Azure AD Provisioning - How to create a dynamic custom attribute based on dropdown list of values

Jessica MacDonald 0 Reputation points
2023-06-12T21:19:21.2733333+00:00

I am trying to create new Custom Attributes or properties so I can assign a group of organizational divisions.

I.E.

user 1 => division 1, division 2

user 2 => division 2, division 3

user 4 => division 1

I want to be able to choose from a key-value pair where there would be a division name and a divisionId associated with it.

I want to be able to assign this to any user who needs access to a certain Enterprise App.

Once this attribute is created and assigned to users, I want to be able to pass the values in either a comma-delimited list of ids or an array of key-value pairs.

I've tried to create Custom Attributes in provisioning using schema urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute , but it looks like those Custom attributes can't be referential attributes, multi-value or complex-typed attributes.

I've also tried to create External Entities > Custom User Attributes but those also don't seem to be accessible in the UI. Meaning I can't seem to assign a value for users within the UI. Only through a User flow or through the Graph API

For context, I'm trying to build a Custom Auto Provisioning app for clients to set up SCIM with our product, and for this we need to be able to create these custom attributes and pass them through SCIM mapping.

Thanks in advance.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2023-06-13T19:08:18.5933333+00:00

    I think you can reach your end goal, but maybe not using either of the options you've described.

    You are correct that AAD Provisioning doesn't support custom complex-typed, multi-value or referential attributes. When you mention an array of key:value pairs, that isn't a thing when it comes to attribute data types in SCIM. What aligns with that the closest in the SCIM spec is a complex-typed attribute.

    One thing to note - for complex attributes, the sub-attributes must be defined in the schema, so a complex attribute would only work if all of the sub-attributes ("keys") were fixed and already known ahead of time rather than being defined dynamically.

    What exactly you'd be representing with the keys isn't clear, but if this were possible with AAD Provisioning, a few approaches are outlined below.

    Custom single-valued complex attribute:

    "customAttribute": {
        "subAttribute1": "value1",
        "subAttribute2": "value2",
        "subAttribute3": "value3"
    }

    Custom multi-valued complex attribute:

    "customAttribute": [
        { "subAttribute1": "value1", "subAttribute2": "value2" },
        { "subAttribute1": "value1", "subAttribute2": "value2" }
    ]

    Custom multi-valued string attribute:

    "customAttribute": [ "value1", "value2", "value3" ]

    UNFORTUNATELY.. custom complex and/or multi-valued attributes aren't supported today. If you have your data source figured out already - one or more attributes on the user object in Azure AD presumably - then there are a few approaches with one or more single-valued string attributes that may work, such as:

    One custom single-valued string attribute with comma delimited values:

    "customAttribute":"value1,value2,value3"

    Multiple custom single-valued attributes, each containing a single value (useful for something like "Division 1" and "Division 2" attributes):

    "customAttribute1": "value1",
    "customAttribute2": "value2"

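The answer above leaves the SCIM endpoint (the product side the question is building) to turn one or more single-valued string attributes back into a list of divisions. The following is an added example of that receiving side, written for this page and not code from the original post or from Microsoft. It assumes the extension URN from the question, a hypothetical single-valued attribute divisionIds carrying a comma-delimited list (the first workaround in the answer) plus optional division1, division2, ... attributes (the second workaround), a constructed division catalogue standing in for the dropdown list of key-value pairs, and constructed Azure AD POST and PATCH payloads. The attribute mappings on the Azure AD side are assumed to be configured to send those attributes. Because the delimited string is free-form text coming from the directory and the SCIM endpoint is where access to a division is actually granted, the parser fails closed on anything not in the catalogue instead of silently dropping it.

```python
"""Parse division assignments delivered by Azure AD SCIM provisioning.

Azure AD provisioning only supports custom single-valued string attributes,
so divisions arrive either as one comma-delimited string or as several
single-valued attributes. Both forms are normalised here into a validated,
de-duplicated list of (divisionId, divisionName) pairs.
Schema URN (from the question), attribute names, the division catalogue and
the sample payloads are all assumptions constructed for this example.
"""
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
EXT_SCHEMA = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Hypothetical catalogue: the "dropdown list" of divisions the product knows.
DIVISIONS = {"1": "Division 1", "2": "Division 2", "3": "Division 3"}

DELIMITED_ATTR = "divisionIds"                 # "1,2,3"
SINGLE_ATTR_RE = re.compile(r"^division(\d+)$")  # division1, division2, ...
ID_RE = re.compile(r"^[0-9]+$")
MAX_DIVISIONS = 10


class ProvisioningError(ValueError):
    """Malformed or untrusted payload; the SCIM endpoint should answer 400."""


def _split_ids(raw):
    """Split a single-valued delimited string; tolerate spaces and empty items."""
    if not isinstance(raw, str):
        raise ProvisioningError(f"{DELIMITED_ATTR} must be a string, got {type(raw).__name__}")
    return [part.strip() for part in raw.split(",") if part.strip()]


def _resolve(ids):
    """Validate ids against the catalogue, drop duplicates, keep first-seen order."""
    seen = []
    for div_id in ids:
        if not ID_RE.match(div_id):
            raise ProvisioningError(f"malformed division id {div_id!r}")
        if div_id not in DIVISIONS:
            # Fail closed: an id outside the catalogue must not grant anything.
            raise ProvisioningError(f"unknown division id {div_id!r}")
        if div_id not in seen:
            seen.append(div_id)
    if len(seen) > MAX_DIVISIONS:
        raise ProvisioningError("too many divisions for one user")
    return [(d, DIVISIONS[d]) for d in seen]


def divisions_from_user(user):
    """Extract divisions from a SCIM POST/PUT user resource (empty list = no access)."""
    if EXT_SCHEMA not in user.get("schemas", []):
        raise ProvisioningError("extension schema not declared in 'schemas'")
    ext = user.get(EXT_SCHEMA, {})
    if not isinstance(ext, dict):
        raise ProvisioningError("extension attribute must be a complex object")
    ids = []
    if DELIMITED_ATTR in ext:
        ids.extend(_split_ids(ext[DELIMITED_ATTR]))
    # Collect division1, division2, ... in numeric order of their suffix.
    singles = [(int(m.group(1)), ext[name]) for name in ext if (m := SINGLE_ATTR_RE.match(name))]
    for _, value in sorted(singles):
        ids.extend(_split_ids(value))
    return _resolve(ids)


def divisions_from_patch(patch, current_ext):
    """Apply a SCIM PatchOp to the stored extension attributes and re-resolve.

    Azure AD sends path-based operations such as
    {"op": "Replace", "path": "<EXT_SCHEMA>:divisionIds", "value": "2,3"}.
    Operations on other attributes are left for the rest of the endpoint.
    """
    if PATCH_OP not in patch.get("schemas", []):
        raise ProvisioningError("not a PatchOp message")
    state = dict(current_ext)
    prefix = EXT_SCHEMA + ":"
    for op in patch.get("Operations", []):
        path = op.get("path", "")
        if not path.startswith(prefix):
            continue
        attr, kind = path[len(prefix):], op.get("op", "").lower()
        if kind in ("add", "replace"):
            state[attr] = op.get("value")
        elif kind == "remove":
            state.pop(attr, None)
        else:
            raise ProvisioningError(f"unsupported op {kind!r}")
    return divisions_from_user({"schemas": [CORE_USER, EXT_SCHEMA], EXT_SCHEMA: state})


# Constructed sample payloads in the shape Azure AD provisioning produces.
SAMPLE_USER = {
    "schemas": [CORE_USER, EXT_SCHEMA],
    "userName": "user1@example.com",
    "active": True,
    EXT_SCHEMA: {"divisionIds": "1, 2"},
}
SAMPLE_PATCH = {
    "schemas": [PATCH_OP],
    "Operations": [{"op": "Replace", "path": EXT_SCHEMA + ":divisionIds", "value": "2,3"}],
}

if __name__ == "__main__":
    print(divisions_from_user(SAMPLE_USER))
    print(divisions_from_patch(SAMPLE_PATCH, SAMPLE_USER[EXT_SCHEMA]))
```

The comma-delimited form and the divisionN form are resolved by the same function, so a client can switch between the two Azure AD attribute mappings without changing the endpoint. Whichever form is used, the catalogue in the endpoint, not the text in the directory attribute, decides which divisions exist.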
