Microsoft Entra Delegated Permissions - Allow user to modify only their own custom security attributes

Jack 20 Reputation points
2024-05-23T20:36:07.3166667+00:00

My javascript client application needs to read/modify custom security attributes via the Graph API using delegated permissions. This works if I assign the "Attribute Assignment Administrator" and "Attribute Assignment Reader" role to the respective user.

However, with this role the users can read the custom security attributes of all users.

I want to have the permissions such that the users can only read/modify their own custom security attributes.

Futher information: I also granted the delegated "API Permissions" "CustomSecAttributeAssignment.ReadWrite.All". This permissions is not enough though. The Graph API returns either zero customSecurityAttributes (read) or denies the PATCH request with authorization denied.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,188 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 98,676 Reputation points MVP
    2024-05-24T06:21:14.85+00:00

    Managing custom security attributes is an admin-level operation, you cannot delegate it to the end users themselves. Well you can, but you cannot restrict it as you've already noticed.


0 additional answers

Sort by: Most helpful