Forgotten Features Series, Part 3: The Metadata Revolution You’re Missing – Custom Security Attributes

As a Managed Service Provider (MSP), you manage dozens or hundreds of customers across multiple tenants, each with different service tiers, billing models, and compliance requirements. Critical customer context lives in your PSA tool, CRM, or billing system – completely disconnected from Microsoft Entra ID. You know which customers have Premium SLA, which require GDPR data residency, or which applications belong to specific clients, but your access control and automation can’t see any of it. This guide reveals how Custom Security Attributes turn MSP business logic into enforceable technical policies.

What are Custom Security Attributes?

Custom Security Attributes are business-specific key-value pairs that you define and assign to Microsoft Entra objects (users and service principals). For MSPs, they bridge the gap between your business systems and Microsoft Entra ID by capturing customer context: which customer a user belongs to, service tier, billing model, data residency requirements, and technical contacts.

Key MSP capabilities:

  • Customer Tagging: Tag users and applications with customer names, service tiers, billing codes, and technical contacts
  • Multiple Data Types: Boolean (“Premium SLA”), Integer (“MaxUsers”), String (“CustomerName”, “DataRegion”)
  • Predefined Values: Restrict to approved customers, service tiers (“Basic”, “Standard”, “Premium”), or data regions (“EU-West”, “NL-Central”)
  • Restricted Access: Protect sensitive customer data – attribute values are hidden from everyone except holders of the Attribute Assignment Reader or Attribute Assignment Administrator roles (Global Administrator included, unless it first assigns itself one of those roles)
  • Microsoft Graph Filtering: Generate customer reports, billing data, and service catalogs via API queries

More information can be found here:
What are custom security attributes in Microsoft Entra ID?

Requirements

  • Licensing: Free – included with all Microsoft Entra ID subscriptions
  • Admin Roles:
    • Attribute Definition Administrator to create attribute definitions
    • Attribute Assignment Administrator to assign attributes to objects

NOTE: Global Administrator does NOT have these permissions by default. It can assign the two attribute roles to itself or others, so treat them as privileged roles (PIM-eligible, assignments audited) rather than as harmless helpdesk roles.

Configuration

This section will guide you through creating custom security attributes and assigning them to users. We’ll use a real-world MSP scenario: tagging customer users and applications to enable customer-based access control and automated billing reports.

Step 1: Create an Attribute Set

Attribute sets are logical containers for related attributes. All custom security attributes must belong to an attribute set.

  1. Sign in to the Microsoft Entra admin center as Attribute Definition Administrator.
  2. Navigate to Identity > Custom security attributes.
  3. Click Add attribute set.
  4. Fill in the required fields:
    • Name: CustomerData (32 characters max, no spaces or special characters; an attribute set cannot be renamed or deleted later)
    • Description: Customer identification and service tier attributes for MSP clients
    • Maximum number of attributes: 25 (optional cap for this set)
  5. Click Add.

Step 2: Define Custom Security Attributes

Now we’ll create the actual attributes within the attribute set.

  1. In the Custom security attributes page, select the CustomerData attribute set.
  2. Click Add attribute to create the first attribute:
    • Attribute name: CustomerName
    • Description: Customer organization name
    • Data type: String
    • Allow multiple values: No
    • Only allow predefined values: Yes
    • Predefined values: Microsoft, Salesforce, Adobe, Cisco
  3. Click Add attribute again to create a second attribute:
    • Attribute name: ServiceTier
    • Description: Customer service level agreement tier
    • Data type: String
    • Allow multiple values: No
    • Only allow predefined values: Yes
    • Predefined values: Basic, Standard, Premium
  4. Click Add attribute for a third attribute:
    • Attribute name: DataRegion
    • Description: Required data residency region for compliance
    • Data type: String
    • Allow multiple values: No
    • Only allow predefined values: Yes
    • Predefined values: EU-West, NL-Central, EU-North
  5. Click Save.

An attribute definition cannot be deleted once created (only deactivated), and its name and data type are fixed, so agree on naming with the billing and compliance teams before you create it.

MSP Tip: Create separate attributes for billing code, technical contact email, and monthly license allocation to automate reporting.

Step 3: Assign Attributes to Users or Applications

Now we’ll assign the custom security attribute to users.

  1. Navigate to Identity > Users > All users.
  2. Select a user (e.g., AdeleV@M365x84127945.OnMicrosoft.com).
  3. In the left navigation, click Custom security attributes.
  4. Click Add assignment.
  5. Assign multiple attributes:
    • Attribute set: CustomerData
    • Attribute name: CustomerName → Value: Microsoft
    • Click Add assignment again
    • Attribute name: ServiceTier → Value: Premium
    • Click Add assignment again
    • Attribute name: DataRegion → Value: EU-West
  6. Click Save.

Repeat for users from other customers (e.g., Salesforce users get CustomerName=Salesforce, ServiceTier=Standard).
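Steps 1 to 3 can also be driven through Microsoft Graph, which is how an MSP would script onboarding for many tenants. The following is an added example written for this guide, not code from the original post: it builds the request bodies for the attribute set, the three definitions and the user assignment against the v1.0 `/directory/attributeSets`, `/directory/customSecurityAttributeDefinitions` and `/users/{id}` endpoints. `provisioning_plan()` runs offline; `send()` needs a bearer token (obtained however you normally do, for example MSAL) and the user object id is a placeholder.

```python
"""Steps 1-3 as Microsoft Graph calls: create the attribute set, the three
definitions and the user assignment. Added example, not from the original
post. Builds request bodies offline; pass a bearer token to send() to run
them for real. Body shapes follow the Graph v1.0 directory endpoints."""
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# Marker Graph expects on every customSecurityAttributes assignment block.
CSA_VALUE_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"


def attribute_set_body(name: str, description: str, max_attributes: int = 25) -> Dict[str, Any]:
    # Set names are immutable and cannot be deleted; conservative client-side
    # check (1-32 alphanumerics) before the name is burned into the tenant.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", name):
        raise ValueError("attribute set name must be 1-32 alphanumeric characters")
    return {"id": name, "description": description, "maxAttributesPerSet": max_attributes}


def definition_body(attribute_set: str, name: str, description: str,
                    allowed_values: Optional[List[str]] = None,
                    attr_type: str = "String", multi_valued: bool = False) -> Dict[str, Any]:
    body: Dict[str, Any] = {
        "attributeSet": attribute_set,
        "name": name,
        "description": description,
        "type": attr_type,            # String | Integer | Boolean
        "isCollection": multi_valued,
        "isSearchable": True,         # needed for $filter queries later
        "status": "Available",
        "usePreDefinedValuesOnly": allowed_values is not None,
    }
    if allowed_values is not None:
        body["allowedValues"] = [{"id": v, "isActive": True} for v in allowed_values]
    return body


def assignment_body(attribute_set: str, values: Dict[str, Any]) -> Dict[str, Any]:
    """PATCH body for /users/{id} or /servicePrincipals/{id}.
    Strings and booleans need no annotation; integers need "#Int32" and
    collections "#Collection(String)". None clears a single-valued attribute,
    [] clears a multi-valued one."""
    block: Dict[str, Any] = {"@odata.type": CSA_VALUE_TYPE}
    for attr, value in values.items():
        if isinstance(value, bool) or value is None:
            block[attr] = value
        elif isinstance(value, int):
            block[f"{attr}@odata.type"] = "#Int32"
            block[attr] = value
        elif isinstance(value, list):
            block[f"{attr}@odata.type"] = "#Collection(String)"
            block[attr] = value
        else:
            block[attr] = str(value)
    return {"customSecurityAttributes": {attribute_set: block}}


def provisioning_plan(user_id: str) -> List[Tuple[str, str, Dict[str, Any]]]:
    """Ordered (method, url, body) list mirroring Steps 1-3 of the guide."""
    defs = GRAPH + "/directory/customSecurityAttributeDefinitions"
    return [
        ("POST", GRAPH + "/directory/attributeSets",
         attribute_set_body("CustomerData", "Customer identification and service tier attributes for MSP clients")),
        ("POST", defs, definition_body("CustomerData", "CustomerName", "Customer organization name",
                                       ["Microsoft", "Salesforce", "Adobe", "Cisco"])),
        ("POST", defs, definition_body("CustomerData", "ServiceTier", "Customer service level agreement tier",
                                       ["Basic", "Standard", "Premium"])),
        ("POST", defs, definition_body("CustomerData", "DataRegion", "Required data residency region for compliance",
                                       ["EU-West", "NL-Central", "EU-North"])),
        ("PATCH", f"{GRAPH}/users/{user_id}",
         assignment_body("CustomerData", {"CustomerName": "Microsoft", "ServiceTier": "Premium", "DataRegion": "EU-West"})),
    ]


def send(plan: List[Tuple[str, str, Dict[str, Any]]], token: str) -> List[int]:
    """Execute the plan. The definition calls need the Attribute Definition
    Administrator role plus CustomSecAttributeDefinition.ReadWrite.All; the
    assignment needs Attribute Assignment Administrator plus
    CustomSecAttributeAssignment.ReadWrite.All. Returns HTTP status codes."""
    statuses: List[int] = []
    for method, url, body in plan:
        req = urllib.request.Request(url, method=method, data=json.dumps(body).encode("utf-8"),
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    for method, url, body in provisioning_plan("<user-object-id>"):
        print(method, url)
        print(json.dumps(body, indent=2))
```

Run it without a token to review the JSON it would send; the attribute-set and definition calls are one-way doors, so reviewing the plan before `send()` is the point of separating the two.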

Step 4: Use Attributes for Filtering and Reporting

The real power of Custom Security Attributes is using them to filter and manage users programmatically. As an MSP, you can now query Microsoft Graph to generate customer-specific reports.

Example Queries via Microsoft Graph (a $filter on customSecurityAttributes is an advanced query: send the header ConsistencyLevel: eventual and include $count=true on every request; the attribute values themselves are only returned when you add $select=id,userPrincipalName,customSecurityAttributes):

  1. List all Microsoft users (for monthly billing):
    GET https://graph.microsoft.com/v1.0/users?$filter=customSecurityAttributes/CustomerData/CustomerName eq 'Microsoft'&$count=true
  2. Count users on the Premium tier (for revenue reporting):
    GET https://graph.microsoft.com/v1.0/users?$filter=customSecurityAttributes/CustomerData/ServiceTier eq 'Premium'&$count=true
  3. Find all users in a specific data region (for compliance audits):
    GET https://graph.microsoft.com/v1.0/users?$filter=customSecurityAttributes/CustomerData/DataRegion eq 'NL-Central'&$count=true

The identity running these queries (a user or an automation's service principal) must hold the Attribute Assignment Reader or Attribute Assignment Administrator role and have the CustomSecAttributeAssignment.Read.All permission; User.Read.All alone does not return the attributes.

Logic App Integration:

  • Create scheduled flow to count users per customer each month
  • Export to Excel for billing team
  • Send customer usage reports automatically
  • Alert when customer exceeds license allocation

What this enables: Instead of manually exporting CSVs from your PSA tool and counting users, you can automate monthly billing reports, customer usage tracking, and compliance reporting directly from Entra ID.
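The queries above have three details that are easy to get wrong in automation: the ConsistencyLevel header, quoting of the filter value, and paging of large customer populations. The following is an added example for this guide, not code from the original post. It builds the filter and URL the way Graph expects, follows @odata.nextLink, and takes an injected `fetch` so it runs offline against a constructed sample tenant (`sample_fetch`, fake users, two results per page) or live with `graph_fetch(token)`.

```python
"""Query users by custom security attribute with the request shape Graph
requires, and follow paging. Added example, not from the original post.
`fetch` is injected: graph_fetch() is the live transport, sample_fetch()
is an offline stand-in over constructed users. Reading assignments needs
the Attribute Assignment Reader (or Administrator) role on the caller and
CustomSecAttributeAssignment.Read.All."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str], dict]


def csa_filter(attribute_set: str, attribute: str, value: str) -> str:
    # OData string literal: single-quoted, embedded quote doubled (O'Brien -> 'O''Brien').
    literal = value.replace("'", "''")
    return f"customSecurityAttributes/{attribute_set}/{attribute} eq '{literal}'"


def users_url(filter_expr: str, resource: str = "users") -> str:
    # $filter on customSecurityAttributes is an advanced query: it needs $count=true
    # here AND the ConsistencyLevel: eventual header (see graph_fetch).
    # customSecurityAttributes only comes back when $select-ed explicitly.
    select = "id,userPrincipalName,customSecurityAttributes"
    return f"{GRAPH}/{resource}?$filter={urllib.parse.quote(filter_expr)}&$count=true&$select={select}"


def fetch_all(url: str, fetch: Fetch) -> Iterator[dict]:
    # Results are paged; keep following @odata.nextLink until it is absent.
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def server_count(filter_expr: str, fetch: Fetch) -> int:
    """Use @odata.count from the first page instead of walking every page."""
    return int(fetch(users_url(filter_expr)).get("@odata.count", 0))


def graph_fetch(token: str) -> Fetch:
    def _fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                                   "ConsistencyLevel": "eventual"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return _fetch


def customer_user_counts(fetch: Fetch,
                         customers=("Microsoft", "Salesforce", "Adobe", "Cisco")) -> Dict[str, int]:
    """Billing-style headcount: one filtered, fully paged query per customer."""
    return {c: sum(1 for _ in fetch_all(users_url(csa_filter("CustomerData", "CustomerName", c)), fetch))
            for c in customers}


# ---- offline stand-in: constructed sample tenant, not real data ----
def _u(uid, upn, customer, tier, region):
    return {"id": uid, "userPrincipalName": upn,
            "customSecurityAttributes": {"CustomerData": {"CustomerName": customer,
                                                          "ServiceTier": tier, "DataRegion": region}}}


SAMPLE_USERS = [
    _u("u1", "adelev@contoso.example", "Microsoft", "Premium", "EU-West"),
    _u("u2", "alexw@contoso.example", "Microsoft", "Premium", "EU-West"),
    _u("u3", "dianap@contoso.example", "Microsoft", "Premium", "NL-Central"),
    _u("u4", "graces@contoso.example", "Salesforce", "Standard", "EU-West"),
    _u("u5", "henriettam@contoso.example", "Salesforce", "Standard", "EU-North"),
    _u("u6", "isaiahl@contoso.example", "Cisco", "Basic", "NL-Central"),
    {"id": "u7", "userPrincipalName": "untagged@contoso.example"},  # never tagged
]
PAGE_SIZE = 2


def sample_fetch(url: str) -> dict:
    """Apply a single 'eq' filter to SAMPLE_USERS and page PAGE_SIZE at a time."""
    base, _, skip = url.partition("&$skiptoken=")
    params = urllib.parse.parse_qs(urllib.parse.urlparse(base).query)
    m = re.fullmatch(r"customSecurityAttributes/(\w+)/(\w+) eq '(.*)'", params["$filter"][0])
    aset, attr, value = m.group(1), m.group(2), m.group(3).replace("''", "'")
    hits = [u for u in SAMPLE_USERS
            if u.get("customSecurityAttributes", {}).get(aset, {}).get(attr) == value]
    start = int(skip or 0)
    page = {"@odata.count": len(hits), "value": hits[start:start + PAGE_SIZE]}
    if start + PAGE_SIZE < len(hits):
        page["@odata.nextLink"] = f"{base}&$skiptoken={start + PAGE_SIZE}"
    return page


if __name__ == "__main__":
    print(customer_user_counts(sample_fetch))
```

Two things to notice: `u7` never shows up in any customer's count because it was never tagged, which is exactly how an untagged user drops off an invoice; and the Microsoft result spans two pages, so a script that reads only the first `value` array would under-bill.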

Advanced Scenarios: Business-Driven Access Control

Custom Security Attributes enable sophisticated workflows that align access control with business processes, not just identity properties.

Scenario 1: Vendor Company Tracking for Contractors

Business Challenge: You manage an Entra ID tenant with 3,000 FTE employees plus 800 contractors from different staffing agencies (Accenture, Deloitte, Randstad). When security incidents occur or vendor contracts change, you need to quickly answer: “Which contractors work for Accenture?” or “How many Deloitte contractors do we have?”. Currently, this data lives in spreadsheets, making it impossible to quickly identify and act on vendor-specific populations.

Solution with Custom Security Attributes: Tag contractors with their vendor company, then query by vendor via Microsoft Graph API for instant reporting.

Implementation:

  1. Create Attribute Set: ContractorData
  2. Define Attribute: VendorCompany with predefined values:
    • “Accenture”
    • “Deloitte”
    • “Randstad”
    • “Direct” (direct hires, not through vendor)
  3. Assign to Contractor Users:
    • Accenture contractors: VendorCompany=Accenture
    • Deloitte contractors: VendorCompany=Deloitte
    • Direct contractors: VendorCompany=Direct
  4. Query Contractors by Vendor via Microsoft Graph:
# Get all Accenture contractors
GET /users?$filter=customSecurityAttributes/ContractorData/VendorCompany eq 'Accenture'

# Count Deloitte contractors for budget review
GET /users?$filter=customSecurityAttributes/ContractorData/VendorCompany eq 'Deloitte'&$count=true

Real-World Use Cases:

  • Security Incident: Accenture reports data breach → Query all Accenture contractors → Revoke their sessions and force a password reset in minutes
  • Contract Renegotiation: Finance reviewing Deloitte contract → Export all Deloitte users → Show actual headcount vs contracted capacity
  • Vendor Performance Review: HR asks “How many contractors from each vendor?” → Run Graph query → Generate report in seconds
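The incident case above ends with "force password reset in minutes"; at 800 contractors that means bulk operations, and the practical tool is Graph JSON batching. The following is an added example for this guide, not code from the original post. It takes the user ids a VendorCompany query returned (constructed placeholders here) and produces `$batch` bodies that revoke each user's sessions and then force a password change, with the per-request status check a real containment script needs.

```python
"""Contain a vendor population in bulk with Graph JSON batching: revoke
refresh tokens and force a password change at next sign-in for every user
a VendorCompany query returned. Added example, not from the original post;
the user ids below are constructed and send_batches() is optional."""
import json
import urllib.request
from typing import List

GRAPH = "https://graph.microsoft.com/v1.0"
BATCH_LIMIT = 20  # JSON batching accepts at most 20 requests per $batch call


def containment_requests(user_id: str, seq: int) -> List[dict]:
    """Two batched requests per user.
    - revokeSignInSessions invalidates refresh tokens and browser sessions;
      access tokens already issued stay valid until they expire (about an
      hour), so this is containment, not instant lockout.
    - forceChangePasswordNextSignIn applies to cloud-managed accounts; guest
      (B2B) contractors authenticate in their home tenant, so for them only
      the revoke has effect and the vendor must reset on their side."""
    revoke_id = f"{seq}-revoke"
    return [
        {"id": revoke_id, "method": "POST", "url": f"/users/{user_id}/revokeSignInSessions"},
        {"id": f"{seq}-reset", "method": "PATCH", "url": f"/users/{user_id}",
         "dependsOn": [revoke_id],  # run the reset after the revoke completes
         "headers": {"Content-Type": "application/json"},
         "body": {"passwordProfile": {"forceChangePasswordNextSignIn": True}}},
    ]


def batches(user_ids: List[str]) -> List[dict]:
    """Chunk the per-user requests into $batch bodies of at most BATCH_LIMIT.
    Pairs stay in the same batch so dependsOn never crosses a boundary."""
    per_user = [containment_requests(uid, i) for i, uid in enumerate(user_ids)]
    users_per_batch = BATCH_LIMIT // 2
    return [{"requests": [r for pair in per_user[i:i + users_per_batch] for r in pair]}
            for i in range(0, len(per_user), users_per_batch)]


def failed_requests(batch_response: dict) -> List[dict]:
    """HTTP 200 on $batch only means the envelope was accepted; each inner
    response carries its own status and must be checked."""
    return [r for r in batch_response.get("responses", []) if int(r.get("status", 0)) >= 400]


def send_batches(bodies: List[dict], token: str) -> List[dict]:
    """POST each batch; needs User.ReadWrite.All and a role allowed to reset
    passwords for the targets (e.g. User Administrator). Returns all failures."""
    failures: List[dict] = []
    for body in bodies:
        req = urllib.request.Request(f"{GRAPH}/$batch", method="POST",
                                     data=json.dumps(body).encode("utf-8"),
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            failures.extend(failed_requests(json.load(resp)))
    return failures


if __name__ == "__main__":
    # Constructed ids standing in for the result of
    # $filter=customSecurityAttributes/ContractorData/VendorCompany eq 'Accenture'
    accenture = [f"00000000-0000-0000-0000-{i:012d}" for i in range(25)]
    for b in batches(accenture):
        print(len(b["requests"]), "requests in batch")
```

Feed `batches()` the ids from the VendorCompany query, keep the failure list (a 403 on one contractor usually means a synced or guest account that needs a different remediation path), and remember that only the tagged contractors are covered: whoever was onboarded without the attribute is invisible to this sweep.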

Scenario 2: Employee Type and Cost Center Tracking

Business Challenge: You manage Salesforce’s Entra ID tenant with 8,000 employees (FTE) plus 2,000 contractors and vendors. Finance needs monthly reports: “How many contractors per cost center?”, “Which external identities have Premium licenses?”, “Total license costs per business unit for chargeback”. Currently, this data is scattered across HR systems, manually reconciled each month.

Solution with Custom Security Attributes: Tag users with employee type and cost center, then generate automated reports via Microsoft Graph API—no manual reconciliation needed.

Implementation:

  1. Create Attribute Set: EmployeeData
  2. Define Attributes:
    • EmployeeType: “FTE”, “Contractor”, “Vendor”, “Intern”
    • CostCenter: “Sales-US”, “Engineering-Global”, “Marketing-EMEA”, “Support-APAC”
    • LicenseTier: “E3” ($36/month), “E5” ($57/month), “F3” ($8/month)
    • Manager: Email of direct manager for approval workflows
  3. Assign to Users:
    • FTE employees: EmployeeType=FTE, CostCenter=Engineering-Global, LicenseTier=E5
    • Contractors: EmployeeType=Contractor, CostCenter=Sales-US, LicenseTier=E3
    • Vendors: EmployeeType=Vendor, CostCenter=Support-APAC, LicenseTier=F3
  4. Assign to Applications (Service Principals):
    • Engineering GitHub Enterprise App: CostCenter=Engineering-Global
    • Sales Salesforce Connector: CostCenter=Sales-US
  5. Generate Monthly Chargeback Report via Microsoft Graph:
# Count E5 licenses in Engineering cost center
GET /users?$filter=customSecurityAttributes/EmployeeData/CostCenter eq 'Engineering-Global' 
    and customSecurityAttributes/EmployeeData/LicenseTier eq 'E5'&$count=true

# Get all contractors for compliance review
GET /users?$filter=customSecurityAttributes/EmployeeData/EmployeeType eq 'Contractor'

# Calculate cost center chargeback
GET /users?$filter=customSecurityAttributes/EmployeeData/CostCenter eq 'Sales-US'

Automated Chargeback Workflow:

  1. Power Automate scheduled flow (runs 1st of each month)
  2. Query Microsoft Graph for user counts per cost center + license tier
  3. Calculate chargeback: Engineering-Global (150 users × $57 E5) = $8,550
  4. Export to SAP/Oracle ERP for internal billing automatically
  5. Generate VP dashboard showing license consumption by business unit
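The chargeback step is where a report quietly goes wrong: a user missing CostCenter or LicenseTier produces no error, it just disappears from the invoice, and a tier with no price should stop the run rather than bill zero. The following is an added example for this guide, not code from the original post. It takes the user objects one `$select=customSecurityAttributes` query returns (a constructed sample here), groups them by cost center and tier locally instead of issuing one Graph call per combination, prices them with the assumed figures from the scenario, and flags cost centers over an assumed allocation.

```python
"""Monthly chargeback computed from EmployeeData attributes. Added example,
not from the original post. Input is the list of user objects one
$select=customSecurityAttributes query returns (constructed sample below);
grouping locally avoids one Graph call per cost-center/tier combination.
Prices and allocations are assumed values for the scenario."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

PRICE_PER_MONTH = {"E3": 36, "E5": 57, "F3": 8}   # assumed list prices (USD/user/month)
ALLOCATION = {("Engineering-Global", "E5"): 2,     # assumed contracted license caps
              ("Sales-US", "E3"): 40}

Key = Tuple[str, str]  # (CostCenter, LicenseTier)


def _employee_data(user: dict, attribute_set: str = "EmployeeData") -> dict:
    return (user.get("customSecurityAttributes") or {}).get(attribute_set) or {}


def _is_tagged(user: dict) -> bool:
    d = _employee_data(user)
    return bool(d.get("CostCenter") and d.get("LicenseTier"))


def tier_counts(users: Iterable[dict]) -> Dict[Key, int]:
    counts: Dict[Key, int] = defaultdict(int)
    for u in users:
        if _is_tagged(u):
            d = _employee_data(u)
            counts[(d["CostCenter"], d["LicenseTier"])] += 1
    return dict(counts)


def untagged(users: Iterable[dict]) -> List[str]:
    """Users missing CostCenter or LicenseTier: they would silently fall out
    of the invoice, so report them instead of dropping them."""
    return [u["userPrincipalName"] for u in users if not _is_tagged(u)]


def chargeback(counts: Dict[Key, int]) -> Dict[str, int]:
    totals: Dict[str, int] = defaultdict(int)
    for (cost_center, tier), n in counts.items():
        if tier not in PRICE_PER_MONTH:
            raise ValueError(f"no price for LicenseTier {tier!r} in {cost_center}")
        totals[cost_center] += n * PRICE_PER_MONTH[tier]
    return dict(totals)


def over_allocation(counts: Dict[Key, int],
                    allocation: Dict[Key, int] = ALLOCATION) -> Dict[Key, Tuple[int, int]]:
    """(actual, allowed) for every cost-center/tier above its cap."""
    return {k: (n, allocation[k]) for k, n in counts.items() if k in allocation and n > allocation[k]}


def _u(upn: str, cost_center: str = "", tier: str = "", emp_type: str = "FTE") -> dict:
    attrs = {"EmployeeType": emp_type}
    if cost_center:
        attrs["CostCenter"] = cost_center
    if tier:
        attrs["LicenseTier"] = tier
    return {"userPrincipalName": upn, "customSecurityAttributes": {"EmployeeData": attrs}}


# Constructed sample, not real data.
SAMPLE_USERS = [
    _u("eng1@contoso.example", "Engineering-Global", "E5"),
    _u("eng2@contoso.example", "Engineering-Global", "E5"),
    _u("eng3@contoso.example", "Engineering-Global", "E5"),
    _u("eng4@contoso.example", "Engineering-Global", "E3", "Contractor"),
    _u("sales1@contoso.example", "Sales-US", "E3", "Contractor"),
    _u("sales2@contoso.example", "Sales-US", "E3", "Contractor"),
    _u("sup1@contoso.example", "Support-APAC", "F3", "Vendor"),
    _u("new-hire@contoso.example"),                    # not tagged yet
    {"userPrincipalName": "svc@contoso.example"},      # no attributes at all
]

if __name__ == "__main__":
    c = tier_counts(SAMPLE_USERS)
    print("chargeback:", chargeback(c))
    print("over allocation:", over_allocation(c))
    print("untagged:", untagged(SAMPLE_USERS))
```

Send the `untagged` list to whoever owns onboarding before the invoice goes out; in practice it is the most useful output of the whole run.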

Scenario 3: Location-Based Access Control

Business Challenge: You manage Spotify’s Entra ID tenant with employees in 30+ countries. Some teams work from multiple locations (remote workers, traveling executives), while others are office-based. Currently, you track employee locations in HR systems, but can’t easily query “Who are our US-based employees?” or “Which contractors are in Sweden?” for compliance reporting.

Solution with Custom Security Attributes: Tag users with their primary work location, then generate location-based reports and access policies.

Implementation:

  1. Create Attribute Set: EmployeeData
  2. Define Attributes:
    • WorkLocation: “US-NewYork”, “US-LosAngeles”, “Sweden-Stockholm”, “UK-London”, “Remote”
    • OfficeType: “HQ”, “Regional”, “Remote”
  3. Assign to Users:
    • New York employees: WorkLocation=US-NewYork, OfficeType=HQ
    • Remote workers: WorkLocation=Remote, OfficeType=Remote
    • Stockholm employees: WorkLocation=Sweden-Stockholm, OfficeType=HQ
  4. Generate Location Reports via Microsoft Graph:
# Count New York employees (one WorkLocation value per query; repeat for US-LosAngeles to get a US total)
GET /users?$filter=customSecurityAttributes/EmployeeData/WorkLocation eq 'US-NewYork'&$count=true

# Get all remote workers for equipment audit
GET /users?$filter=customSecurityAttributes/EmployeeData/OfficeType eq 'Remote'

# List all Stockholm employees for office space planning
GET /users?$filter=customSecurityAttributes/EmployeeData/WorkLocation eq 'Sweden-Stockholm'
  5. Automated Workflows:
    • Monthly location report for HR (headcount per country)
    • Remote worker equipment audit (laptop/phone assignments)
    • Office space planning (assign desks based on location attribute)
    • Stricter Conditional Access for remote workers (for example a named-location or compliant-network requirement). Conditional Access cannot target users by custom security attribute and dynamic group rules cannot read them either, so have the automation maintain a security group from the OfficeType attribute and scope the policy to that group. Custom security attributes on service principals, by contrast, can be used directly in Conditional Access filter for applications.


Conclusion

For Managed Service Providers, Custom Security Attributes bridge the gap between your business systems (PSA tools, CRM, billing platforms) and Microsoft Entra ID. Instead of maintaining customer metadata in disconnected spreadsheets, you tag users and applications with customer names, service tiers, and compliance requirements—then automate reporting and workflows directly from Entra ID.

The billing automation scenario demonstrates this perfectly: instead of exporting CSVs from your PSA tool every month and manually counting users per customer, Power Automate, Logic Apps or other automation queries Microsoft Graph for user counts per service tier and generates invoices automatically. When your Microsoft customer adds 10 new users and they are tagged at onboarding, they appear in next month’s invoice without any manual intervention; an untagged user is simply invisible to the report, so tagging has to be part of the provisioning process.

The data residency tracking enables compliance at scale. For MSPs managing customers with GDPR, SOC2, and HIPAA requirements, Custom Security Attributes provide a centralized place to document which customers require specific regional data storage. Compliance reports become Graph API queries instead of spreadsheet archaeology.

Most importantly, Custom Security Attributes make customer context visible where it matters: in Entra ID. When a help desk engineer who holds the Attribute Assignment Reader role looks at a user profile, they instantly see “CustomerName=Microsoft, ServiceTier=Premium” without opening your PSA tool (anyone without that role, Global Administrators included, sees nothing). When your automation runs, it can filter by customer attribute without complex lookups. Customer metadata becomes a first-class citizen in your identity platform.


Next in the Series: Part 4 shines a spotlight on Intune’s Custom Compliance Policies, highlighting an essential yet often overlooked capability that enables more granular and effective management.