By DavidLundell October 1, 2025
This article is the seventh in a series about Custom Attributes in Entra ID and will discuss the use cases of each of these approaches.
- Names and aliases
- Naming Conventions
- Resource Types
- Data Types
- Lifecycle
- Limitations
- Use Cases
- Decision Tree
Recall that we only have 15 Extension Attributes and there are two use cases for users that can only be done using them: Making custom data visible on the Profile Card and using Custom Data in membership rules for Exchange Online Dynamic Groups. We have no other way to do these things.
Only Extension Attributes can be added to the Profile Card and show up in “Teams, Outlook, or other Office apps and services.”
Extension Attributes are also the only way to use Custom Data in Conditional Access Filters for Devices.
Custom Security Attributes have three exclusive use cases:
- Azure ABAC
- Conditional Access Filter on Enterprise Applications
- Storing custom data in a way that you can allow a user or app to read and write some of the data but not all of it.
Custom Security Attributes can be used in conjunction with resource tags inside of Azure ABAC to do finer-grained access control. For example, you could grant read and/or write permissions to certain Azure resources, such as blobs that have an index tag that matches a custom security attribute on a user or Enterprise Application.
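The blob example above can be expressed as a role assignment condition. This is an added example, not code from the original article; the attribute set `Engineering`, the attribute `Project`, the blob index tag key `Project`, the choice of the Storage Blob Data Reader role and the bracketed placeholders are all assumptions made for illustration.

```powershell
# Added example (not from the original article).
# Requires the Az.Resources module and an authenticated session (Connect-AzAccount).

# Placeholders: replace with your own values.
$principalId = '<object-id-of-user-or-service-principal>'
$scope       = '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' +
               '/providers/Microsoft.Storage/storageAccounts/<storage-account>'

# ABAC condition (assumed names: attribute set "Engineering", attribute "Project",
# blob index tag key "Project").
#  - First clause: the condition only constrains blob reads; every other action the
#    role grants passes through unchanged.
#  - Second clause: a blob read is allowed only when the blob's "Project" index tag
#    equals the Engineering_Project custom security attribute on the principal.
$condition = @'
(
 (
  !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
 )
 OR
 (
  @Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Project] StringEquals @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>]
 )
)
'@

# Assign the role with the condition attached. Blobs without a matching tag are
# not readable through this assignment.
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $scope `
    -Condition $condition `
    -ConditionVersion '2.0'
```

With a condition like this, whoever can assign the custom security attribute or set blob index tags effectively decides who can read the data, so both of those permissions need to be scoped as tightly as the role assignment itself.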
A Conditional Access Filter on Enterprise Applications can be a great help in categorizing Enterprise Applications (Service Principals, which include Managed Identities) and then applying Conditional Access Policies in a systematic, category-based way. For example, one client has many Storage Account Enterprise Apps that they had excluded individually, creating a management headache.