Microsoft Entra ID · Identity Governance

Attribute Provisioning Administrator

Reads and edits provisioning configuration of custom security attributes for applications.

Scope: Configure how custom security attributes flow to provisioned applications

Permissions

  • Read custom security attributes in sync schema
  • Update attribute mappings in sync schema
  • Read provisioning logs for attributes

Common use cases

  • Setting up attribute provisioning
  • Mapping attributes to target systems
  • Troubleshooting attribute sync

Best practices

  • Test attribute mappings in dev first
  • Document attribute flows
  • Monitor provisioning logs

Security considerations

  • Cannot create attribute definitions
  • Cannot directly assign attribute values
  • Privileged role - can expose sensitive attributes

Common questions

When should I assign the Attribute Provisioning Administrator role?

Assign Attribute Provisioning Administrator when you need to: Setting up attribute provisioning; Mapping attributes to target systems; and Troubleshooting attribute sync. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Attribute Provisioning Administrator role do?

The Attribute Provisioning Administrator role grants permissions including: Read custom security attributes in sync schema; Update attribute mappings in sync schema; and Read provisioning logs for attributes. See the Permissions section above for the full list.

What are the security risks of the Attribute Provisioning Administrator role?

Key considerations when assigning Attribute Provisioning Administrator: Cannot create attribute definitions; Cannot directly assign attribute values; and Privileged role - can expose sensitive attributes. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →