CustomSecurityAttributes null when loaded via /met endpoint

Jonah Jordan 5 Reputation points
2023-03-09T18:25:37.15+00:00

Hi,

We are trying to load the custom security attributes through the /me endpoint:
https://graph.microsoft.com/beta/me?$select=customSecurityAttributes

This is returning the following response:


{
"customSecurityAttributes": null
}

When we are querying on the specific user with his ID, the custom security attributes are correctly returned.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
864 questions
Microsoft Graph Users API
Microsoft Graph Users API
A Microsoft API that allows you to build compelling app experiences based on users, their relationships with other users and groups, and the resources they access for example their mails, calendars, files, administrative roles, group memberships.
641 questions
Microsoft Graph SDK
Microsoft Graph SDK
A Microsoft software developer kit designed to simplify building high-quality, efficient, and resilient applications that access Microsoft Graph.
811 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. HarmeetSingh-MSFT 3,871 Reputation points Microsoft Vendor
    2023-03-22T22:12:55.87+00:00

    Hello Jonah Jordan,

    Thanks for reaching out!

    Custom security attributes can be assigned to the following objects by using the customSecurityAttributes property. Directory synced users from an on-premises Active Directory can also be assigned custom security attributes.

    To assign, update, or remove custom security attribute assignments, the calling principal must be assigned the following Azure AD role. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

    Also, the calling principal must be granted the following permissions.

    Permissions to read, assign, update, or remove custom security attribute assignments for an application is granted by CustomSecAttributeAssignment.ReadWrite.All. Permissions to read the resource object, such as users, is granted separately using resource object permissions, such as User.Read.All.

    To list or read custom security attribute assignments, the calling principal must be assigned one of the following Azure AD roles. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes.

    Also, the calling principal must be granted the following permissions.

    Permissions to read custom security attribute assignments for an application is granted by CustomSecAttributeAssignment.Read.All. Permissions to read the resource object, such as users, is granted separately using resource object permissions, such as User.Read.All.

    Note: The custom security attributes feature is currently in preview.

    If there are no custom security attributes assigned to the user or if the calling principal does not have access, the following will be the response:

    HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(customSecurityAttributes)/$entity",
    "customSecurityAttributes": null
}

    References:

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.