As we move from on-prem to hybrid, and from hybrid to full cloud, there are new ways to control access to resources. In on-prem AD you had ExtensionAttributes that you could use with different values. When you move to full cloud, you need to switch to Custom Security Attributes (CSA). To use CSA, you create a CSA set that contains CSA attributes; a set can hold multiple attributes. After you have created these attributes, you need to give them values, and if you have hundreds or thousands of users, you need to apply the values with PowerShell and MS Graph. Here is a script for applying CSA values.
In this script I apply two values to a CSA set named "Personal" that contains the attributes "Role" and "EmployeeNumber". The CSV file needs the columns UserPrincipalName, Role and EmployeeNumber.
# Ensure you're connected to Azure and Microsoft Graph.
# The signed-in account needs the Attribute Assignment Administrator role;
# Global Administrator does not include CSA permissions by default.
Connect-AzAccount
Connect-MgGraph -Scopes "CustomSecAttributeAssignment.ReadWrite.All", "User.Read.All"

# Import the Microsoft Graph Users module
Import-Module Microsoft.Graph.Users

# Specify the path to your CSV file
$csvPath = "C:\temp\CSA_Users_Attribute_Value.csv"

# Import the CSV file
$users = Import-Csv -Path $csvPath

foreach ($user in $users) {
    try {
        # Attribute set "Personal" with the attributes "Role" and "EmployeeNumber"
        $params = @{
            customSecurityAttributes = @{
                Personal = @{
                    "@odata.type"  = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
                    Role           = $user.Role
                    EmployeeNumber = $user.EmployeeNumber
                }
            }
        }

        # Update each user with the custom security attributes.
        # -ErrorAction Stop makes a failed update land in the catch block.
        Update-MgUser -UserId $user.UserPrincipalName -BodyParameter $params -ErrorAction Stop
        Write-Host "Updated custom security attributes for user: $($user.UserPrincipalName)"
    } catch {
        Write-Warning "Failed to update user: $($user.UserPrincipalName). Error: $_"
    }
}
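CSA values usually feed access decisions, so a blank, duplicated or mistyped row in the CSV ends up as a wrong attribute on a real account. The following pre-flight check is an added example, not part of the original script: the function name Get-CsaCsvIssue and the sample rows are constructed for illustration, and the 64-character limit is the value length Microsoft documents for CSA strings.

```powershell
# Added example: validate the CSV rows before any Graph write happens.
# Column names match the script above; Get-CsaCsvIssue is a hypothetical helper.
function Get-CsaCsvIssue {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $RequiredColumns = @('UserPrincipalName', 'Role', 'EmployeeNumber'),
        [int] $MaxValueLength = 64   # documented length limit for a CSA string value
    )
    $seen = @{}
    $line = 1   # the header is line 1 of the file
    foreach ($row in $Rows) {
        $line++
        $problems = @()
        foreach ($col in $RequiredColumns) {
            $prop = $row.PSObject.Properties[$col]
            if ($null -eq $prop) { $problems += "missing column '$col'"; continue }
            $value = [string]$prop.Value
            if ([string]::IsNullOrWhiteSpace($value)) { $problems += "empty $col" }
            elseif ($value -ne $value.Trim()) { $problems += "leading/trailing whitespace in $col" }
            elseif ($col -ne 'UserPrincipalName' -and $value.Length -gt $MaxValueLength) {
                $problems += "$col longer than $MaxValueLength characters"
            }
        }
        # Track UPNs case-insensitively so the same user is not written twice
        $upn = ([string]$row.UserPrincipalName).Trim().ToLowerInvariant()
        if ($upn) {
            if ($upn -notmatch '^[^@\s]+@[^@\s]+$') { $problems += 'UserPrincipalName is not in user@domain form' }
            if ($seen.ContainsKey($upn)) { $problems += "duplicate of line $($seen[$upn])" }
            else { $seen[$upn] = $line }
        }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{ Line = $line; UserPrincipalName = $row.UserPrincipalName; Issues = $problems -join '; ' }
        }
    }
}

# Constructed sample data (not real accounts)
$sample = @'
UserPrincipalName,Role,EmployeeNumber
alice@contoso.example,Engineer,1001
bob@contoso.example,,1002
alice@contoso.example,Manager,1003
carol.contoso.example,Analyst,1004
'@ | ConvertFrom-Csv

$issues = @(Get-CsaCsvIssue -Rows $sample)
$issues | Format-Table -AutoSize
if ($issues.Count -gt 0) { Write-Warning "Fix $($issues.Count) row(s) before running the update loop." }
```

To use it with the real file, pass the output of Import-Csv as -Rows and only start the update loop when no issues are returned.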
Here you can read more about Custom Security Attributes: https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview