You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/fundamentals/custom-security-attributes-overview.md
+11-5Lines changed: 11 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -56,13 +56,19 @@ Currently, you can add custom security attributes for the following Azure AD obj
56
56
- Azure AD enterprise applications (service principals)
57
57
- Managed identities for Azure resources
58
58
59
-
## How do custom security attributes compare with directory extensions?
59
+
## How do custom security attributes compare with extensions?
60
60
61
-
Here are some ways that custom security attributes compare with [directory extensions](../develop/active-directory-schema-extensions.md):
61
+
While both extensions and custom security attributes can be used to extend objects in Azure AD and Microsoft 365, they are suitable for fundamentally different custom data scenarios. Here are some ways that custom security attributes compare with [extensions](/graph/extensibility-overview):
62
62
63
-
- Directory extensions cannot be used for authorization scenarios and attributes because the access control for the extension attributes is tied to the Azure AD object. Custom security attributes can be used for authorization and attributes needing access control because the custom security attributes can be managed and protected through separate permissions.
64
-
- Directory extensions are tied to an application and share the lifecycle of an application. Custom security attributes are tenant wide and not tied to an application.
65
-
- Directory extensions support assigning a single value to an attribute. Custom security attributes support assigning multiple values to an attribute.
| Extend Azure AD and Microsoft 365 objects | Yes | Yes |
66
+
| Supported objects | Depends on the extension type | Users and service principals |
67
+
| Restricted access | No. Anyone with permissions to read the object can read the extension data. | Yes. Read and write access is restricted through a separate set of permissions and RBAC. |
68
+
| When to use | Store data to be used by an application <br/> Store non-sensitive data | Store sensitive data <br/> Use for authorization scenarios |
69
+
| License requirements | Available in all editions of Azure AD | Requires an Azure AD Premium P1 or P2 license |
70
+
71
+
For more information about working with extensions, see [Add custom data to resources using extensions](/graph/extensibility-overview).
0 commit comments