adm_lawrimore
Copper Contributor
Aug 28, 2025

Entra ID User Properties - Dynamic Groups

Does anyone know if MS is planning on adding more properties that can be used to create dynamic groups? It would be great to have a number of generic properties that can be set.

Currently I am using the ExtensionAttributes from On-Prem, but would like to get away from them.

3 Replies

  • Will you consider migrating logic from extensionAttributes to Custom Security Attributes?

  • LainRobertson
    Silver Contributor

    Hi adm_lawrimore,


    Anecdotally, nothing's likely to change any time soon as the dynamic rule builder engine hasn't changed in many years in the context of leveraging more existing attributes or adding new ones for customer data. Additionally, nothing's been announced that specifically relates to the rule engine, either - at least not where I'd expect it to be, which is here:

     

     

    You could look at using directory extensions but that's not really improving your position if you're already getting by using the extensionAttribute1-15 set. It's worth noting that extensionAttribute1-15 are also natively part of Azure AD, meaning you don't lose them if you cut over to being Azure-native.

     

    Cheers,

    Lain

  • Ankit365
    Brass Contributor

    As of August 2025 Microsoft hasn’t added “generic new” user properties for dynamic group rules, and custom security attributes are still not supported in dynamic membership rules; what does work today are the built-in user/device attributes, the legacy extensionAttribute1–15, and custom extension properties (directory schema extensions) created via an app registration and exposed as user.extension_<AppId>_<AttributeName>, all of which you can use in dynamic rules without depending on on-prem AD going forward. The official dynamic-groups doc lists supported properties and explicitly documents using extensionAttributeX and user.extension_<GUID>_<Attr> syntax; it also now surfaces a “Get custom extension properties” helper in the rule builder to pull your app’s extensions, which is the cleanest path if you want cloud-only, tenant-scoped attributes you control (example rule: user.extension_c272a57b722d4eb29bfe327874ae79cb_CostCenter -eq "US-1001").

     

    If you’re moving away from on-prem, define a small set of directory extension properties via Graph, populate them from your source of truth, and refactor your rules to use those; reserve extensionAttribute1–15 for compatibility only. For completeness, Microsoft’s own guidance confirms the above and the FAQ on custom security attributes still says “No” for dynamic group rules, so there’s no public roadmap item to switch that on yet; watch the Entra “What’s new” page for changes.

    Press like if you accept the response.
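
The path described in the reply above (define a directory extension via Graph, populate it, reference it in a dynamic rule), as an added example that is not part of the thread and not Microsoft's code. It only builds the Microsoft Graph v1.0 requests and the rule string offline; the placeholder ids, the attribute-name check and the refusal of quotes in rule values are assumptions of this example.

```python
import re
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

def extension_name(app_id: str, attr: str) -> str:
    """extension_<appId without hyphens>_<attr>, the name Graph assigns."""
    app_hex = uuid.UUID(app_id).hex  # raises ValueError on a malformed GUID
    # Assumption of this example: keep names to letters and digits.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", attr):
        raise ValueError(f"unsupported attribute name: {attr!r}")
    return f"extension_{app_hex}_{attr}"

def define_extension(app_object_id: str, attr: str) -> dict:
    """Register a String extension on users. The URL takes the app's object id."""
    return {"method": "POST",
            "url": f"{GRAPH}/applications/{app_object_id}/extensionProperties",
            "body": {"name": attr, "dataType": "String", "targetObjects": ["User"]}}

def set_value(user_id: str, app_id: str, attr: str, value: str) -> dict:
    """Populate the extension on one user from the source of truth."""
    return {"method": "PATCH", "url": f"{GRAPH}/users/{user_id}",
            "body": {extension_name(app_id, attr): value}}

def membership_rule(app_id: str, attr: str, value: str) -> str:
    """Build the rule; refuse values that could break out of the string literal."""
    if re.search(r'["`\r\n]', value):
        raise ValueError("value contains a quote, backtick or line break")
    return f'user.{extension_name(app_id, attr)} -eq "{value}"'

def dynamic_group(name: str, rule: str) -> dict:
    """Create a security group whose membership is evaluated from the rule."""
    return {"method": "POST", "url": f"{GRAPH}/groups",
            "body": {"displayName": name, "mailEnabled": False,
                     "mailNickname": re.sub(r"[^A-Za-z0-9]", "", name),
                     "securityEnabled": True,
                     "groupTypes": ["DynamicMembership"],
                     "membershipRule": rule,
                     "membershipRuleProcessingState": "On"}}

# Constructed sample values; APP_ID is the GUID form of the hex in the rule above.
APP_ID = "c272a57b-722d-4eb2-9bfe-327874ae79cb"
PLACEHOLDER_ID = "00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    rule = membership_rule(APP_ID, "CostCenter", "US-1001")
    for req in (define_extension(PLACEHOLDER_ID, "CostCenter"),
                set_value(PLACEHOLDER_ID, APP_ID, "CostCenter", "US-1001"),
                dynamic_group("CostCenter US-1001", rule)):
        print(req["method"], req["url"], req["body"])
```

The extension is registered under the application's object id, while the property name embeds its appId (client id) with the hyphens removed.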
