Setting Up Custom Security Attributes with Microsoft Graph in Azure


So, you’ve probably heard about custom security attributes in Azure AD, right? If not, let me break it down for you. Azure AD lets the cool tech folks (like you and me) craft our own attributes in the directory. Think of it as putting a custom sticker or label on certain users. Maybe you’ve got people working in specific departments or on particular projects? These custom attributes are like those name tags at networking events but way less awkward. And the best part? These can be a game-changer when you’re setting up stuff like conditional access policies.

Before diving deep, you’ll need the Microsoft.Graph module. It’s your gateway to all things Microsoft Graph when you’re in the PowerShell realm.

Alright, setting up a custom attribute. There is no dedicated cmdlet for this one, so the workaround is to post a schema extension definition straight to the Graph endpoint with Invoke-MgGraphRequest:

# First things first, connect to Graph with the scope that schema extensions need
Connect-MgGraph -Scopes "Application.ReadWrite.All"


# Details for our new attribute (a schema extension definition).
# Pass a bare name as the id and Graph completes it to ext{8 random chars}_DepartmentCode
$attributeDetails = @{
    id          = "DepartmentCode"
    description = "Department code used to tag users for policy targeting"
    targetTypes = @("User")
    properties  = @(
        @{ name = "DepartmentCode"; type = "String" }
    )
} | ConvertTo-Json -Depth 5


# Now, make it real. Keep the response: its id is what you use to read and write values
$extension = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/schemaExtensions" -Body $attributeDetails
$extension.id
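Before you build anything on top of the new attribute, it is worth writing a value onto one user and reading it back, which also shows how the extension id shapes the request and response bodies. This is an added example, not code from the original post; it assumes $extension still holds the object returned by the POST above, that the signed-in account has User.ReadWrite.All, and uses a constructed sample UPN that you would replace with a real one.

```powershell
# Added example: tag one user with the new attribute and confirm it round-trips.
# Assumes $extension is the schemaExtension object returned by the POST above.
Connect-MgGraph -Scopes "User.ReadWrite.All"

$extId   = $extension.id                        # e.g. extabcd1234_DepartmentCode (tenant specific)
$userUpn = "finance.user@contoso.example"       # constructed sample UPN, replace with a real one

# The body is keyed by the extension id, with the extension's own properties nested inside
$patchBody = @{ $extId = @{ DepartmentCode = "FIN-01" } } | ConvertTo-Json -Depth 5
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$userUpn" -Body $patchBody

# Extension properties are not returned by default, so ask for them explicitly with $select.
# The URI is built by concatenation so PowerShell does not try to expand "$select" as a variable.
$getUri = "https://graph.microsoft.com/v1.0/users/$userUpn" + '?$select=id,displayName,' + $extId
$user   = Invoke-MgGraphRequest -Method GET -Uri $getUri

# Invoke-MgGraphRequest returns a hashtable, so index by the extension id and then by property name
$user[$extId].DepartmentCode    # expect FIN-01
```

Two things to keep in mind: a freshly created schema extension sits in InDevelopment status, which is fine here because the same Graph PowerShell application that created it is the owner and is allowed to read and write its values; and if the read-back comes up empty, check that the id in $select matches the id Graph generated rather than the name you supplied.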

Setting Conditional Access with Microsoft Graph in PowerShell

Let’s figure out who’s in the “Finance Department” first:

# Ensure you're riding the Graph train, with the rights the rest of this walkthrough needs
Connect-MgGraph -Scopes "Group.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"


# Snag the Finance folks
$financeGroup = Get-MgGroup -Filter "displayName eq 'Finance Department'"
$groupId = $financeGroup.Id

Time to pinpoint our office’s IP:

# An IP named location: Graph needs the @odata.type markers on both the location and each range.
# Conditional Access evaluates the public egress IP it sees, so use the office's public CIDR here
$officeIP = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "OfficeLocation"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "192.168.1.0/24"
        }
    )
} | ConvertTo-Json -Depth 5


$officeSpot = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" -Body $officeIP

Now, for the grand finale: ensuring our Finance pals can only peek into Azure stuff when they’re at the office:

# "Only from the office" means: include every location, exclude the trusted office one, and block.
# Including only the office with a block control would do the opposite and lock them out at their desks.
$policyDetails = @{
    displayName = "FinanceTeamOfficeAccess"
    state       = "enabled"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{
            includeApplications = @("All")    # narrow this to specific app ids if "all of Azure" is too broad
        }
        users = @{
            includeGroups = @($groupId)
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($officeSpot.id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
} | ConvertTo-Json -Depth 10    # the default depth of 2 would flatten the nested conditions into strings


# Roll out the red carpet for our new policy
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $policyDetails
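A block policy that misfires locks real people out, so read the policy back and check that it points at the right group and the right location before you trust it, and lean on report-only mode while you watch the sign-in logs. This is an added example, not code from the original post; it assumes $groupId and $officeSpot from the steps above and the scopes already granted to Connect-MgGraph.

```powershell
# Added example: verify the policy we just created and park it in report-only mode for review.
# Assumes $groupId and $officeSpot are still in the session from the steps above.
$policyName = "FinanceTeamOfficeAccess"

# List the policies and pick ours client-side (Invoke-MgGraphRequest returns a hashtable with a .value array)
$policies = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies").value
$policy   = $policies | Where-Object { $_.displayName -eq $policyName } | Select-Object -First 1

# Re-read the named location so the trust flag is checked against what the tenant actually stored
$location = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations/$($officeSpot.id)"

# Each check is a plain boolean; anything false means the policy is not doing what the post describes
$checks = [ordered]@{
    "policy exists"               = $null -ne $policy
    "Finance group is included"   = $policy.conditions.users.includeGroups -contains $groupId
    "all locations are in scope"  = $policy.conditions.locations.includeLocations -contains "All"
    "office location is excluded" = $policy.conditions.locations.excludeLocations -contains $officeSpot.id
    "office location is trusted"  = $location.isTrusted -eq $true
    "control is block"            = $policy.grantControls.builtInControls -contains "block"
}
$checks.GetEnumerator() | ForEach-Object { "{0,-30} {1}" -f $_.Key, $_.Value }

# Report-only logs what the policy would have done without enforcing it; flip back to "enabled"
# once the sign-in logs show Finance users outside the office being caught and nobody else
if ($checks.Values -contains $false) {
    $reportOnly = @{ state = "enabledForReportingButNotEnforced" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.id)" -Body $reportOnly
    Write-Warning "One or more checks failed; policy '$policyName' switched to report-only"
}
```

The PATCH body only carries the state property, which is all a partial update needs; the same pattern with state = "enabled" re-enforces the policy once you are happy with what the report-only results show.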

That’s it! With some PowerShell magic and a dash of Microsoft Graph, you’re all set to rock custom attributes and conditional access in Azure. Go you!


Author: João Paulo Costa

MCP, MCT, MCSA, MCITP, MCTS, MS, Azure Solutions Architect, Azure Administrator, Azure Network Engineer, Azure Fundamentals, Microsoft 365 Enterprise Administrator Expert, Microsoft 365 Messaging Administrator, ITIL v3.
