Microsoft Entra ID · Identity Governance

Attribute Assignment Administrator

Assign custom security attribute keys and values to supported Microsoft Entra objects like users, service principals, and devices.

Scope: Assignment of custom security attribute values to Entra objects

Permissions

  • Assign custom security attributes to users
  • Assign attributes to service principals
  • Assign attributes to devices
  • Update attribute values
  • Remove attribute assignments

Common use cases

  • Tagging users with security classifications
  • Assigning project attributes
  • Setting compliance attributes
  • Device classification tagging
  • Application sensitivity labeling

Best practices

  • Follow defined attribute standards
  • Validate attribute values
  • Document assignment decisions
  • Coordinate with definition admins
  • Audit attribute changes

Security considerations

  • Attribute changes can affect access
  • Bulk assignment needs careful review
  • Audit all attribute modifications
  • Consider automation for consistency

Common questions

When should I assign the Attribute Assignment Administrator role?

Assign Attribute Assignment Administrator when you need to: Tagging users with security classifications; Assigning project attributes; Setting compliance attributes; Device classification tagging; and Application sensitivity labeling. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Attribute Assignment Administrator role do?

The Attribute Assignment Administrator role grants permissions including: Assign custom security attributes to users; Assign attributes to service principals; Assign attributes to devices; Update attribute values; and Remove attribute assignments. See the Permissions section above for the full list.

What are the security risks of the Attribute Assignment Administrator role?

Key considerations when assigning Attribute Assignment Administrator: Attribute changes can affect access; Bulk assignment needs careful review; Audit all attribute modifications; and Consider automation for consistency. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →