Share via

Creating dynamic groups using custom security attributes

BWill77 0 Reputation points
2026-02-05T20:09:43.98+00:00

I'm wondering if it is possible to create a dynamic user security group using the value of a custom security attribute.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Matthews Msawenkosi Mhlwazi 26 Reputation points
    2026-02-06T02:45:20.8633333+00:00

    Hi BWill77. Please refer to the primary documentation titled "What are custom security attributes in Microsoft Entra ID?".

    "You can use custom security attributes to define dynamic membership rules for security groups or Microsoft 365 groups. For example, you can create a group that includes all users who have a specific custom security attribute value."

    Source Link: Custom security attributes overview - Microsoft Learn

    Since custom security attributes are categorized into "Attribute Sets," you must use a specific syntax in the Rule Editor (as they do not always appear in the simple dropdown builder). The format is:

    user.customSecurityAttributes.<AttributeSet>.<AttributeName> -eq "<Value>"

    Example: If you have an attribute set called HumanResources with an attribute named Clearance, the rule would look like this: user.customSecurityAttributes.HumanResources.Clearance -eq "Secret"

    Essential Requirements

    To successfully implement this, Microsoft Learn specifies the following prerequisites:

    • Licensing: You must have a Microsoft Entra ID P1 or P2 license.
    • Permissions: Even Global Administrators cannot manage these by default. You must be assigned the Attribute Definition Administrator or Attribute Assignment Administrator role to create or assign these attributes.
    • Object Type: Currently, these attributes can be assigned to Users and Enterprise Applications, allowing you to create dynamic user groups based on these values.

    Entra ID Custom Security Attributes Overview This video provides a visual demonstration of how to create and assign these attributes within the Entra ID portal.

     

    0 comments
  2. VEMULA SRISAI 9,265 Reputation points Microsoft External Staff Moderator
    2026-02-05T20:32:41.3933333+00:00

    Hello BWill77,

    At this time, Microsoft Entra ID does not support using Custom Security Attributes in dynamic group membership rules. These attributes whether single‑valued or multi‑valued—are not exposed to the dynamic group evaluation engine, so they cannot be referenced in a dynamic user security group rule.

    Dynamic membership rules can be found here - Supported properties.

    If you'd like this feature to be implemented, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this.

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments
  3. Vasil Michev 125.2K Reputation points MVP Volunteer Moderator
    2026-02-05T20:28:48.29+00:00

    Assuming you are referring to custom security attributes as detailed in this article, no, this is not currently possible. It is a common ask though, so Microsoft might add support at some point. For now, best leave feedback over at the Feedback portal: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.