
Custom Security Attributes and why we chose this pathway

Modified on Thu, 5 Feb at 6:25 PM


⭐ Benefits of Azure Custom Security Attributes

Microsoft Entra Custom Security Attributes are business‑specific key–value attributes that can be assigned to users, service principals, and applications. They enable deeper governance, data organization, and fine‑grained access control.

Below are the major benefits:


1. Store Business‑Specific Information

Custom security attributes let you extend identity profiles with additional fields tailored to your organization, without altering the base schema. In HP Authentication Manager's case, we store users' Card/Badge identities and other user-specific custom values.
[learn.microsoft.com]


2. Fine‑Grained Access Control with Azure ABAC

Custom attributes integrate with Azure Attribute-Based Access Control (ABAC), enabling conditional, attribute‑driven permissions.

Benefits include:

  • Restrict access to resources such as Azure Storage blobs based on project or classification tags.
  • Reduce the number of role assignments by using attribute‑based conditions.
  • Improve security posture by tying access to identity attributes instead of shared keys or SAS tokens.    [thetechtrails.com], [techcommun…rosoft.com]

3. Scoped and Secure Storage of Sensitive Information

Unlike extension attributes, custom security attributes can be locked down so only authorized administrators can view or modify them.

This enables storing sensitive information safely inside Entra ID.    [techcommun…rosoft.com]


4. Better Organizational Governance & Attribute Management

Custom attributes support:

  • Grouping into attribute sets for organized administration.
  • Role‑based governance using dedicated attribute management roles (e.g., Attribute Definition Administrator, Attribute Assignment Administrator).
  • Assigning roles at tenant or attribute‑set scope for granular delegation.    [docs.azure.cn]

5. Flexible Data Types & Structures

Custom security attributes support:

  • Multiple data types (Boolean, integer, string)
  • Single or multi‑value formats
  • Predefined or free‑form values

This flexibility makes it easier to model real business scenarios.    [learn.microsoft.com]


6. Enhanced Filtering & Reporting

You can query Azure AD/Entra objects using custom attribute filters, enabling:

  • Cleaner application inventory management
  • Easier auditing
  • Category‑based reporting of applications & identities    [learn.microsoft.com]

7. Supports On‑Prem AD Synced Users

If your environment uses hybrid identity, custom security attributes can also be assigned to directory‑synced users.    [learn.microsoft.com]


Summary

Benefit Category                Description
Business Customization          Add business‑specific identity attributes.
Fine‑Grained Access Control     Enable ABAC for highly targeted permissions.
Security & Compliance           Restrict access to sensitive attributes via scoped RBAC.
Governance & Delegation         Attribute sets and dedicated admin roles support structured governance.
Data Flexibility                Multi‑type, multi‑value, predefined or free‑form options.
Improved Inventory & Reporting  Use attributes for filtering, categorizing, and auditing.
Hybrid Support                  Works with directory‑synced users.



⭐Why does Microsoft allow HP Authentication Manager custom attribute set names to be deactivated but not deleted?


1. Are there any security risks in not being able to delete attribute set names?

The inability to delete attribute sets (or their contained custom security attribute definitions) does not introduce security risks. Microsoft Entra’s design relies on deactivation rather than deletion to preserve the integrity and traceability of directory data.

2. Why this poses no security risk

  • Deactivated attributes cannot be used going forward.
    Once an attribute or attribute set is deactivated, it is completely unavailable for assignment or operational use. This prevents any new references from being created while still retaining historical consistency. [learn.microsoft.com]

  • Historical references remain intact for audit and integrity.
    If attributes could be deleted outright, any historical event logs, audit trails, or existing identity records referencing that attribute could become inconsistent or corrupted. Maintaining these references is essential for regulatory compliance and troubleshooting. [learn.microsoft.com]

  • Directory schema stability is critical.
    Custom attributes can be tied to policies, service principals, API connectors, and preview features. Deleting them could break these dependencies unexpectedly. Deactivation ensures the attribute no longer functions without destabilizing the directory. [learn.microsoft.com]

In short: deactivation removes future risk while preserving past accuracy—a principle aligned with identity governance best practices.




⭐Is using Custom Security Attributes Safe?



The HP Authentication Manager Enterprise service principal is the only identity that needs permission to write a user’s Card ID into the Custom Security Attributes. When a user adds or updates a card, the HP Authentication Manager Enterprise app performs the update on the user’s behalf after the user successfully completes Azure AD authentication.


This ensures that card updates always originate from authenticated user actions and that the application remains the single trusted source for attribute changes.


Assigning the Custom Attribute Assignment Administrator role to a standard (non‑Global Admin) user is optional and should only be considered if the business requires the ability to manually delete a user’s Card ID—for example, when managing lost, stolen, or reused cards.


Even then, the role can be granted temporarily, with access limited to the duration needed to perform the cleanup.

However, assigning this role to a general user is not recommended.


If the organization uses other vendors or third‑party applications that also rely on Custom Security Attributes, a user with this role could accidentally modify or delete attributes belonging to those other systems.


To avoid this risk, it is best not to assign this role to any human user and instead rely exclusively on the HP Authentication Manager Enterprise application, which is specifically coded to interact only with the correct, designated attribute set.

It’s also important to note that a Global Administrator can always assign this role to themselves. While a Global Admin could manually delete Card ID attributes, this is not a security risk: if a Global Admin removes a user’s Card ID, the next time the user signs in, the HP Authentication Manager Enterprise app will automatically detect the missing value and recreate it.


⭐Why your app works the way it does


Your HP Authentication Manager Enterprise service principal is correctly assigned permissions so it can:


  • Write the user’s Card ID
  • Re‑create missing values at next login 
  • Act on behalf of the user after authentication


This is fully aligned with Microsoft’s design: apps, not users, manage custom attribute values.
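The write-on-behalf-of-the-user and re-create-if-missing behaviour described in the last two sections, as an added Python example (this is not HP's or Microsoft's code). The attribute set name HPAuthManager and the attribute CardId are assumed names, since the article does not give the real ones; the payload shape follows the Microsoft Graph customSecurityAttributes format for users.

```python
"""Added example, not HP's or Microsoft's code: the Microsoft Graph PATCH body an
app like the HP Authentication Manager Enterprise service principal would send to
store a user's Card ID in a custom security attribute, plus the 'recreate it if
missing' check performed at sign-in. The attribute set 'HPAuthManager' and the
attribute 'CardId' are assumed names; the real ones are not given in the article."""
from typing import Any, Dict, Optional

ATTRIBUTE_SET = "HPAuthManager"   # assumed: the app's single designated attribute set
ATTRIBUTE_NAME = "CardId"         # assumed: a single-valued string attribute
# Graph requires this @odata.type on every attribute-set object in the payload.
CSA_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"


def current_card_id(user: Dict[str, Any]) -> Optional[str]:
    """Read CardId from a user object fetched with
    GET /users/{id}?$select=customSecurityAttributes
    (application permission CustomSecAttributeAssignment.Read.All)."""
    sets = user.get("customSecurityAttributes") or {}
    return (sets.get(ATTRIBUTE_SET) or {}).get(ATTRIBUTE_NAME)


def card_patch_body(attribute_set: str, card_id: Optional[str]) -> Dict[str, Any]:
    """Body for PATCH /users/{id} (CustomSecAttributeAssignment.ReadWrite.All).
    A null value clears the single-valued attribute. The app refuses to write to
    any set other than its own, so it cannot disturb other vendors' attributes."""
    if attribute_set != ATTRIBUTE_SET:
        raise PermissionError(f"app is scoped to attribute set {ATTRIBUTE_SET!r}")
    return {"customSecurityAttributes": {
        attribute_set: {"@odata.type": CSA_TYPE, ATTRIBUTE_NAME: card_id}}}


def reconcile_at_sign_in(user: Dict[str, Any], presented_card_id: str) -> Optional[dict]:
    """After the user has authenticated and presented a card: return the PATCH body
    needed to store (or re-create) the Card ID, or None if it is already correct."""
    if current_card_id(user) == presented_card_id:
        return None
    return card_patch_body(ATTRIBUTE_SET, presented_card_id)


# Constructed sample Graph user objects (not real tenant data).
USER_WITH_CARD = {"id": "user-1", "customSecurityAttributes": {
    ATTRIBUTE_SET: {"@odata.type": CSA_TYPE, ATTRIBUTE_NAME: "0123456789"}}}
USER_CARD_REMOVED = {"id": "user-2", "customSecurityAttributes": None}  # admin cleared it

if __name__ == "__main__":
    print(reconcile_at_sign_in(USER_WITH_CARD, "0123456789"))     # None: nothing to do
    print(reconcile_at_sign_in(USER_CARD_REMOVED, "0123456789"))  # PATCH body re-creating it
```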



FAQ

What are custom security attributes?

What are custom security attribute roles used for?

Are custom security attributes safe to use?
