Microsoft Entra ID · Identity Governance
Attribute Assignment Administrator
Assign custom security attribute keys and values to supported Microsoft Entra objects like users, service principals, and devices.
Scope: Assignment of custom security attribute values to Entra objects
Permissions
- Assign custom security attributes to users
- Assign attributes to service principals
- Assign attributes to devices
- Update attribute values
- Remove attribute assignments
Common use cases
- Tagging users with security classifications
- Assigning project attributes
- Setting compliance attributes
- Device classification tagging
- Application sensitivity labeling
Best practices
- Follow defined attribute standards
- Validate attribute values
- Document assignment decisions
- Coordinate with definition admins
- Audit attribute changes
Security considerations
- Attribute changes can affect access
- Bulk assignment needs careful review
- Audit all attribute modifications
- Consider automation for consistency
Common questions
When should I assign the Attribute Assignment Administrator role?
Assign Attribute Assignment Administrator when you need to: Tagging users with security classifications; Assigning project attributes; Setting compliance attributes; Device classification tagging; and Application sensitivity labeling. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Attribute Assignment Administrator role do?
The Attribute Assignment Administrator role grants permissions including: Assign custom security attributes to users; Assign attributes to service principals; Assign attributes to devices; Update attribute values; and Remove attribute assignments. See the Permissions section above for the full list.
What are the security risks of the Attribute Assignment Administrator role?
Key considerations when assigning Attribute Assignment Administrator: Attribute changes can affect access; Bulk assignment needs careful review; Audit all attribute modifications; and Consider automation for consistency. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.