How to Provide Permission to Sync with Custom Security Attributes in Entra ID

Grant Teamflect permissions to sync custom Entra ID attributes with Microsoft Graph using PowerShell.

Written by Myka
Updated over 2 months ago

Note: The implementation of this feature will require advanced technical skills and administrative access. Please consult a member of your IT team with administrative privileges to carry out the instructions detailed below.

You can view (and confirm the names of) your Custom Security Attributes in the Entra admin center: Entra ID → Protection → Custom security attributes.

For background, prerequisites, and how custom security attributes work in Entra ID (including PowerShell examples), see Microsoft’s documentation: https://learn.microsoft.com/en-us/entra/identity/users/users-custom-security-attributes?tabs=ms-powershell

To enable Teamflect to synchronize custom security attributes from Microsoft Entra ID, you'll need to assign specific application roles to the Teamflect service principal. This process involves using PowerShell to connect to Microsoft Graph and assign the required permissions.

Below is a step-by-step guide to help you through this setup.

Step-by-Step Guide:

Step 1: Install PowerShell

If PowerShell isn’t installed on your system, follow Microsoft’s instructions here: Install PowerShell.

Step 2: Install the Microsoft Graph PowerShell SDK

The Microsoft Graph PowerShell SDK is required to interact with Microsoft Graph via PowerShell. Follow the installation guide here: Install Microsoft Graph PowerShell SDK.

Step 3: Run the PowerShell Script

• Ensure that the person executing the script has administrative permissions within your Microsoft Azure environment, specifically the Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All permissions. These permissions are necessary to manage applications and their roles within your organization.

• Save the script provided below to a file named TeamflectPermissions.ps1.

• Open PowerShell, navigate to the directory containing the script and run it by typing: ./TeamflectPermissions.ps1

Script Content

$appDisplayName = "Teamflect"

# Connect to Microsoft Graph with the delegated scopes needed to read service principals and write app role assignments
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

# Retrieve the client app's service principal and the Microsoft Graph service principal
$appServicePrincipal = Get-MgServicePrincipal -Filter "displayName eq '$($appDisplayName)'"
$graphServicePrincipal = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"

# Stop if either service principal is missing, or if the display name matches more than one app
if (-not $appServicePrincipal -or @($appServicePrincipal).Count -ne 1) { Write-Host "Exactly one service principal named '$appDisplayName' was expected but not found"; return }
if (-not $graphServicePrincipal) { Write-Host "Microsoft Graph service principal not found"; return }

# Look up the two application roles (app-only permissions) exposed by Microsoft Graph
$customSecAssignment = $graphServicePrincipal.AppRoles | Where-Object { $_.Value -eq "CustomSecAttributeAssignment.Read.All" }
$customSecDefinition = $graphServicePrincipal.AppRoles | Where-Object { $_.Value -eq "CustomSecAttributeDefinition.Read.All" }

# Stop if either app role does not exist (the ';' is required, otherwise 'return' is passed to Write-Host as text)
if (-not $customSecAssignment) { Write-Host "CustomSecAttributeAssignment.Read.All app role not found"; return }
if (-not $customSecDefinition) { Write-Host "CustomSecAttributeDefinition.Read.All app role not found"; return }

# Add one app role assignment per role; each result is printed so it can be reviewed
foreach ($appRole in @($customSecAssignment, $customSecDefinition)) {
    $params = @{
        "PrincipalId" = $appServicePrincipal.Id
        "ResourceId"  = $graphServicePrincipal.Id
        "AppRoleId"   = $appRole.Id
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServicePrincipal.Id -BodyParameter $params |
        Format-List Id, AppRoleId, CreatedDateTime, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName
}

Additional Notes

• This script checks for the existence of the specified application and the Microsoft Graph service principal before attempting to assign roles. It ensures that the necessary permissions are properly assigned only if both entities are correctly identified in your Azure environment.

• The output will detail the result of each role assignment, helping you confirm that the necessary permissions are set up correctly.
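Once the assignments are in place, it is worth checking from a separate session that the Teamflect service principal holds exactly the two read-only roles and nothing more, and knowing how to take them back if the integration is ever retired. The following script is an added example, not part of this article or Teamflect's own tooling. It assumes the Microsoft Graph PowerShell SDK is installed, that the service principal is still named "Teamflect" (the $AppDisplayName parameter), and it filters Microsoft Graph by its well-known application ID rather than by display name. Reporting needs only Application.Read.All; the -Revoke switch additionally requests AppRoleAssignment.ReadWrite.All.

```powershell
# Verify (and optionally revoke) the app role assignments held by the Teamflect service principal on Microsoft Graph.
# Added example, not from the original article. Assumes the Microsoft Graph PowerShell SDK is installed.
param(
    [string] $AppDisplayName = "Teamflect",   # assumption: display name of the Teamflect service principal
    [switch] $Revoke                           # remove the two sync roles instead of only reporting them
)

# Read-only scope is enough to audit; the write scope is only requested when revoking
$scopes = @("Application.Read.All")
if ($Revoke) { $scopes += "AppRoleAssignment.ReadWrite.All" }
Connect-MgGraph -Scopes $scopes

# Microsoft Graph's well-known application (client) ID; filtering on appId is unambiguous, unlike displayName
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appSp   = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $appSp) { Write-Host "Service principal '$AppDisplayName' not found"; return }

# The only two roles the custom security attribute sync needs
$expectedRoles = @("CustomSecAttributeAssignment.Read.All", "CustomSecAttributeDefinition.Read.All")

# Map every app role ID defined by Microsoft Graph to its readable value (e.g. "User.Read.All")
$roleNameById = @{}
foreach ($role in $graphSp.AppRoles) { $roleNameById[$role.Id] = $role.Value }

# Every app role assignment the Teamflect service principal currently holds on Microsoft Graph
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

foreach ($a in $assignments) {
    $name = $roleNameById[$a.AppRoleId]
    if ($expectedRoles -contains $name) {
        Write-Host "OK       $name (assignment $($a.Id), created $($a.CreatedDateTime))"
        if ($Revoke) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -AppRoleAssignmentId $a.Id
            Write-Host "REVOKED  $name"
        }
    } else {
        # Anything beyond the two read-only roles should be reviewed by whoever approved the grant
        Write-Host "EXTRA    $name (not required for custom security attribute sync)"
    }
}

# Report any of the two required roles that is not assigned at all
foreach ($name in $expectedRoles) {
    if (-not ($assignments | Where-Object { $roleNameById[$_.AppRoleId] -eq $name })) {
        Write-Host "MISSING  $name"
    }
}
```

Run it without parameters to get a line per assignment marked OK, EXTRA or MISSING; an EXTRA line means the service principal has been granted a Graph application permission beyond the two this article requires, which is the first thing to look at in a periodic least-privilege review. Run it with -Revoke to remove the two sync roles when the integration is decommissioned.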

Note: To learn more about how to manage custom attributes in Teamflect, please visit this article here.

For any technical assistance, please contact your IT support or refer to the Microsoft Graph documentation for further details on permissions and SDK usage.

Use Cases

  1. Custom employee segments: Sync attributes like Job Family or Grade Level to target surveys or reviews.

  2. Regional compliance tracking: Use synced location attributes for filtering users in compliance or policy acknowledgement surveys.

  3. Leadership programs: Sync custom fields such as High Potential or Leadership Track for targeted development initiatives.

Granting Teamflect permissions to sync custom security attributes from Entra ID allows your organization to fully leverage tailored data in reviews, surveys, and analytics. With IT support, you can enable more accurate targeting and richer insights across the platform.
