Cisco ISE Entra-ID user attributes to match
04-17-2025 01:54 AM - edited 04-17-2025 01:54 AM
Hello,
I have some questions after going through the great post from @Greg Gibbs, "Cisco ISE with Microsoft Active Directory, Entra ID, and Intune - Cisco Community". Specifically, about the section on user attributes from Entra ID.
1) There it is stated that starting with ISE 3.2 version patch 4, all those user attributes are available to use in Authorization policies. I have a working setup using ISE 3.3 version patch 2 where I followed exactly "Configure Cisco ISE 3.2 EAP-TLS with Microsoft Azure Active Directory". However, the only information I see coming from Entra-ID is the groups the user belongs to. What additionally needs to be configured so ISE can receive more information via Graph API from Entra-ID, to match in the Authorization policies anything from the list you mention? Note: Entra-ID permissions are exactly the ones shown in the guide.
2) Additionally, I am exploring user attributes to see if we can use one of those on the list, or even a custom attribute in Entra-ID, to receive from Entra-ID the IP address assigned to a user so it can be sent towards an ASA via RADIUS. This is to mirror what is explained in "Configure a Static IP Address on an AnyConnect Remote Access VPN with ISE and AD - Cisco", but instead of using AD, using Azure Entra-ID. Do you recommend any documents to fill the gaps to achieve this with Entra-ID (meaning how to build this custom attribute and then map it through ISE dictionaries)?
Thank you in advance!
