To create a new custom security attribute definition:
- Sign in to the Microsoft Entra admin center as a Global Administrator, Attribute Administrator, or Privileged Role Administrator.
- Navigate to: Identity -> Custom security attributes -> + Add attribute set
- Define an attribute set name (used to group related attributes).
- Within that set, select + Add attribute to create a new attribute definition.
- Specify the attribute name, data type (string, integer, boolean), multi-valued or not, and allowed values if applicable.
- Choose whether the attribute is mutable or non-mutable and whether it can be assigned to users, applications, or service principals.
- Save your changes.
Once created, you can assign these attributes to directory objects via Graph API, PowerShell, or portal interfaces.
More at https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-overview and https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-define
To safely deactivate or remove attributes that are no longer required:
- Before removal, review whether any objects currently have values assigned for the attribute. Removing an attribute that’s still assigned can cause data loss and may affect dependent apps or policies.
- To deactivate:
  - Go to the specific attribute in the Entra portal.
  - Select Deactivate to make it unavailable for new assignments while retaining existing data.
  - This is recommended when you may need the attribute later or want to transition assignments gradually.
- To delete:
  - Ensure no assignments exist for that attribute (remove them first).
  - In the portal, select Delete for the attribute definition or its entire attribute set.
  - Once deleted, the attribute and its values are permanently removed.
Details at https://learn.microsoft.com/en-us/entra/fundamentals/custom-security-attributes-manage
To follow best practices, consider the following:
- Use attribute sets to logically group related attributes (e.g., HR, Finance) for easier management.
- Avoid deleting attributes immediately—deactivate first, confirm no dependencies, then remove.
- Audit periodically using Microsoft Graph to check where custom attributes are assigned.
- Document schema changes and communicate them to teams using those attributes in provisioning or access policies.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
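The same lifecycle (define, assign, audit for remaining assignments, then deactivate) scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the answer above. The attribute set name `Finance`, the attribute `CostCenter`, its allowed value and the user UPN are placeholders.

```powershell
# Added example: custom security attribute lifecycle via Microsoft Graph PowerShell.
# Placeholder names: attribute set "Finance", attribute "CostCenter", user UPN below.
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All",
                        "CustomSecAttributeAssignment.ReadWrite.All",
                        "User.Read.All"

# 1. Attribute set that groups related attributes (the set name cannot be renamed later).
New-MgDirectoryAttributeSet -Id "Finance" -Description "Finance attributes" -MaxAttributesPerSet 25

# 2. Attribute definition: single-valued, searchable string limited to predefined values.
#    The definition ID becomes "<set>_<name>", i.e. Finance_CostCenter.
New-MgDirectoryCustomSecurityAttributeDefinition -AttributeSet "Finance" -Name "CostCenter" `
    -Type "String" -Status "Available" -IsCollection:$false -IsSearchable:$true `
    -UsePreDefinedValuesOnly:$true
New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue `
    -CustomSecurityAttributeDefinitionId "Finance_CostCenter" -Id "CC100" -IsActive:$true

# 3. Assign the attribute to a user (placeholder UPN).
$assign = @{
    "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
    Finance = @{
        "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
        CostCenter    = "CC100"
    }
}
Update-MgUser -UserId "alice@contoso.example" -CustomSecurityAttributes $assign

# 4. Audit: list users that still carry the value before retiring the attribute.
#    Filtering on customSecurityAttributes requires ConsistencyLevel eventual and $count.
$stillAssigned = Get-MgUser -Filter "customSecurityAttributes/Finance/CostCenter eq 'CC100'" `
    -ConsistencyLevel eventual -CountVariable count -Property "id,displayName,customSecurityAttributes"
$stillAssigned | Select-Object DisplayName, Id

# 5. Clear the assignment (setting the value to null removes it) ...
$clear = @{
    "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
    Finance = @{
        "@odata.type" = "#microsoft.graph.customSecurityAttributeValue"
        CostCenter    = $null
    }
}
Update-MgUser -UserId "alice@contoso.example" -CustomSecurityAttributes $clear

# 6. ... then deactivate the definition so no new assignments can be made.
Update-MgDirectoryCustomSecurityAttributeDefinition `
    -CustomSecurityAttributeDefinitionId "Finance_CostCenter" -Status "Deprecated"
```

Run step 4 against every allowed value (or page through users and inspect `CustomSecurityAttributes`) before step 6, so that nothing depending on the attribute breaks when it is retired.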