Troubleshoot custom security attributes in Azure AD (Preview)

Important

Custom security attributes are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Symptom - Custom security attributes page is disabled

When you are signed in to the Azure portal as a Global Administrator and try to open the Custom security attributes page, the page is disabled.

Screenshot of the Custom security attributes page disabled in the Azure portal.

Cause

Custom security attributes require an Azure AD Premium P1 or P2 license.

Solution

Open Azure Active Directory > Overview and check the license for your tenant.

Symptom - Add attribute set is disabled

When you are signed in to the Azure portal as a Global Administrator and try to select Custom security attributes > Add attribute set, the option is disabled.

Screenshot of the Add attribute set option disabled in the Azure portal.

Cause

You don't have permissions to add an attribute set. To add an attribute set and custom security attributes, you must be assigned the Attribute Definition Administrator role. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

Solution

Make sure that you are assigned the Attribute Definition Administrator role at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Azure AD.

Symptom - Error when you try to assign a custom security attribute

When you try to save a custom security attribute assignment, you get the message:

Insufficient privileges to save custom security attributes
This account does not have the necessary admin privileges to change custom security attributes

Cause

You don't have permissions to assign custom security attributes. To assign custom security attributes, you must be assigned the Attribute Assignment Administrator role. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

Solution

Make sure that you are assigned the Attribute Assignment Administrator role at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Azure AD.

Symptom - Cannot filter custom security attributes for users or applications

Cause 1

You don't have permissions to filter custom security attributes. To read and filter custom security attributes for users or enterprise applications, you must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

Solution 1

Make sure that you are assigned one of the following Azure AD built-in roles at either the tenant scope or attribute set scope: Attribute Assignment Reader or Attribute Assignment Administrator. For more information, see Manage access to custom security attributes in Azure AD.

Cause 2

You are assigned the Attribute Assignment Reader or Attribute Assignment Administrator role, but you have not been assigned access to an attribute set.

Solution 2

You can delegate the management of custom security attributes at the tenant scope or at the attribute set scope. Make sure you have been assigned access to an attribute set at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Azure AD.

Cause 3

There are no custom security attributes defined and assigned yet for your tenant.

Solution 3

Add and assign custom security attributes to users or enterprise applications. For more information, see Add or deactivate custom security attributes in Azure AD, Assign or remove custom security attributes for a user, or Assign or remove custom security attributes for an application.

Symptom - Custom security attributes cannot be deleted

Cause

Currently, you can only activate and deactivate custom security attribute definitions. Deletion of custom security attributes is not supported. Deactivated definitions do not count towards the tenant-wide limit of 500 definitions.

Solution

Deactivate the custom security attributes you no longer need. For more information, see Add or deactivate custom security attributes in Azure AD.

Symptom - Cannot add a role assignment at an attribute set scope using PIM

When you try to add an eligible Azure AD role assignment using Azure AD Privileged Identity Management (PIM), you cannot set the scope to an attribute set.

Cause

PIM currently does not support adding an eligible Azure AD role assignment at an attribute set scope.

Symptom - Insufficient privileges when using Graph Explorer

When you try to use Graph Explorer to call Microsoft Graph APIs for custom security attributes, you see a message similar to the following:

Forbidden - 403. You need to consent to the permissions on the Modify permissions (Preview) tab
Authorization_RequestDenied
Insufficient privileges to complete the operation.

Screenshot of Graph Explorer displaying an insufficient privileges error message.

Cause 1

You have not consented to the required custom security attribute permissions to make the API call.

Solution 1

Open the Permissions panel, select the appropriate custom security attribute permission, and click Consent. In the Permissions requested window that appears, review the requested permissions.

Screenshot of Graph Explorer Permissions panel with CustomSecAttributeDefinition selected.

Cause 2

You are not assigned the required custom security attribute role to make the API call. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

Solution 2

Make sure that you are assigned the required custom security attribute role. For more information, see Manage access to custom security attributes in Azure AD.
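As an added example (not part of this Microsoft page), the following Python helper triages a 403 from a custom security attribute API call by separating Cause 1 (permission not consented, visible in the token's scp claim) from Cause 2 (required role not held), and also applies the attribute set scope check described under "Cannot filter custom security attributes for users or applications" above. It assumes a delegated access token, role assignments fetched from GET /roleManagement/directory/roleAssignments with a principalId filter and $expand=roleDefinition, and that attribute-set-scoped assignments carry a directoryScopeId of the form /attributeSets/<name>.

```python
import base64
import json

# Delegated Graph permissions that must be consented for each operation (Cause 1).
REQUIRED_SCOPES = {
    "define": {"CustomSecAttributeDefinition.ReadWrite.All"},
    "assign": {"CustomSecAttributeAssignment.ReadWrite.All"},
    "read_assignments": {"CustomSecAttributeAssignment.Read.All",
                         "CustomSecAttributeAssignment.ReadWrite.All"},
}
# Azure AD built-in roles named on this page that grant each operation (Cause 2).
REQUIRED_ROLES = {
    "define": {"Attribute Definition Administrator"},
    "assign": {"Attribute Assignment Administrator"},
    "read_assignments": {"Attribute Assignment Reader", "Attribute Assignment Administrator"},
}

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def scope_covers(directory_scope_id, attribute_set):
    """'/' is a tenant-scope assignment; '/attributeSets/<name>' covers one set (assumed format)."""
    return directory_scope_id == "/" or directory_scope_id == f"/attributeSets/{attribute_set}"

def diagnose_403(token, role_assignments, operation, attribute_set):
    """Return 'consent' (Cause 1), 'role' (Cause 2) or 'ok' for a 403 on the given operation."""
    scopes = set(jwt_claims(token).get("scp", "").split())
    if not scopes & REQUIRED_SCOPES[operation]:
        return "consent"  # consent to the permission in the Graph Explorer Permissions panel
    held = {ra["roleDefinition"]["displayName"] for ra in role_assignments
            if scope_covers(ra["directoryScopeId"], attribute_set)}
    if not held & REQUIRED_ROLES[operation]:
        return "role"  # Global Administrator alone does not grant these operations
    return "ok"

def unsigned_token(claims):
    """Build a constructed, unsigned JWT so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample data: a token consented only for assignment reads, and one
# role assignment scoped to the Engineering attribute set.
SAMPLE_TOKEN = unsigned_token({"scp": "User.Read CustomSecAttributeAssignment.Read.All"})
SAMPLE_ROLES = [{"directoryScopeId": "/attributeSets/Engineering",
                 "roleDefinition": {"displayName": "Attribute Assignment Reader"}}]

if __name__ == "__main__":
    print(diagnose_403(SAMPLE_TOKEN, SAMPLE_ROLES, "read_assignments", "Engineering"))  # ok
    print(diagnose_403(SAMPLE_TOKEN, SAMPLE_ROLES, "read_assignments", "Marketing"))    # role
    print(diagnose_403(SAMPLE_TOKEN, SAMPLE_ROLES, "assign", "Engineering"))            # consent
```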
