CustomSecurityAttributes null when loaded via /me endpoint

Jonah Jordan 10 Reputation points
2023-03-09T18:25:37.15+00:00

Hi,

We are trying to load the custom security attributes through the /me endpoint:
https://graph.microsoft.com/beta/me?$select=customSecurityAttributes

This is returning the following response:


{
    "customSecurityAttributes": null
}

When we are querying on the specific user with his ID, the custom security attributes are correctly returned.


1 answer

  1. HarmeetSingh7172 4,886 Reputation points
    2023-03-22T22:12:55.87+00:00

    Hello Jonah Jordan,

    Thanks for reaching out!

    Custom security attributes can be assigned to the following objects by using the customSecurityAttributes property. Directory synced users from an on-premises Active Directory can also be assigned custom security attributes.

    To assign, update, or remove custom security attribute assignments, the calling principal must be assigned the following Azure AD role. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

    Also, the calling principal must be granted the following permissions.

    Permission to read, assign, update, or remove custom security attribute assignments for an application is granted by CustomSecAttributeAssignment.ReadWrite.All. Permission to read the resource object, such as users, is granted separately using resource object permissions, such as User.Read.All.

    To list or read custom security attribute assignments, the calling principal must be assigned one of the following Azure AD roles. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

    Also, the calling principal must be granted the following permissions.

    Permission to read custom security attribute assignments for an application is granted by CustomSecAttributeAssignment.Read.All. Permission to read the resource object, such as users, is granted separately using resource object permissions, such as User.Read.All.

    Note: The custom security attributes feature is currently in preview.

    If there are no custom security attributes assigned to the user or if the calling principal does not have access, the following will be the response:

    HTTP/1.1 200 OK
    Content-type: application/json
    
    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(customSecurityAttributes)/$entity",
        "customSecurityAttributes": null
    }
    
    

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.
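
Because Graph returns the same `200 OK` with `"customSecurityAttributes": null` both when nothing is assigned and when the caller lacks access, a quick way to narrow it down is to look at the permissions carried by the access token that was sent. The following is an added example, not part of the answer above and not Microsoft's code. It assumes the access token is a JWT whose delegated permissions are in the `scp` claim and application permissions in the `roles` claim; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Permission names taken from the answer above.
READ_PERMS = {"CustomSecAttributeAssignment.Read.All",
              "CustomSecAttributeAssignment.ReadWrite.All"}


def token_permissions(access_token: str) -> set:
    """Return the permissions in a JWT access token (diagnostic, no signature check).

    Delegated permissions are in the space-separated 'scp' claim,
    application permissions in the 'roles' array.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def explain_null(graph_body: dict, access_token: str) -> str:
    """Classify a customSecurityAttributes result returned by Graph."""
    if graph_body.get("customSecurityAttributes") is not None:
        return "attributes returned"
    if not READ_PERMS & token_permissions(access_token):
        return "null: token lacks a CustomSecAttributeAssignment permission"
    # Permission is present; the token alone cannot distinguish the rest.
    return "null: check the caller's directory role, or no attributes are assigned"


def _fake_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    null_body = {"customSecurityAttributes": None}  # response shape from the page
    print(explain_null(null_body, _fake_token({"scp": "User.Read"})))
    print(explain_null(null_body, _fake_token(
        {"scp": "User.Read CustomSecAttributeAssignment.Read.All"})))
```

If the token used for `/me` lacks the permission while the one used for `/users/{id}` has it, that difference alone explains the null.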