Microsoft Entra ID · Identity Governance

Attribute Definition Administrator

Define and manage the definition of custom security attributes that can be assigned to supported Microsoft Entra objects.

Scope: Definition and schema management for custom security attributes

Permissions

  • Create attribute sets
  • Define custom security attributes
  • Activate/deactivate attributes
  • Manage attribute definitions
  • Configure attribute properties

Common use cases

  • Custom attribute schema design
  • Security classification attributes
  • Project-based access control attributes
  • Regulatory compliance tagging
  • Data residency classification

Best practices

  • Plan attribute schema carefully
  • Use consistent naming conventions
  • Document attribute purposes
  • Consider attribute lifecycle
  • Coordinate with assignment admins

Security considerations

  • Attributes can drive access decisions
  • Schema changes may impact policies
  • Global Admins cannot see attributes by default
  • Separate from assignment permissions

Common questions

When should I assign the Attribute Definition Administrator role?

Assign Attribute Definition Administrator when you need to: Custom attribute schema design; Security classification attributes; Project-based access control attributes; Regulatory compliance tagging; and Data residency classification. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Attribute Definition Administrator role do?

The Attribute Definition Administrator role grants permissions including: Create attribute sets; Define custom security attributes; Activate/deactivate attributes; Manage attribute definitions; and Configure attribute properties. See the Permissions section above for the full list.

What are the security risks of the Attribute Definition Administrator role?

Key considerations when assigning Attribute Definition Administrator: Attributes can drive access decisions; Schema changes may impact policies; Global Admins cannot see attributes by default; and Separate from assignment permissions. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →