Troubleshoot custom security attributes in Microsoft Entra ID

Symptom - Add attribute set is disabled

When you're signed in to the Microsoft Entra admin center and try to select the Custom security attributes > Add attribute set option, the option is disabled.

Screenshot of Add attribute set option disabled in Microsoft Entra admin center.

Cause

You don't have permissions to add an attribute set. To add an attribute set and custom security attributes, you must be assigned the Attribute Definition Administrator role. By default, Global Administrator and other administrator roles don't have permissions to read, define, or assign custom security attributes.

Solution

Make sure that you're assigned the Attribute Definition Administrator role at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.

Symptom - Error when you try to assign a custom security attribute

When you try to save a custom security attribute assignment, you get the message:

Insufficient privileges to save custom security attributes
This account does not have the necessary admin privileges to change custom security attributes

Cause

You don't have permissions to assign custom security attributes. To assign custom security attributes, you must be assigned the Attribute Assignment Administrator role. By default, Global Administrator and other administrator roles don't have permissions to read, define, or assign custom security attributes.

Solution

Make sure that you're assigned the Attribute Assignment Administrator role at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.

Symptom - Cannot filter custom security attributes for users or applications

Cause 1

You don't have permissions to filter custom security attributes. To read and filter custom security attributes for users or enterprise applications, you must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role. By default, Global Administrator and other administrator roles don't have permissions to read, define, or assign custom security attributes.

Solution 1

Make sure that you're assigned the Attribute Assignment Reader or Attribute Assignment Administrator role at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.

Cause 2

You're assigned the Attribute Assignment Reader or Attribute Assignment Administrator role, but you haven't been assigned access to an attribute set.

Solution 2

You can delegate the management of custom security attributes at the tenant scope or at the attribute set scope. Make sure you have been assigned access to an attribute set at either the tenant scope or attribute set scope. For more information, see Manage access to custom security attributes in Microsoft Entra ID.

Cause 3

There are no custom security attributes defined and assigned yet for your tenant.

Solution 3

Add and assign custom security attributes to users or enterprise applications. For more information, see Add or deactivate custom security attribute definitions in Microsoft Entra ID, Assign, update, list, or remove custom security attributes for a user, or Assign, update, list, or remove custom security attributes for an application.
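The role and scope checks called for in the solutions above can be scripted. The following is an added example, not part of the original article: it assumes the Microsoft Graph PowerShell SDK is installed, uses `Engineering` as a placeholder attribute set name, and reports only direct, active role assignments for the object ID you pass in.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance
param(
    [Parameter(Mandatory)] [string] $PrincipalId,    # object ID of the account to check
    [string] $AttributeSet = 'Engineering'           # placeholder attribute set name (assumption)
)

# Delegated read permission for directory role assignments.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' | Out-Null

# The three roles named in the causes above.
$roleNames = 'Attribute Definition Administrator',
             'Attribute Assignment Administrator',
             'Attribute Assignment Reader'

# Resolve each role's definition ID so assignments can be matched by ID.
$roleIdToName = @{}
foreach ($name in $roleNames) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if ($def) { $roleIdToName[$def.Id] = $name }
}

# Direct, active assignments only: roles granted through a group or held
# as PIM-eligible assignments are not returned by this filter.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "principalId eq '$PrincipalId'" |
    Where-Object { $roleIdToName.ContainsKey($_.RoleDefinitionId) }

# Tenant scope is '/', attribute set scope is '/attributeSets/<name>'.
$setScope = "/attributeSets/$AttributeSet"
foreach ($name in $roleNames) {
    $scopes = @($assignments |
        Where-Object { $roleIdToName[$_.RoleDefinitionId] -eq $name } |
        ForEach-Object DirectoryScopeId)
    [pscustomobject]@{
        Role              = $name
        TenantScope       = $scopes -contains '/'
        AttributeSetScope = $scopes -contains $setScope
        AllScopes         = $scopes -join ', '
    }
}
```

A row that shows `False` in both scope columns for the role a symptom requires points to the missing assignment; a Global Administrator with no rows set to `True` is the expected default state.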

Symptom - Custom security attributes cannot be deleted

Cause

You can only activate and deactivate custom security attribute definitions. Deletion of custom security attributes isn't supported. Deactivated definitions don't count toward the tenant-wide limit of 500 definitions.

Solution

Deactivate the custom security attributes you no longer need. For more information, see Add or deactivate custom security attribute definitions in Microsoft Entra ID.

Symptom - Cannot add a role assignment at an attribute set scope using PIM

When you try to add an eligible Microsoft Entra role assignment using Microsoft Entra Privileged Identity Management (PIM), you cannot set the scope to an attribute set.

Cause

PIM currently doesn't support adding an eligible Microsoft Entra role assignment at an attribute set scope.
