CustomSecurityAttributes

Custom Attributes in Entra ID -- Decision Tree

This article is the eighth in a series about Custom Attributes in Entra ID and will step through the decision tree, which I hope will be the definitive guide to which way to store custom data in Entra ID.

  1. Names and aliases
  2. Naming Conventions
  3. Resource Types
  4. Data Types
  5. Lifecycle
  6. Limitations
  7. Use Cases
  8. Decision Tree

  1. Is this custom data intended for Enterprise Applications or Managed Identities (both of which are of the servicePrincipal resource type)?

If “Yes,” then you must use Custom Security Attributes: this is the only way to filter on Applications in Conditional Access Policies.

Continue reading

Custom Attributes in Entra ID -- Use Cases

This article is the seventh in a series about Custom Attributes in Entra ID and will discuss the use cases of each of these approaches. There are seven use cases that have only one solution: three exclusive use cases for Extension Attributes, three exclusive to Custom Security Attributes and one for Directory Extensions.

| Use Cases | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Visible on Profile Card | Y (Exclusive) | N | N | N | N |
| Exchange Dynamic Groups | Y (Exclusive) | N | N | N | N |
| Group Dynamic Membership Rule | Y | Y | N | N | N |
| Administrative Unit Dynamic Membership Rule | Y | Y | N | N | N |
| Inbound Cloud Provisioning | Y | Y | N | N | N |
| Cloud User App Provisioning | Y | Y | N | N | N |
| User App Provisioning Filtering | Y | Y | N | N | N |
| On-Premises Sync | Y | Y | N | N | N |
| Cross Tenant Sync | Y | Y | N | N | N |
| Customized Token Claims | Y | Y | N | N | N** |
| Entra ID DS | Y | Y | N | N | N |
| Graph Filterable | Y | Y | Y | N | Y |
| Azure B2C | Y | Y | N | N | N |
| External ID Custom User Attributes | N | Y (Exclusive) | N | N | N |
| Restricted Access/Sensitive Data | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Enterprise Applications | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Devices | Y (Exclusive) | N | N | N | N |
| Conditional Access Filter on Users and Groups (via Dynamic Group Membership) | Y | Y | N | N | N |
| UI to manage the customizations | N/A | N* | N | N | Y |
| Azure ABAC | N | N | N | N | Y (Exclusive) |
| Lifecycle Workflows: Scope Filter | Y | Y | N | N | Y |
| Lifecycle Workflows: Trigger Attributes | N | N | N | N | N |
| Access Package Assignment Policy | Y | Y | N | N | N |

My default answer: use a Directory Extension unless you can’t!

Custom Attributes in Entra ID -- Limitations

This article is the sixth in a series about Custom Attributes in Entra ID and will discuss the limitations of each of these approaches.

| Limitation | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Needs an App to own it | N | Y | Y | N, but an App must create it | N |
| Values Per Resource | 15 | 100 | 100 | 2 kb of data | 50 |
| Per App | N/A | | 5 definitions | 2 extensions | N/A |
| Per Tenant | 15 | Infinite | Infinite | Infinite | 500 |
| Schema can be shared | Built in to every tenant | If other tenants install your multi-tenant app | Discoverable globally | N | N |
| Can exist on Synced User | Y | Y | Y | Y | Y |
| Must Manage on Prem for Synced User | Y | N* | N | N | N |

*No, except for Directory extensions from the “Tenant Schema Extension App” used by Entra ID Connect Sync and Cloud Sync.

Continue reading

Custom Attributes in Entra ID -- Lifecycle

This article is the fifth in a series about Custom Attributes in Entra ID and will discuss the Lifecycle of each of these approaches.

| Lifecycle Question | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Has Lifecycle States? | No (always there) | No (there and not there) | Yes (InDevelopment, Available, Deprecated) | No (never there) | Yes (Active, Deactivated) |
| Can other apps in the same tenant discover the extension definitions? | Yes (same in every tenant) | Yes | Yes | No definitions to discover | Only with the Attribute Definition roles |
| Can other apps in the same tenant read the data (if the app has read permissions to the resource)? | Yes | Yes | Yes | Yes | Only with Attribute Assignment roles |
| Can other apps in the same tenant write the data (if the app has write permissions to the resource)? | Yes | Yes | Yes | Yes | Only with Attribute Assignment roles |
| Can definitions be shared with or discovered by other tenants? | They already are | If the app is multi-tenant and gets installed | Once the Schema Extension is in the Available state | No | No |
| Can the extension be deleted? | No | Yes | Only when in the InDevelopment state | N/A (there are no definitions) | No |
| Can it be deactivated or deprecated? | No | No | Yes (deprecated) | No | Yes (deactivated) |
| Deletion of owning App | | | | | |
| What happens to the definitions? | N/A | Deletes the Extension Definition | Not deleted, but no longer updateable | Deleting the creator app has no impact | N/A |
| What happens to the definitions in other tenants? | N/A | Nothing – other tenants could not update the definitions anyhow | Nothing – other tenants could not update the definitions anyhow | N/A | N/A |
| What happens to the data? | N/A | Makes it undiscoverable | All properties and values are still discoverable | Deleting the creator app has no impact | N/A |
| What happens to the data in other tenants? | N/A | None | None | N/A | N/A |
| Can the extension be deleted? | N/A | Yes | Only when in the InDevelopment state | N/A (there are no definitions) | No |
| What happens to the definitions? | N/A | Deletes the Extension Definition | Definition deleted and undiscoverable | N/A | N/A |
| What happens to the definitions in other tenants? | N/A | Nothing – other tenants could not update the definitions anyhow | N/A (can’t delete when shared) | N/A | N/A |
| What happens to the data? | N/A | Makes it undiscoverable | Makes it undiscoverable | N/A | N/A |
| What happens to the data in other tenants? | N/A | Nothing | N/A (can’t delete when shared) | N/A | N/A |
| Can the extension be deactivated or deprecated? | No | No | Yes (deprecated); the extension can no longer be read or modified | No | Yes (deactivated); it can no longer be applied |
| Effect on other tenants? | N/A | N/A | The extension can no longer be read or modified | N/A | N/A |
| What happens to the data when the extension is deprecated or deactivated? | N/A | N/A | Can read, update and delete existing property values | N/A | Data is preserved; it can no longer be applied to resources |
| Effect on other tenants? | N/A | N/A | Can read, update and delete existing property values | N/A | N/A |
| Does data in undiscoverable/deactivated extensions count against limits? | N/A | Yes | Probably | N/A | Yes |

Continue reading

Custom Attributes in Entra ID -- Data Types

This article is the fourth in a series about Custom Attributes in Entra ID and will discuss the Data Types that each of these approaches can use.

| Data Types | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| String | Y | 256 characters | Y | Y | 64 characters |
| Binary | N | Y | Y | N | N |
| Boolean | N | Y | Y | N | Y |
| DateTime | N | Y | Y | N | N |
| Integer | N | Y | Y | N | Y |
| LargeInteger | N | Y | N | N | N |
| Multi-valued Attributes | N | Y | N | Y | Y |
| Strongly Typed | N | Y | Y | N | Y |

Going beyond single-valued strings

Continue reading

Custom Attributes in Entra ID -- Resource Types

This article is the third in a series about Custom Attributes in Entra ID and will discuss the Resource Types that each of these approaches can use.

| Resource Types | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| servicePrincipal | N | N | N | N | Y |
| user | Y | Y | Y | Y | Y |
| device | Y | Y | Y | Y | N |
| group | N | Y | Y | Y | N |
| administrative unit | N | Y | Y | N | N |
| application | N | Y | N | N | N |
| organization | N | Y | Y | Y | N |
| contact | N | N | Y | Y | N |
| event | N | N | Y | Y | N |
| message | N | N | Y | Y | N |
| post | N | N | Y | Y | N |
| todoTask | N | N | N | Y | N |
| todoTaskList | N | N | N | Y | N |

Right away it should be noted that contact resources are personal contacts, not the organization contacts (orgContact) that are maintained by the org’s admins. Contact resources are Outlook items (or resources), not directory resources; orgContact is a directory resource type. You can tell because the doc says, “Inherits from directoryObject.” In other words, contacts are visible to a particular user and not to the organization, whereas orgContact resources are visible to the entire organization through the Global Address List.

Continue reading

Custom Attributes in Entra ID -- Naming Conventions

This article is the second in a series about Custom Attributes in Entra ID and will discuss the Naming Conventions so that you can recognize them when you see them in the wild and understand how uniqueness is enforced and guaranteed.

| Names | Name or ID | Example | Notes |
|---|---|---|---|
| Extension attributes | extensionAttribute1 .. extensionAttribute15 | extensionAttribute15 | The names are already pre-determined |
| Directory Extensions | extension_{ApplicationId}_attributeName | extension_4b2af6e7f3ac4f598e35c364e0126c6d_MgrLvl | The Application ID or Client ID (not the object ID of the Application) |
| Schema Extensions | verifiedVanityDomain_extensionID OR ext{8-random-alphanumeric-chars}_{schema-name} | snappyslackers_coordinates OR extwmo14pts_coordinates | You can choose between using the verified vanity domain name or allowing Entra ID to generate a random prefix for you |
| Open Extensions | ReverseFQDN.extensionName | com.snappyslackers.coordinates | It looks like this is an unenforced convention |
| Custom Security Attributes | AttributeSetName_AttributeName | HR_MgrLvl | Both the AttributeSetName and the AttributeName can be up to 32 Unicode characters with neither spaces nor special characters. AttributeName must be unique within its attribute set, which in turn must be unique within the tenant. |
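As an added example (not code from the original post), a small Python classifier that applies the naming conventions in the table above to tell the five kinds apart from a bare property name, recovers the owning Application ID from a Directory Extension name, and checks a Custom Security Attribute name against the 32-character/no-specials rule. It assumes the Application ID is 32 hex characters with the dashes stripped, that schema and attribute names are alphanumeric, and that custom security attributes are read from the customSecurityAttributes property rather than as top-level names.

```python
import re

# Patterns written from the naming conventions in the table above (assumptions:
# a Directory Extension app id is 32 hex chars; schema/attribute names are alphanumeric).
_EXTENSION_ATTR = re.compile(r"^extensionAttribute([1-9]|1[0-5])$")
_DIRECTORY_EXT = re.compile(r"^extension_([0-9a-fA-F]{32})_([A-Za-z0-9]+)$")
_SCHEMA_EXT_RANDOM = re.compile(r"^ext[0-9a-z]{8}_([A-Za-z0-9]+)$")
_SCHEMA_EXT_DOMAIN = re.compile(r"^([A-Za-z0-9]+)_([A-Za-z0-9]+)$")
_OPEN_EXT = re.compile(r"^(?:[a-z0-9-]+\.){2,}[A-Za-z0-9_-]+$")


def to_guid(hex32: str) -> str:
    """Re-insert the dashes stripped from the Application ID in a Directory Extension name."""
    h = hex32.lower()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def is_valid_custom_security_attribute_name(name: str) -> bool:
    """AttributeSet_AttributeName: each part 1-32 Unicode alphanumerics, no spaces or specials."""
    parts = name.split("_")
    return len(parts) == 2 and all(1 <= len(p) <= 32 and p.isalnum() for p in parts)


def classify_attribute_name(name: str, in_custom_security_attributes: bool = False) -> dict:
    """Map a Graph property name to the custom-attribute kind its naming convention implies.

    in_custom_security_attributes says the name was read under the customSecurityAttributes
    property (assumed here to be the only place a custom security attribute surfaces).
    """
    if in_custom_security_attributes:
        return {"kind": "customSecurityAttribute",
                "valid": is_valid_custom_security_attribute_name(name)}
    if m := _EXTENSION_ATTR.match(name):
        return {"kind": "extensionAttribute", "index": int(m.group(1))}
    if m := _DIRECTORY_EXT.match(name):
        return {"kind": "directoryExtension", "appId": to_guid(m.group(1)), "attribute": m.group(2)}
    if m := _SCHEMA_EXT_RANDOM.match(name):
        return {"kind": "schemaExtension", "prefix": "generated", "attribute": m.group(1)}
    if _OPEN_EXT.match(name):
        return {"kind": "openExtension", "note": "reverse-FQDN form is a convention, not enforced"}
    if m := _SCHEMA_EXT_DOMAIN.match(name):
        # A vanity-domain schema extension and a bare AttributeSet_AttributeName look the same;
        # without the customSecurityAttributes context, report it as a schema extension but flag it.
        return {"kind": "schemaExtension", "prefix": m.group(1), "attribute": m.group(2),
                "ambiguous_with": "customSecurityAttribute"}
    return {"kind": "unknown"}
```

The ambiguity flag is the practical takeaway: a name like HR_MgrLvl seen outside customSecurityAttributes cannot be trusted to be a security attribute, so access decisions should key on where the value was read, not on its spelling.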

Extension Attributes

You do not get to choose the names of the Extension Attributes as they are predetermined and fixed.

Continue reading

Custom Attributes in Entra ID

Microsoft has had a lot of chefs in the Entra ID kitchen baking up solutions to different problems and now we have an array of confusing choices about where to put your data.

This is the first of a series of posts to help you choose the correct one for you and your needs.

While Microsoft’s official documentation provides a fairly handy comparison table, it completely leaves out Custom Security Attributes. Overall, I find that there are some gaps and a couple of contradictions, but not a definitive guide to help you know when to use which extension.

Continue reading