English / Microsoft Entra

New Attribute Provisioning admin roles in Microsoft Entra

2. January 2025

Microsoft Entra has been updated with two new admin roles. Both roles can be useful if an organization uses Custom Security Attributes and HR systems such as SAP.

Custom Security Attributes
Custom Security Attributes

The documentation for admin roles was extended with the roles in October 2024.

Attribute Provisioning Administrator

Template ID ecb2c6bf-0ab6-418e-bd87-7986f8d63bbe

Assign the Attribute Provisioning Administrator role to users who need to do the following tasks:

  • Read and write attribute mappings for custom security attributes when provisioning in an application.
  • Read and write provisioning and auditing logs for custom security attributes when provisioning in an application.

Users with this role cannot read audit logs for other events. This role must be used in conjunction with the Cloud Application Administrator or Application Administrator roles (from least to most privileged) to read provisioning configurations. This role is considered privileged because one or more of its permissions are privileged.

Attribute Provisioning Reader

Template ID 422218e4-db15-4ef9-bbe0-8afb41546d79

Assign the Attribute Provisioning Reader role to users who need to do the following tasks:

  • Read the attribute mappings for custom security attributes when provisioning in an application.
  • Read the provisioning and auditing logs for custom security attributes when provisioning in an application.

Users with this role cannot read audit logs for other events. This role must be used in conjunction with the Cloud Application Administrator or Application Administrator roles (from least to most privileged) to read provisioning configurations. This role is considered privileged because one or more of its permissions are privileged.


The roles relate to HR-driven provisioning and the Public Preview of “Provision custom security attributes from HR sources“.

Custom security attribute provisioning enables customers to set custom security attributes automatically using Microsoft Entra inbound provisioning capabilities. With this public preview, you can source values for custom security attributes from authoritative sources, such as those from HR systems. Custom security attribute provisioning supports the following sources: Workday, SAP SuccessFactors, and other integrated HR systems that use API-driven provisioning. The provisioning target is your Microsoft Entra ID tenant.

According to the documentation, accounts with the Attribute Provisioning Administrator role do not have permissions to create or modify Azure Enterprise applications. This task also requires the Application Administrator (or Cloud Application Administrator) role.

  • Application Administrator is required to create and update the provisioning app.
  • Attribute Provisioning Administrator is required to add or remove custom security attributes in the attribute mapping section of the provisioning app.
Provisioning in Azure Enterprise App
Provisioning in Azure Enterprise App

Tags:

Share
Avatar photo

Tobias Asböck

Tobias is a Senior System Engineer with around ten years of professional experience with Microsoft 365 products such as SharePoint Online, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *