Entra External Identities vs. Custom Security Attributes (Formerly Extension Attributes)
As organizations increasingly adopt cloud technologies, managing identities and access controls
1. Overview of Entra External Identities
Entra External Identities enable organizations to securely collaborate with external partners
Key Features:
- B2B Collaboration: Invite external users to your Azure AD and grant them access to resources.
- B2C Solutions: Build customer-facing applications with authentication mechanisms using Azure AD B2C.
- Secure Access: Apply policies and controls to external identities similar to internal users.
- Self-Service Capabilities: Allow external users to manage their profiles and reset their passwords.
2. Overview of Custom Security Attributes (Formerly Extension Attributes)
Custom Security Attributes in Azure AD provide a way to store additional information about directory objects
Key Features:
- Customization: Create custom attributes to store organization-specific data.
- Enhanced User Profiles: Add additional information fields to user profiles for better categorization and management.
- Flexible Integration: Use custom attributes in conjunction with conditional access policies
- API Access: Access and manage custom attributes through Microsoft Graph API.
3. Comparing Entra External Identities and Custom Security Attributes
Purpose and Use Cases
- Entra External Identities: Designed primarily for managing external users and providing them with secure access to resources. Ideal for scenarios involving partner collaborations, customer portals, or vendor access.
- Custom Security Attributes: Used to store additional information about directory objects within the organization. Suitable for scenarios where additional user data is needed for internal processes, compliance, or integration with other systems.
Management and Administration
- Entra External Identities: Managed through Azure AD with a focus on providing secure access and collaboration features for external users. Includes features like invitation management, access reviews, and multi-factor authentication (MFA).
- Custom Security Attributes: Managed by administrators who define and populate these attributes as needed. Custom attributes can be created and modified through the Azure portal or via PowerShell and Graph API.
Security and Compliance
- Entra External Identities: Offers robust security features such as conditional access policies, identity protection, and MFA specifically tailored for external users. Ensures that external users adhere to the same security standards as internal users.
- Custom Security Attributes: Enhance user profiles with additional data, which can be leveraged in security policies and compliance reporting. Useful for tagging users with specific attributes for detailed access control and compliance tracking.
Integration with Applications
- Entra External Identities: Seamlessly integrates with applications that require external user access, such as SharePoint, Teams, and custom web apps. Supports a wide range of identity providers for external user authentication.
- Custom Security Attributes: Can be integrated into applications and workflows that need additional user data. Custom attributes can be used in application logic, reporting, and personalized user experiences.
4. Integration with Microsoft Graph
Entra External Identities and Microsoft Graph
Microsoft Graph is a powerful API that provides access to a wide range of Microsoft 365 services. Entra External Identities can be managed and automated through Microsoft Graph, allowing for programmatic control over external user interactions.
Key Integrations:
- User Management: Create, update, and delete external users programmatically.
- Access Controls: Apply conditional access policies and monitor user activities.
- Reporting: Fetch detailed reports on external user access and activities.
Example: Adding an External User
{
    "uri": "https://graph.microsoft.com/v1.0/invitations",
    "method": "POST",
    "body": {
        "invitedUserEmailAddress": "[email protected]",
        "inviteRedirectUrl": "https://myapp.com",
        "sendInvitationMessage": true
    }
}
Custom Security Attributes and Microsoft Graph
Custom Security Attributes can also be managed through Microsoft Graph, allowing for dynamic and automated management of user profile data.
Key Integrations:
- Attribute Management: Create, update, and delete custom security attributes.
- Data Retrieval: Fetch and filter user data based on custom attributes.
- Policy Enforcement: Use custom attributes in conditional access policies.
Example: Updating a Custom Attribute
{
    "uri": "https://graph.microsoft.com/v1.0/users/{user-id}",
    "method": "PATCH",
    "body": {
        "extension_customAttribute": "value"
    }
}
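As an added example (not code from the article), the following Python walks a Microsoft Graph users response for guest users that lack a required custom security attribute and builds the PATCH body that assigns one. The sample response, the "Compliance" attribute set and the "VendorTier" attribute are constructed for illustration, and the payload uses Graph's customSecurityAttributes property rather than the extension_ naming shown in the request above.

```python
"""Audit B2B guests for a required custom security attribute (added example)."""
from typing import Any, Optional

# Constructed sample of the page returned by
#   GET /v1.0/users?$filter=userType eq 'Guest'&$count=true
#       &$select=id,userType,customSecurityAttributes
# (filtering on userType needs the ConsistencyLevel: eventual header).
# "Compliance" (attribute set) and "VendorTier" (attribute) are assumed names.
SAMPLE_USERS_PAGE: dict[str, Any] = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "userType": "Guest",
            "customSecurityAttributes": {
                "Compliance": {
                    "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
                    "VendorTier": "Tier2",
                }
            },
        },
        {   # no attribute assigned: Graph returns null for the whole property
            "id": "00000000-0000-0000-0000-000000000002",
            "userType": "Guest",
            "customSecurityAttributes": None,
        },
    ]
}

def read_attribute(user: dict[str, Any], attribute_set: str, attribute: str) -> Optional[Any]:
    """Value of attribute_set/attribute on a Graph user, or None when unassigned.
    Every level is optional: Graph returns null or omits the property entirely."""
    attrs = user.get("customSecurityAttributes") or {}
    return (attrs.get(attribute_set) or {}).get(attribute)

def guests_missing_attribute(page: dict[str, Any], attribute_set: str, attribute: str) -> list[str]:
    """IDs of Guest users lacking the required attribute, e.g. for an access review."""
    return [
        u["id"] for u in page.get("value", [])
        if u.get("userType") == "Guest" and read_attribute(u, attribute_set, attribute) is None
    ]

def build_assignment_patch(attribute_set: str, attribute: str, value: Any) -> dict[str, Any]:
    """Body for PATCH /v1.0/users/{id}: the attribute set is the outer key and carries
    an @odata.type marker beside the attribute/value pair (Graph's documented shape)."""
    return {"customSecurityAttributes": {attribute_set: {
        "@odata.type": "#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
        attribute: value}}}
```

Reading or assigning custom security attributes through Graph requires the CustomSecAttributeAssignment.Read.All or ReadWrite.All permission in addition to the user permissions, so the audit account needs that consent.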
5. Integration with Power Apps and Other Microsoft Tools
Entra External Identities in Power Apps
Power Apps allows organizations to build custom applications that can leverage Entra External Identities for authentication and access management. This enables seamless user experiences for both internal and external users.
Key Integrations:
- User Authentication: Use Azure AD B2C for external user sign-in within Power Apps.
- Role-Based Access: Control access to different app features based on user roles.
- Data Access: Securely provide external users with access to data stored in Microsoft Dataverse or other connected services.
Custom Security Attributes in Power Apps
Custom Security Attributes can be utilized within Power Apps to enhance user profiles and personalize app experiences based on user-specific data.
Key Integrations:
- Profile Personalization: Display personalized content or features based on custom attributes.
- Conditional Logic: Implement app logic that changes behavior based on user attributes.
- Data Filtering: Filter data displayed to users based on their custom attributes.
Example: Using Custom Attributes in Power Apps
// Fetch user attribute in Power Apps
Set(userProfile, Office365Users.UserProfile(User().Email));
Set(customAttributeValue, userProfile.'extension_customAttribute');
// Use the custom attribute value in app logic
If(customAttributeValue = "specificValue", Navigate(Screen1), Navigate(Screen2))
Summary
Both Entra External Identities and Custom Security Attributes play vital roles in Azure AD's comprehensive identity management framework. Entra External Identities focus on securely managing external user access, enhancing collaboration, and ensuring compliance. On the other hand, Custom Security Attributes provide flexibility for storing additional information about directory objects, supporting enhanced user profiles, and improving internal processes. By understanding and leveraging these features, along with their integration capabilities with Microsoft Graph and Power Apps, organizations can create a more secure, efficient, and customizable identity management strategy.