
How can I map Custom Security Attributes on a user in Entra to an external attribute in Snowflake via SCIM user provisioning?

Ben Levy 0 Reputation points
2026-05-05T00:43:13.6+00:00

My overall goal is to have a single user attribute in Entra that can both be used for dynamic groups and also mapped to a tag when provisioning users in Snowflake. What I'm currently trying to use is a CSA, but I'm not sure how to access its value in my Snowflake provisioning app. Can this be done? And if not, is there an alternative way to achieve the same end?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

    Q&A Assist
    2026-05-05T00:43:27.7133333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Custom security attributes (CSAs) can be used in dynamic group rules and can also be flowed through SCIM-based provisioning, but they are exposed via a specific SCIM extension namespace and must be explicitly mapped in the Snowflake provisioning app.

    To achieve the goal (one attribute in Entra used for both dynamic groups and Snowflake tags), use a CSA and then surface it in the Snowflake SCIM app as a custom attribute mapping.

    1. Use the CSA directly in Entra for dynamic groups

    Once a custom security attribute set and attributes are defined (for example, attribute set HRConfidentialData with attributes like PayGrade, EmployeeLevel, etc.), they can be referenced in dynamic group rules. This satisfies the “dynamic groups” part of the requirement and is already supported.

    2. Understand how CSAs appear in SCIM

    For provisioning scenarios, CSAs are carried in SCIM payloads under the extension namespace:

    urn:ietf:params:scim:schemas:extension:microsoft:entra:csa

    The sample SCIM bulk payload in the documentation shows custom fields under this extension that can be mapped to custom security attributes.

    In inbound scenarios, the mapping table looks like this (example):

    • SCIM attribute urn:ietf:params:scim:schemas:extension:microsoft:entra:csa:PayGrade → Entra attribute CustomSecurityAttributes.HRConfidentialData_PayGrade

    This same pattern applies in reverse for outbound provisioning: the CSA is represented by a SCIM attribute with the …:csa: prefix, and the provisioning app can map that SCIM attribute to a target app attribute.

    3. Map the CSA into the Snowflake SCIM app

    In the Snowflake enterprise application’s Provisioning → Attribute mappings (Users), add a new mapping that exposes the CSA as a source attribute and maps it to a Snowflake custom extension attribute:

    1. In Entra admin center, open Enterprise applications → Snowflake app → Provisioning.
    2. Open Attribute mappings for Users.
    3. Select Add new mapping.
    4. In the source attribute list, select the CSA in the CustomSecurityAttributes.<AttributeSetName>_<AttributeName> form (for example, CustomSecurityAttributes.HRConfidentialData_PayGrade).
    5. In the target attribute, choose or define the Snowflake SCIM custom attribute that should receive this value (for example, a Snowflake custom extension attribute used as a tag or role indicator, following the pattern used for Snowflake’s custom SCIM attributes like DEFAULT_ROLE, DEFAULT_WAREHOUSE, etc.).
    6. Save the mapping.

    This causes Entra provisioning to read the CSA from the user object and send it to Snowflake in the SCIM payload, where Snowflake can interpret it as a tag or other metadata.

    4. Alternative if CSA cannot be used directly

    If the Snowflake app schema editor does not expose CSAs as selectable source attributes, use an intermediate Entra attribute that is supported as a source in the Snowflake app and mirror the CSA value into it via inbound provisioning or other processes. For example:

    • Map the SCIM extension attribute (for inbound HR → Entra) to both:
      • CustomSecurityAttributes.<Set>_<Name> (for dynamic groups), and
      • A standard or extension attribute (for example, extensionAttribute1) that is then mapped in the Snowflake app.

    The documentation shows this pattern for custom attributes:

    • A SCIM extension attribute like urn:ietf:params:scim:schemas:extension:contoso:1.0:User:HireDate is mapped to employeeHireDate.
    • Another extension attribute is combined into jobTitle using an expression.

    The same approach can be used to ensure the same logical value is available both as a CSA (for dynamic groups) and as a “regular” attribute that the Snowflake provisioning app can map.

    5. Summary

    • Yes, the scenario is supported: a single logical value can be used both as a CSA (for dynamic groups) and as a SCIM-mapped attribute to Snowflake.
    • Prefer mapping the CSA directly in the Snowflake provisioning app if it appears in the CustomSecurityAttributes.<Set>_<Name> list.
    • If it does not appear, mirror the CSA value into another Entra attribute that is supported as a source for the Snowflake app and map that attribute to a Snowflake custom SCIM attribute used as a tag.

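The two mapping hops the answer describes (HR SCIM payload → Entra CSA plus mirrored extensionAttribute1, then Entra → Snowflake SCIM custom attribute), as an added example that is not code from the Q&A page, Microsoft or Snowflake. It assumes the CSA extension carries attributes as a flat object keyed by attribute name (inferred from the answer's mapping row) and uses a placeholder Snowflake extension namespace and attribute name; the real ones must come from Snowflake's SCIM documentation.

```python
# Added example, not from the Q&A page, Microsoft or Snowflake: the answer's
# two mapping hops as dict transforms. Assumption: the CSA extension carries
# attributes as a flat object keyed by name (inferred from the mapping row).
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
CSA = "urn:ietf:params:scim:schemas:extension:microsoft:entra:csa"
SNOWFLAKE_EXT = "urn:example:snowflake:extension:User"  # placeholder name

# Hop 1, inbound (HR SCIM -> Entra): the answer's mapping row plus the
# fallback mirror into extensionAttribute1 for apps that cannot read CSAs.
INBOUND_MAP = {f"{CSA}:PayGrade": [
    "CustomSecurityAttributes.HRConfidentialData_PayGrade",
    "extensionAttribute1"]}
# Hop 2, outbound (Entra -> Snowflake): mirrored value -> hypothetical tag attr.
OUTBOUND_MAP = {"extensionAttribute1": f"{SNOWFLAKE_EXT}:payGradeTag"}
# Constructed sample inbound payload (not a captured Entra message).
SAMPLE_INBOUND = {"schemas": [CORE, CSA], "userName": "user@contoso.example",
                  CSA: {"PayGrade": "L5"}}

def get_scim_path(user, path):
    """Read 'schema:attr' (extension attribute) or a core attribute."""
    schema, sep, attr = path.rpartition(":")
    return user.get(schema, {}).get(attr) if sep else user.get(path)

def set_scim_path(user, path, value):
    """Write 'schema:attr', registering the extension in 'schemas'."""
    schema, sep, attr = path.rpartition(":")
    if not sep:
        user[path] = value
        return
    user.setdefault(schema, {})[attr] = value
    if schema not in user.setdefault("schemas", []):
        user["schemas"].append(schema)

def inbound_to_entra(scim_user):
    """Flatten the inbound payload into Entra attribute names."""
    entra = {}
    for src, targets in INBOUND_MAP.items():
        value = get_scim_path(scim_user, src)
        if value is None:  # CSA unset: leave both targets unset, send no ""
            continue
        for target in targets:
            entra[target] = value
    return entra

def entra_to_snowflake(entra_user, user_name):
    """Build the outbound SCIM user the Snowflake app would receive."""
    out = {"schemas": [CORE], "userName": user_name}
    for src, dst in OUTBOUND_MAP.items():
        if src in entra_user:
            set_scim_path(out, dst, entra_user[src])
    return out
```

Running `entra_to_snowflake(inbound_to_entra(SAMPLE_INBOUND), "user@contoso.example")` yields a core user with the placeholder extension registered in `schemas` and the PayGrade value under it; a user with no CSA set produces no extension at all rather than an empty string.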
