Entra ID: Custom Security Attributes (CSA)

As we move from on-prem to Hybrid and even from Hybrid to full cloud, there is new ways to controll access to resources. In on-prem AD you had ExtensionAttributes that you could use with different values. When you move to full cloud, you need to switch to Custom Security Attributes (CSA). To use CSA, you need to create a CSA Set that contain CSA Attributes, you can create multiple Attributes. After you have created these Attributes, you need to give them values, and if you have hundreds or thousands of users, you need to apply the value with PowerShell and MS Graph. Here is a script for applying CSA values.

In this script I apply 2 values to an CSA Sett named "Personal" that contain a Attribute Name named "Role" and "EmployeeNumber"

# Ensure you're connected to Azure and Microsoft Graph
Connect-AzAccount
Connect-MgGraph

# Import the Microsoft Graph Users module
Import-Module Microsoft.Graph.Users

# Specify the path to your CSV file
$csvPath = "C:\temp\CSA_Users_Attribute_Value.csv"

# Import the CSV file
$users = Import-Csv -Path $csvPath

foreach ($user in $users) {
    try {
        $params = @{
            customSecurityAttributes = @{
                Personal = @{
                    "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
                    Role = $user.Role
				  EmployeeNumber = $user.EmployeeNumber
                }
            }
        }
        
        # Update each user with the custom security attributes
        Update-MgUser -UserId $user.UserPrincipalName -BodyParameter $params
        Write-Host "Updated custom security attributes for user: $($user.UserPrincipalName)"
    } catch {
        Write-Host "Failed to update user: $($user.UserPrincipalName). Error: $_"
    }
}

Here you can read more about Custom Security Attribute: https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview