Forum Discussion
Entra ID User Properties - Dynamic Groups
As of August 2025 Microsoft hasn’t added “generic new” user properties for dynamic group rules, and custom security attributes are still not supported in dynamic membership rules; what does work today are the built-in user/device attributes, the legacy extensionAttribute1–15, and custom extension properties (directory schema extensions) created via an app registration and exposed as user.extension_<AppId>_<AttributeName>, all of which you can use in dynamic rules without depending on on-prem AD going forward. The official dynamic-groups doc lists supported properties and explicitly documents using extensionAttributeX and user.extension_<GUID>_<Attr> syntax; it also now surfaces a “Get custom extension properties” helper in the rule builder to pull your app’s extensions, which is the cleanest path if you want cloud-only, tenant-scoped attributes you control (example rule: user.extension_c272a57b722d4eb29bfe327874ae79cb_CostCenter -eq "US-1001").
If you’re moving away from on-prem, define a small set of directory extension properties via Graph, populate them from your source of truth, and refactor your rules to use those; reserve extensionAttribute1–15 for compatibility only. For completeness, Microsoft’s own guidance confirms the above and the FAQ on custom security attributes still says “No” for dynamic group rules, so there’s no public roadmap item to switch that on yet; watch the Entra “What’s new” page for changes.
Press like if you accept the response.
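The define / populate / refactor sequence from the reply above, as an added example that is not part of the original post: it builds the three Microsoft Graph v1.0 request bodies without sending them and flags rules that still rely on extensionAttribute1–15. The object and user IDs are placeholders, the sample groups are constructed, and the name and value checks are this example's own conservative choices.

```python
import json, re, uuid

GRAPH = "https://graph.microsoft.com/v1.0"
LEGACY = re.compile(r"\buser\.extensionAttribute(1[0-5]|[1-9])\b", re.I)

def extension_name(app_id, attr):
    # Directory extensions are named extension_<appId without hyphens>_<name>.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", attr):  # conservative check, assumed here
        raise ValueError(f"unexpected attribute name: {attr!r}")
    return f"extension_{uuid.UUID(app_id).hex}_{attr}"

def membership_rule(app_id, attr, value):
    # Refuse quotes so a value from the source of truth cannot alter the rule.
    if '"' in value:
        raise ValueError("value must not contain a double quote")
    return f'user.{extension_name(app_id, attr)} -eq "{value}"'

def graph_requests(app_object_id, app_id, attr, user_id, value, group_name):
    """Return (method, url, body) for: define extension, set it, create group."""
    return [
        ("POST", f"{GRAPH}/applications/{app_object_id}/extensionProperties",
         {"name": attr, "dataType": "String", "targetObjects": ["User"]}),
        ("PATCH", f"{GRAPH}/users/{user_id}", {extension_name(app_id, attr): value}),
        ("POST", f"{GRAPH}/groups", {
            "displayName": group_name,
            "mailNickname": group_name.replace(" ", "-").lower(),
            "mailEnabled": False, "securityEnabled": True,
            "groupTypes": ["DynamicMembership"],
            "membershipRule": membership_rule(app_id, attr, value),
            "membershipRuleProcessingState": "On"}),
    ]

def legacy_rule_groups(groups):
    """Names of groups whose rule still depends on extensionAttribute1-15."""
    return [g["displayName"] for g in groups
            if LEGACY.search(g.get("membershipRule") or "")]

# Constructed sample data; APP_ID is the hyphenated form of the ID in the post's rule.
APP_ID = "c272a57b-722d-4eb2-9bfe-327874ae79cb"
SAMPLE_GROUPS = [
    {"displayName": "Finance-US", "membershipRule": 'user.extensionAttribute12 -eq "FIN"'},
    {"displayName": "CostCenter-US-1001",
     "membershipRule": membership_rule(APP_ID, "CostCenter", "US-1001")},
    {"displayName": "Static-Admins", "membershipRule": None},
]

if __name__ == "__main__":
    for method, url, body in graph_requests("<app-object-id>", APP_ID, "CostCenter",
                                            "<user-id>", "US-1001", "CostCenter US-1001"):
        print(method, url, json.dumps(body))
    print("still on extensionAttributeN:", legacy_rule_groups(SAMPLE_GROUPS))
```
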