Cyber SecurityMicrosoft Entra ID

Step-by-Step Guide: Configure Entra ID lifecycle workflow to use Custom Security Attributes

In my previous blog post, I explained how to use Entra ID lifecycle workflow to trigger actions based on user attribute changes. You can find the step-by-step guide here: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes. In that post, I used an attribute assigned to a set of users to define the workflow scope. Now, we can also use Custom Security Attributes values of users to further customise the workflow scope.

Custom Security Attributes

In Microsoft Entra ID, Custom Security attributes are used to store information, group objects, or provide fine-grained access control to Azure resources. These attributes can be used not only with cloud-only users but also with directory-synced users from on-premises Active Directory. To add a custom security attribute to Entra ID users, follow the guide on adding or deactivating custom security attribute definitions in Microsoft Entra ID.

Use Case

In this demo I am trying to cover the following use case. I already has an Entra ID lifecycle workflow for Rebeladmin Engineering Team. In their workflow scope is based on department attribute value.

Entra ID lifecycle workflow execution condition

I am going to extend this further by using a Custom Security Attribute to filter users who are in the engineering department and also part of the Project A engineering team. To achieve this, I will use the ProjectA custom attributes set and the ProjectTeam Custom Security Attribute that I have already set up.

Custom security attributes set
Custom Security attribute

Prerequisites

  1. To create or modify an Entra ID lifecycle workflow, you need the Lifecycle Workflow Administrator role. 
  2. To view or use Custom Security attributes values, you need the Attribute Assignment Administrator role, which is not assigned to Global Administrators by default.
  3. Existing Entra ID lifecycle workflow – Custom Security attributes can be used to further customise the user scope. However, they cannot be used as the primary attribute for the workflow scope. A Lifecycle workflow cannot rely solely on a Custom Security attribute value; it must be used in conjunction with another primary attribute value. For example, in my demo, I will use a workflow lifecycle that already uses the department attribute value to scope users.

Configuration

Let’s go ahead and see how we can configure the Entra ID lifecycle workflow to use Custom Security Attributes

  1. Log into the Entra ID portal at https://entra.microsoft.com/ with the roles of Lifecycle Workflow Administrator and Attribute Assignment Administrator.
  2. Navigate to Identity Governance > Lifecycle Workflows.
  3. Open the Entra ID Lifecycle Workflow by selecting it to access its properties.
existing Entra ID lifecycle workflow
  1. Go to Execution Conditions and select Scope Details.
Entra ID lifecycle workflow scope details
  1. Click on + Add Expression.
Entra ID lifecycle workflow add expression
  1. From the list, choose the Custom Security Attribute value. For this demo, it’s set to customSecurityAttributes/ProjectA/ProjectTeam.
Custom Security Attribute
  1. Set the value according to your requirements. In this example, we’re targeting users in the Project A Engineering team.
Custom Security Attribute value
  1. Click Save to apply your changes.

Testing

The Entra ID Lifecycle Workflow is now configured to use Custom Security Attributes. Let’s see it in action:

  • I have a user with the Custom Security Attributes value assigned as defined in the workflow.
assigned custom security attribute
  • This user is also a member of the Engineering department.
department value

Once the workflow is processed, let’s go to Lifecycle Workflows and select the workflow we modified. Under Workflow History, we can verify that the user has been successfully added to the group.

processed Entra ID Lifecycle Workflow

I hope you now have a better understanding of how to use Entra ID Lifecycle Workflow with custom security attributes. If you have any questions, feel free to contact me at rebeladm@live.com.

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: How to setup Entra ID Restricted management Administrative Units ?

In my previous blog post, I discussed what Entra ID Administrative Units are and how they can be…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *