CustomSecAttributeDefinition.ReadWrite.All

Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the CustomSecAttributeDefinition.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	12338004-21f4-4896-bf5e-b75dfaf1016d	8b0160d4-5743-482b-bb27-efc0a485ca4a
DisplayText	Read and write custom security attribute definitions	Read and write custom security attribute definitions
Description	Allows the app to read and write custom security attribute definitions for the tenant without a signed in user.	Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /directory/attributeSets
	GET /directory/attributeSets/{attributeSetId}
	GET /directory/customSecurityAttributeDefinitions
	GET /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}
	GET /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues
	GET /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues/{allowedValueId}
	PATCH /directory/attributeSets/{attributeSetId}
	PATCH /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}
	PATCH /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues/{allowedValueId}
	POST /directory/attributeSets
	POST /directory/customSecurityAttributeDefinitions
	POST /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /directory/attributeSets
	GET /directory/attributeSets/{attributeSetId}
	GET /directory/customSecurityAttributeDefinitions
	GET /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}
	GET /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues
	GET /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues/{allowedValueId}
	PATCH /directory/attributeSets/{attributeSetId}
	PATCH /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}
	PATCH /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues/{allowedValueId}
	POST /directory/attributeSets
	POST /directory/customSecurityAttributeDefinitions
	POST /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefinitionId}/allowedValues

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgDirectoryAttributeSet
	Get-MgDirectoryCustomSecurityAttributeDefinition
	Get-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
	New-MgDirectoryAttributeSet
	New-MgDirectoryCustomSecurityAttributeDefinition
	New-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue
	Update-MgDirectoryAttributeSet
	Update-MgDirectoryCustomSecurityAttributeDefinition
	Update-MgDirectoryCustomSecurityAttributeDefinitionAllowedValue

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaDirectoryAttributeSet
	Get-MgBetaDirectoryCustomSecurityAttributeDefinition
	Get-MgBetaDirectoryCustomSecurityAttributeDefinitionAllowedValue
	New-MgBetaDirectoryAttributeSet
	New-MgBetaDirectoryCustomSecurityAttributeDefinition
	New-MgBetaDirectoryCustomSecurityAttributeDefinitionAllowedValue
	Update-MgBetaDirectoryAttributeSet
	Update-MgBetaDirectoryCustomSecurityAttributeDefinition
	Update-MgBetaDirectoryCustomSecurityAttributeDefinitionAllowedValue

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: allowedValue

Property	Type	Description
id	String	Identifier for the predefined value. Can be up to 64 characters long and include Unicode characters. Can include spaces, but some special characters aren't allowed. Can't be changed later. Case sensitive. Inherited from entity.
isActive	Boolean	Indicates whether the predefined value is active or deactivated. If set to `false`, this predefined value can't be assigned to any other supported directory objects.

Graph reference: attributeSet

Property	Type	Description
description	String	Description of the attribute set. Can be up to 128 characters long and include Unicode characters. Can be changed later.
id	String	Identifier for the attribute set that is unique within a tenant. Can be up to 32 characters long and include Unicode characters. Cannot contain spaces or special characters. Cannot be changed later. Case insensitive. Inherited from entity.
maxAttributesPerSet	Int32	Maximum number of custom security attributes that can be defined in this attribute set. Default value is `null`. If not specified, the administrator can add up to the maximum of 500 active attributes per tenant. Can be changed later.

Graph reference: customSecurityAttributeDefinition

Property	Type	Description
attributeSet	String	Name of the attribute set. Case insensitive.
description	String	Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can be changed later.
id	String	Identifier of the custom security attribute that is a combination of the attribute set name and the custom security attribute name separated by an underscore (`attributeSet`_`name`). The id property is auto generated and cannot be set. Case insensitive. Inherited from entity.
isCollection	Boolean	Indicates whether multiple values can be assigned to the custom security attribute. Cannot be changed later. If type is set to `Boolean`, isCollection cannot be set to `true`.
isSearchable	Boolean	Indicates whether custom security attribute values are indexed for searching on objects that are assigned attribute values. Cannot be changed later.
name	String	Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Cannot contain spaces or special characters. Cannot be changed later. Case insensitive.
status	String	Specifies whether the custom security attribute is active or deactivated. Acceptable values are: `Available` and `Deprecated`. Can be changed later.
type	String	Data type for the custom security attribute values. Supported types are: `Boolean`, `Integer`, and `String`. Cannot be changed later.
usePreDefinedValuesOnly	Boolean	Indicates whether only predefined values can be assigned to the custom security attribute. If set to `false`, free-form values are allowed. Can later be changed from `true` to `false`, but cannot be changed from `false` to `true`. If **t

Table of Contents

CustomSecAttributeDefinition.ReadWrite.All

Graph Methods

Resources