| title | Attribute Provisioning Administrator |
|---|---|
| description | Attribute Provisioning Administrator |
| ms.topic | include |
| ms.date | 01/26/2026 |
| ms.custom | include file |
This is a privileged role. Assign the Attribute Provisioning Administrator role to users who need to do the following tasks:
- Read and write attribute mappings for custom security attributes when provisioning in an application.
- Read and write provisioning and auditing logs for custom security attributes when provisioning in an application.
Users with this role cannot read audit logs for other events. This role must be used in conjunction with the Cloud Application Administrator or Application Administrator roles (from least to most privileged) to read provisioning configurations.
Important
This role does not have the ability to create custom security attribute sets or to directly assign or update custom security attribute values for the user object. This role can only configure the flow of the custom security attributes in the provisioning app.
[!div class="mx-tableFixed"]
Actions Description microsoft.directory/servicePrincipals/synchronization.customSecurityAttributes/schema/read Read all custom security attributes in the synchronization schema microsoft.directory/servicePrincipals/synchronization.customSecurityAttributes/schema/update Update custom security attribute mappings in the synchronization schema