Extension attributes offer a convenient way to extend your Azure AD directory with new attributes that you can use to store attribute values for objects in your directory.
You can attach an extension attribute to the following object types: Additionally, extension properties are accessible to any consented application in an organization, not just the application to which they are registered.
Other consented applications in that organization can read or write values for the new extension property if they have sufficient permissions. If the extension is deleted by the application, it also becomes inaccessible on the target directory object. The only way to remove the property value from consideration once it has been set is to explicitly set it to null; you cannot do this if the extension property is inaccessible. You can read more about extension properties in this article.
In these examples we'll be using a user object and work with extension properties. We'll first find the ObjectId of the user so we can easily refer to it later: Extension properties are always created for a specific application.
If you just want to add generic properties to your directory, you can create a placeholder application: Note that you also need to create a service principal for this application in your directory before you can create a new extension property: The exact value of the name will therefore be different for each application you create. Note that you can assign a property to more than one object type.
In our example we only used one TargetObject, "User", but you could also have specified "User","Group", which would assign the property to both user and group objects.
Setting values for extension properties
Using the extension property we created in the previous example, we can now assign a value to it:
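The whole procedure above (placeholder application, service principal, extension property, then set, read and clear a value) as one added example; this is not the documentation's own sample. It assumes the AzureAD PowerShell module and an existing Connect-AzureAD session; the application name, property name and user principal name are placeholders.

```powershell
# Added example; assumes an authenticated Connect-AzureAD session.
Import-Module AzureAD

# 1. Placeholder application that will own the extension property.
$app = New-AzureADApplication -DisplayName "Extension Placeholder App (example)"

# 2. The application needs a service principal in this directory
#    before an extension property can be registered on it.
$null = New-AzureADServicePrincipal -AppId $app.AppId

# 3. Register a String extension that applies to User objects only.
#    The generated Name has the form extension_<appId without dashes>_<name>,
#    so it differs for every application you create.
$prop = New-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId `
    -Name "costCenter" -DataType "String" -TargetObjects "User"
Write-Host "Registered extension property: $($prop.Name)"

# 4. Set and read the value on one user (placeholder UPN).
$user = Get-AzureADUser -ObjectId "alice@contoso.example"
Set-AzureADUserExtension -ObjectId $user.ObjectId `
    -ExtensionName $prop.Name -ExtensionValue "CC-1234"
$current = (Get-AzureADUserExtension -ObjectId $user.ObjectId)[$prop.Name]
Write-Host "Value now stored on the user: $current"

# 5. Clear the value again (the property value is set back to null).
Remove-AzureADUserExtension -ObjectId $user.ObjectId -ExtensionName $prop.Name

# 6. Any consented application can see the property, so list what is
#    registered in the tenant when auditing extensions.
Get-AzureADExtensionProperty | Select-Object Name, DataType, TargetObjects
```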
This week I had a customer that has some data in their on-premises Active Directory that we needed to use for a custom application in SharePoint Online. This data was placed in the ExtensionAttribute fields of the user. With the latest version of Azure AD Connect we have the option to select attributes to sync to Azure Active Directory, and that is what the customer did.
The screenshot shows division and employeeID selected, but the complete list of available attributes also includes the ExtensionAttributes. When you do not select them here, the extension attributes will be in the synchronization. This means the data should be available in Azure AD, and when we look in the Synchronization Service Manager and search for a user with an ExtensionAttribute, we see that it is synced to Azure AD.
So that is good news: we have confirmation that the properties are coming into Azure AD. The question now is how can we use this data?
When you try this with PowerShell you see that there is a property called ExtensionData, but you are not able to see what is inside it.
So neither option gives you the data of the ExtensionAttributes. With PowerShell there is a workaround: get the Exchange mailbox or recipient. When you connect to Exchange Online and get the mailbox for the user, the ExtensionAttributes are available through the CustomAttributes. To get the extension attributes in the Graph API you need to select the attributes in the wizard from the first screenshot. The id of this app is the GUID in the extension attribute in Azure AD.
When you update to the latest version of the synchronization client you have the option to select extension attributes.
Azure AD cmdlets for working with extension attributes
These attributes are only visible in the beta endpoint of the Graph API. When you want to use these attributes in SharePoint, we need to find a way to get them imported into the SharePoint user profile. There are a few solutions on the internet that use PowerShell to read the mailbox or recipient and place the values in a custom SharePoint user profile property.
Because the extension attributes are default attributes in the on-premises Active Directory and are used by several customers, my opinion is that these attributes should be available through the Graph API by default. You can find these attributes in the application that AAD Connect creates during the configuration.
Can I add one or more on-premises custom AD attributes to Azure AD Connect through the wizard you showed above, and will Azure AD Connect directly sync them to the cloud with their values? Or do I need some more configuration as well?
You only need to use the wizard to add the custom attributes. After that you should run an initial sync, but the wizard will ask you for that as well.
This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises. These attributes can be consumed through extensions. You can see the available attributes by using Microsoft Graph Explorer. You can also use this feature to create dynamic groups in Azure AD.
You configure which additional attributes you want to synchronize in the custom settings path in the installation wizard. The list of attributes is read from the schema cache that's created during installation of Azure AD Connect. If you have extended the Active Directory schema with additional attributes, you must refresh the schema before these new attributes are visible.
An object in Azure AD can have up to attributes for directory extensions. The maximum length is characters. If an attribute value is longer, the sync engine truncates it.
During installation of Azure AD Connect, an application is registered where these attributes are available. You can see this application in the Azure portal. Its name is always Tenant Schema Extension App. ApplicationId has the same value for all attributes in your Azure AD tenant. You will need this value for all other scenarios in this topic.
Use custom attributes to automatically populate Azure AD dynamic group memberships
For more information, see Microsoft Graph: Use query parameters. One of the more useful scenarios is to use these attributes in dynamic security or Office groups.
Create a new group in Azure AD. Give it a good name and make sure the Membership type is Dynamic User.
Working with Azure AD Extension Attributes with Azure AD PowerShell v2
Select Add dynamic query. If you look at the properties, you will not see these extended attributes; you need to add them first. Complete the expression to suit your requirements. In our example, the rule is set to user. After the group has been created, give Azure AD some time to populate the members and then review the members.
Learn more about the Azure AD Connect sync configuration.
Your Azure Active Directory (Azure AD) B2C directory user profile comes with a built-in set of attributes, such as given name, surname, city, postal code, and phone number.
You can extend the user profile with your own application data without requiring an external data store. You should not use built-in or extension attributes to store sensitive personal data, such as account credentials, government identification numbers, cardholder data, financial account data, healthcare information, or sensitive background information.
You can also integrate with external systems. For example, you can use Azure AD B2C for authentication but delegate to an external customer relationship management (CRM) or customer loyalty database as the authoritative source of customer data.
For more information, see the remote profile solution. The table below lists the user resource type attributes that are supported by the Azure AD B2C directory user profile.
It gives the following information about each attribute: Azure AD B2C extends the set of attributes stored on each user account. Extension attributes extend the schema of the user objects in the directory.
The extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called b2c-extensions-app. You can find this application under Azure Active Directory, App registrations.
Adding and removing extensionattribute to AD object
I'm using PowerShell to modify some AD extensionattribute. It works, but how can I remove the same extensionattribute? I can't find anything similar to -remove.
I have struggled a long time to modify the extension attributes in our domain. Then I wrote a PowerShell script and created an editor with a GUI to set and remove extAttributes from an account. I use this script on a regular basis in our domain and it never deleted anything or did any other harm. I provide no guarantee that this script works as expected in your domain. But as I provide the source, you can and should have a look at it before you run it.
Extension attributes are added by Exchange. According to this TechNet article something like this should work:
This blog post is a summary of tips and commands, and also some curious things I found.
There is a link to a Gist with all the PowerShell commands at the end of the blog post if you prefer to skip to that. I can look into and explore the user object with Get-Member and with ToJson, which also will show me the value of the extension attributes: From there I can see that the ExtensionProperty, which is of type System.Dictionary, supports Get and Set. So let's look into how to update those extension attributes. This obviously only works on cloud-homed users, as synchronized users must be updated in the local Active Directory.
This series of commands shows how to add extension attributes for cloud users: The next thing I thought about was how I can make a list of all users with their extension attributes.
I ended up with the following, where you can either get all users or make a filtered collection, and from there loop through and read any extension attributes: When I look into my extended users list object, I can list the users and values with extension values: Now to some curious things I found. In another Azure AD tenant I tested on, using the commands above I never could list out the extensionAttribute values. I never found a way to validate and check those values, but if I created a dynamic group using for example extensionAttribute1 or 2, members would be populated!
For example by querying: Strange thing; hopefully I will find out some more on this, and please comment if you have any ideas. I will also ask the Azure AD team about this.
Here is the gist with all the commands:
Can we get other attributes like ipPhone?
Yes, use device.
Very good article!
Here is the summary: In the test, the Graph API beta is used. The user resource type has a property named onPremisesExtensionAttributes with a complex type which contains extensionAttribute1 - extensionAttribute. Remark: we do not sync on-premises AD.
I suppose you can't use the built-in PowerShell to do that. If you want to use PowerShell to do that, your option is to call the MS Graph in PowerShell with Invoke-RestMethod; a sample here.
Is it possible to list extensionAttribute1 - extensionAttribute15 via PowerShell command?
AD: How To Populate extensionAttribute using PowerShell?
How can we set the extensionAttribute1 - extensionAttribute15 with a PowerShell command?
Hi Joy, the information you provided was very useful.
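An added example (not the answer's own sample) of what the answer describes: calling the Microsoft Graph beta endpoint with Invoke-RestMethod to list onPremisesExtensionAttributes for every user, following paging, and setting one attribute on a cloud-only user. It assumes an access token with User.ReadWrite.All already held in $token and a placeholder user object id; it also covers the blog post above that built a list of users with their extension values.

```powershell
# Added example; $token is assumed to hold a valid Graph access token.
$headers = @{ Authorization = "Bearer $token" }

function Get-UsersWithOnPremExtensions {
    # Single quotes keep $select and $top literal for the OData query.
    $uri = 'https://graph.microsoft.com/beta/users?$select=userPrincipalName,onPremisesExtensionAttributes&$top=999'
    $results = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        foreach ($u in $page.value) {
            $ext = $u.onPremisesExtensionAttributes
            # Keep only extensionAttribute1..15 that actually carry a value.
            $set = 1..15 | ForEach-Object {
                $name = "extensionAttribute$_"
                if ($ext.$name) { "$name=$($ext.$name)" }
            }
            if ($set) {
                $results += [pscustomobject]@{
                    User       = $u.userPrincipalName
                    Extensions = ($set -join '; ')
                }
            }
        }
        # Follow @odata.nextLink until the last page (no link) is reached.
        $uri = $page.'@odata.nextLink'
    }
    return $results
}

function Set-OnPremExtensionAttribute {
    param([string]$UserId, [int]$Index, [string]$Value)
    # Only cloud-only users can be written this way; synced users must be
    # changed in on-premises AD and let Azure AD Connect sync the value.
    $body = @{ onPremisesExtensionAttributes = @{ "extensionAttribute$Index" = $Value } } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/beta/users/$UserId" `
        -Headers $headers -ContentType 'application/json' -Body $body
}

# Placeholder object id; replace with a real cloud-only user.
Set-OnPremExtensionAttribute -UserId '00000000-0000-0000-0000-000000000000' -Index 1 -Value 'Finance'
Get-UsersWithOnPremExtensions | Format-Table -AutoSize
```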