| Read attribute assignments for users and applications (service principals) |||:heavy_check_mark:||:heavy_check_mark:|
63
63
| Add or edit attribute sets ||:heavy_check_mark:||||
64
64
| Add, edit, or deactivate attribute definitions ||:heavy_check_mark:||||
@@ -101,8 +101,8 @@ Once you have a better understanding of how your attributes will be organized an
101
101
| <ul><li>Read attribute definitions in a scoped attribute set</li><li>Read attribute assignments that use attributes in a scoped attribute set for users</li><li>Read attribute assignments that use attributes in a scoped attribute set for applications (service principals)</li><li>[Assign attributes in a scoped attribute set to users](../enterprise-users/users-custom-security-attributes.md)</li><li>[Assign attributes in a scoped attribute set to applications (service principals)](../manage-apps/custom-security-attributes-apps.md)</li><li>[Author Azure role assignment conditions that use the Principal attribute for all attributes in a scoped attribute set](../../role-based-access-control/conditions-format.md#attributes)</li><li>**Cannot** read attributes in other attribute sets</li><li>**Cannot** read attribute assignments that use attributes in other attribute sets</li></ul> | [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator) | <br/>Attribute set |
102
102
| <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute definitions in a tenant</li></ul> |[Attribute Definition Reader](../roles/permissions-reference.md#attribute-definition-reader)|<br/>Tenant |
103
103
| <ul><li>Read attribute definitions in a scoped attribute set</li><li>**Cannot** read other attribute sets</li></ul> |[Attribute Definition Reader](../roles/permissions-reference.md#attribute-definition-reader)|<br/>Attribute set |
104
-
| <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute assignments in a tenant for users</li><li>Read all attribute assignments in a tenant for applications (service principals)</li></ul> |[Attribute Assignment Reader](../roles/permissions-reference.md#attribute-assignment-reader)|<br/>Tenant |
105
-
| <ul><li>Read attribute assignments that use attributes in a scoped attribute set for users</li><li>Read attribute assignments that use attributes in a scoped attribute set for applications (service principals)</li><li>**Cannot** read attribute assignments that use attributes in other attribute sets</li></ul> |[Attribute Assignment Reader](../roles/permissions-reference.md#attribute-assignment-reader)|<br/>Attribute set |
104
+
| <ul><li>Read all attribute sets in a tenant</li><li>Read all attribute definitions in a tenant</li><li>Read all attribute assignments in a tenant for users</li><li>Read all attribute assignments in a tenant for applications (service principals)</li></ul> |[Attribute Assignment Reader](../roles/permissions-reference.md#attribute-assignment-reader)|<br/>Tenant |
105
+
| <ul><li>Read attribute definitions in a scoped attribute set</li><li>Read attribute assignments that use attributes in a scoped attribute set for users</li><li>Read attribute assignments that use attributes in a scoped attribute set for applications (service principals)</li><li>**Cannot** read attributes in other attribute sets</li><li>**Cannot** read attribute assignments that use attributes in other attribute sets</li></ul> |[Attribute Assignment Reader](../roles/permissions-reference.md#attribute-assignment-reader)|<br/>Attribute set |
106
106
107
107
## Step 6: Assign roles
108
108
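Review bot: The replacement Attribute Assignment Reader rows in this hunk add "Read all attribute definitions in a tenant" / "Read attribute definitions in a scoped attribute set" and a "**Cannot** read attributes in other attribute sets" bullet; that attribute-set-scope boundary should only be documented if the limitation whose NOTE is removed later in this same change (attribute-set-scoped assignees can currently see other attribute sets and definitions) is actually resolved, because administrators scoping a reader role to one attribute set will treat this table as the least-privilege boundary. Also consider aligning the wording with the Attribute Definition Reader row directly above, which says "**Cannot** read other attribute sets", so both scoped rows describe the restriction the same way.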
@@ -128,9 +128,6 @@ To grant access to the appropriate people, follow these steps to assign one of t
128
128
129
129
> [!NOTE]
130
130
> If you are using Azure AD Privileged Identity Management (PIM), eligible role assignments at attribute set scope currently aren't supported. Permanent role assignments at attribute set scope are supported, but the **Assigned roles** page for a user doesn't list the role assignments.
131
-
132
-
> [!NOTE]
133
-
> Users with attribute set scope role assignments currently can see other attribute sets and custom security attribute definitions.
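Review bot: Removing the second NOTE (old lines 132-133) drops the only warning that attribute-set-scope assignees could see other attribute sets and custom security attribute definitions; that is only safe if the Step 5 table changed earlier in this diff now reflects the enforced boundary (its new rows state "**Cannot** read attributes in other attribute sets"), so please confirm both hunks describe the same product behaviour before merging. The remaining PIM NOTE, which says the **Assigned roles** page for a user doesn't list attribute-set-scope assignments, is worth keeping as is, since the troubleshooting change in this diff also stops directing users to that page.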
@@ -77,19 +77,36 @@ To use principal (user) attributes, you must have all of the following: Azure AD
77
77
You don't meet the prerequisites. To use principal attributes, you must have **all** of the following:
78
78
79
79
- Azure AD Premium P1 or P2 license
80
-
- Azure AD permissions for signed-in user, such as the [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator) role
80
+
- Azure AD permissions for the signed-in user to read at least one attribute set
81
81
- Custom security attributes defined in Azure AD
82
82
83
-
> [!IMPORTANT]
84
-
> By default, [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes.
85
-
86
83
**Solution**
87
84
88
-
1. Open **Azure Active Directory** > **Overview** and check the license for your tenant.
85
+
1. Open **Azure Active Directory** > **Custom security attributes**.
86
+
87
+
If the **Custom security attributes** page is disabled, you don't have an Azure AD Premium P1 or P2 license. Open **Azure Active Directory** > **Overview** and check the license for your tenant.
88
+
89
+

90
+
91
+
If you see the **Get started** page, you don't have permissions to read at least one attribute set or custom security attributes haven't been defined yet.
92
+
93
+

94
+
95
+
1. If custom security attributes have been defined, assign one of the following roles at tenant scope or attribute set scope. For more information, see [Manage access to custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-manage.md).
> By default, [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes.
104
+
105
+
1. If custom security attributes haven't been defined yet, assign the [Attribute Definition Administrator](../active-directory/roles/permissions-reference.md#attribute-definition-administrator) role at tenant scope and add custom security attributes. For more information, see [Add or deactivate custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-add.md).
89
106
90
-
1. Open **Azure Active Directory** > **Users** > *user name* > **Assigned roles** and check if the Attribute Assignment Administrator role is assigned to you. If not, ask your Azure AD administrator to you assign you this role. For more information, see [Assign Azure AD roles to users](../active-directory/roles/manage-roles-portal.md).
107
+
When finished, you should be able to read at least one attribute set. **Principal** should now appear in the **Attribute source** list when you add a role assignment with a condition.
91
108
92
-
1. Open **Azure Active Directory** > **Custom security attributes** to see if custom security attributes have been defined and which ones you have access to. If you don't see any custom security attributes, ask your Azure AD administrator to add an attribute set that you can manage. For more information, see [Manage access to custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-manage.md) and [Add or deactivate custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-add.md).
109
+

93
110
94
111
### Symptom - Principal does not appear in Attribute source when using PIM
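Review bot: The rewritten prerequisite "Azure AD permissions for the signed-in user to read at least one attribute set" drops the example role link from the removed line; keep a pointer to a concrete role (the [Attribute Assignment Administrator] link that was removed, or the roles linked from the solution steps) so a reader can tell which role grants that read access. In the visible new lines the "> By default, [Global Administrator] ... do not have permissions" blockquote now follows a numbered step without the `> [!IMPORTANT]` marker it carried at old line 83; confirm the marker was moved with it so it renders as a callout inside the list rather than as stray quoted text. The new ordering of checks (license first via the **Custom security attributes** page, then the **Get started** page for missing permissions or missing definitions) is clearer than the old steps, and dropping the step that sent users to **Users** > **Assigned roles** is consistent with the note elsewhere in this change that that page doesn't list attribute-set-scope assignments.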