official documentation provides a fairly handy comparison table, it completely leaves out Custom Security Attributes.

Continue reading

How to import the Domain attribute into the FIM Portal Part 2

In Part 1 of How to import the Domain attribute into the FIM Portal I provided you the simple technique for the single-domain forest, and the technique that works although it is a bit unwieldy – that of looking at the first 41 characters of the object’s SID and using a lookup table through nested IIF statements, and this doesn’t . What if there was a simpler way? What about using the Domain Component option in the attribute flow?

Continue reading