Issues reading custom security attributes with Entra id and graph api

Robert Desbiens 40 Reputation points
2024-05-24T11:56:00.86+00:00

I am trying to access the custom attributes of my users with graph api. I've created an attribute set with attributes and I've set a few of them on my users for testing purpose. This is the code I'm using, I tried both the current and the beta version of the graph api nugget. The application I'm using to access the information has User.ReadWrite.All for both app and delegate. But when I execute this code, the property is always null.

        var users = await graphClient.Users

            .GetAsync(config =>

            {

                config.QueryParameters.Select = new[] { "Id", "DisplayName", "CustomSecurityAttributes" };

            });  

Also, I may be wrong but I've noticed that the endpoint doesn't match the model of the nugget library, the attribute is a IDictionnary<string, object> but in the documentation, we can see there is a list of attribute sets that contains the attribute list (Engineering attribute set, Project attribute), here is an example from the patch documentation from learn.microsoft.com:


PATCH https://graph.microsoft.com/v1.0/users/{id}
{
    "customSecurityAttributes":
    {
        "Engineering":
        {
            "@odata.type":"#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
            "Project@odata.type":"#Collection(String)",
            "Project":["Baker","Cascade"]
        }
    }
}

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,468 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,414 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vasil Michev 109.4K Reputation points MVP
    2024-05-24T16:22:53.7733333+00:00

    The User.ReadWrite.All permission on its own is not sufficient, you must also have the CustomSecAttributeAssignment.Read.All or equivalent permission. Details are here: https://learn.microsoft.com/en-us/graph/custom-security-attributes-examples?tabs=http#prerequisites


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.