The User.ReadWrite.All permission on its own is not sufficient, you must also have the CustomSecAttributeAssignment.Read.All or equivalent permission. Details are here: https://learn.microsoft.com/en-us/graph/custom-security-attributes-examples?tabs=http#prerequisites
Issues reading custom security attributes with Entra id and graph api
I am trying to access the custom attributes of my users with graph api. I've created an attribute set with attributes and I've set a few of them on my users for testing purpose. This is the code I'm using, I tried both the current and the beta version of the graph api nugget. The application I'm using to access the information has User.ReadWrite.All for both app and delegate. But when I execute this code, the property is always null.
var users = await graphClient.Users
.GetAsync(config =>
{
config.QueryParameters.Select = new[] { "Id", "DisplayName", "CustomSecurityAttributes" };
});
Also, I may be wrong but I've noticed that the endpoint doesn't match the model of the nugget library, the attribute is a IDictionnary<string, object> but in the documentation, we can see there is a list of attribute sets that contains the attribute list (Engineering attribute set, Project attribute), here is an example from the patch documentation from learn.microsoft.com:
PATCH https://graph.microsoft.com/v1.0/users/{id}
{
"customSecurityAttributes":
{
"Engineering":
{
"@odata.type":"#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
"Project@odata.type":"#Collection(String)",
"Project":["Baker","Cascade"]
}
}
}