Microsoft Entra ID · Identity Governance
Attribute Provisioning Administrator
Reads and edits provisioning configuration of custom security attributes for applications.
Scope: Configure how custom security attributes flow to provisioned applications
Permissions
- Read custom security attributes in sync schema
- Update attribute mappings in sync schema
- Read provisioning logs for attributes
Common use cases
- Setting up attribute provisioning
- Mapping attributes to target systems
- Troubleshooting attribute sync
Best practices
- Test attribute mappings in dev first
- Document attribute flows
- Monitor provisioning logs
Security considerations
- Cannot create attribute definitions
- Cannot directly assign attribute values
- Privileged role - can expose sensitive attributes
Common questions
When should I assign the Attribute Provisioning Administrator role?
Assign Attribute Provisioning Administrator when you need to: Setting up attribute provisioning; Mapping attributes to target systems; and Troubleshooting attribute sync. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Attribute Provisioning Administrator role do?
The Attribute Provisioning Administrator role grants permissions including: Read custom security attributes in sync schema; Update attribute mappings in sync schema; and Read provisioning logs for attributes. See the Permissions section above for the full list.
What are the security risks of the Attribute Provisioning Administrator role?
Key considerations when assigning Attribute Provisioning Administrator: Cannot create attribute definitions; Cannot directly assign attribute values; and Privileged role - can expose sensitive attributes. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.