This week I had a customer with some data in their on-premises Active Directory that we needed to use for a custom application in SharePoint Online.
This data was placed in the ExtensionAttribute field of the user.
With the latest version of Azure AD Connect we have the option to select attributes to sync to Azure Active Directory and that is what the customer did.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-directory-extensions/


This screenshot has division and employeeID selected, but the complete list of available attributes also contains the ExtensionAttributes. Even when you do not select them here, the extension attributes will still be in the synchronization.

This means the data should be available in Azure AD, and when we take a look in the Synchronization Service Manager and search for a user with an ExtensionAttribute, we see that it is synced to Azure AD.

So the good news is that we have confirmation that the properties arrive in Azure AD, but the question now is: how can we use this data?

How to receive the Extension attributes?

Some of the custom properties, like the employeeID in the first screenshot, are available in the Graph API, but the ExtensionAttributes are not. When you try this with PowerShell you see that there is a property called ExtensionData, but you are not able to see what is inside it. So neither option gives you the data of the ExtensionAttributes.

With PowerShell there is a way around this: get the Exchange mailbox or recipient. When you connect to Exchange Online and get the mailbox for the user, the ExtensionAttributes are available through the CustomAttributes.
Get-Mailbox -Identity
Get-Recipient -Identity

How to get them in the Graph API?

To get the extension attributes in the Graph API you need to select the attributes in the wizard from the first screenshot. That way the attributes get explicitly registered in Azure AD in the form of “extension_<GUID>_extensionAttribute14”.
In Azure AD you also get an extra application called “Tenant Schema Extension App”. The id of this app is the guid in the extension attribute in Azure AD.

These attributes are only available in the beta endpoint of the Graph API.
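As an added example (not code from the original post), the naming convention above can be consumed like this: read the user from the Azure AD Graph beta endpoint and pick out the extensionAttribute values registered by the Tenant Schema Extension App, ignoring extension properties registered by other applications. The beta URL form, the hyphen-less GUID in the property name and the sample user object are assumptions.

```python
import json
import re
import urllib.request

# Property names AAD Connect registers have the form
# "extension_<GUID>_extensionAttribute14" (see the text above).
# Assumption: the GUID is the Tenant Schema Extension App's id with the
# hyphens removed, as Azure AD Graph names directory extensions.
EXT_RE = re.compile(r"^extension_([0-9a-fA-F]{32})_(extensionAttribute(?:[1-9]|1[0-5]))$")


def extension_attributes(user, schema_app_id=None):
    """Return {"extensionAttribute14": value, ...} from a beta user object.

    If schema_app_id (the id of the 'Tenant Schema Extension App') is given,
    only properties registered by that app are returned; a different GUID
    means the property belongs to another application's extension.
    """
    wanted = schema_app_id.replace("-", "").lower() if schema_app_id else None
    result = {}
    for name, value in user.items():
        m = EXT_RE.match(name)
        if not m:
            continue
        if wanted is not None and m.group(1).lower() != wanted:
            continue
        result[m.group(2)] = value
    return result


def fetch_user(tenant, upn, access_token):
    """GET the user from the Azure AD Graph beta endpoint (assumed URL form);
    the non-beta endpoint does not return the extension properties."""
    url = f"https://graph.windows.net/{tenant}/users/{upn}?api-version=beta"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of a (trimmed) beta user object; not real data.
SAMPLE_USER = {
    "objectId": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "user@contoso.example",
    "extension_0123456789abcdef0123456789abcdef_extensionAttribute14": "Sales",
    "extension_0123456789abcdef0123456789abcdef_extensionAttribute1": "E12345",
    "extension_fedcba9876543210fedcba9876543210_extensionAttribute14": "other-app",
    "extension_0123456789abcdef0123456789abcdef_division": "EMEA",
}

if __name__ == "__main__":
    # Hypothetical app id of the Tenant Schema Extension App for the sample.
    print(extension_attributes(SAMPLE_USER, "01234567-89ab-cdef-0123-456789abcdef"))
```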

Conclusion

When you update to the latest version of the synchronization client you have the option to select extension attributes. These attributes are only visible in the beta endpoint of the Graph API. When you do not have the option to update to the latest version, you can only use PowerShell and connect to Exchange Online to access the extension attributes.

When you want to use these attributes in SharePoint you need to find a way to get them imported into the SharePoint user profile.
There are a few solutions on the internet that use PowerShell to read the mailbox or recipient and place the values in a custom SharePoint user profile property.

http://blog.intucio.com/blog/synchronizing-microsoft-azure-active-directory-extension-attributes-with-sharepoint-online-user-profile-properties
https://github.com/OfficeDev/PnP/tree/master/Samples/Core.UserProfiles.Sync

Because the extension attributes are default attributes in the on-premises Active Directory and are used by several customers, my opinion is that these attributes should be available through the Graph API by default.
For this I have created an idea on the Office UserVoice:
https://officespdev.uservoice.com/forums/224641-general/suggestions/15482145-expose-extensionattributes-in-azure-ad-with-the-of

10 thoughts on “Updated: Extension attributes in Azure AD”

  1. Hello,

    Can you supply an example of usage of the beta Graph API to get the extension attributes?

    Thanks
    Miguel

    1. Hello Miguel,

      I do not have an personal example, but take a look at https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-directory-extensions/ and then the screenshot at the bottom of that page gives you an idea.
      You can find these attributes in the application that AAD Connect creates during the configuration. This application is called “Tenant Schema Extension App”.
      To see the values of these properties you can create a REST call to https://graph.windows.net//users/

      Regards,
      Arjan

  2. Can I add one or more on-premises custom AD attributes to Azure AD Connect through the wizard you showed above, and will Azure AD Connect directly sync them to the cloud with their values?
    OR
    I need some more configuration as well ?

    Mahesh

    1. Hello Mahesh,

      You only need to use the wizard to add the custom attributes. After that you should run an initial sync, but the wizard will ask you for that as well.
      To see the new attributes you should see the application, and with the beta endpoint you should be able to see the custom attributes.

      Regards,
      Arjan

    1. Hello James,

      As far as I can see in the configuration this is only from the on-premises AD to Azure AD.
      If you look at the screenshot from Microsoft, they say that the extension attributes are synchronized from on-premises to Azure AD.

      Regards,
      Arjan

      1. There is no user write back from azure ad to on premises ad – hence there is no sync of attribute values from Azure AD back to AD either.

  3. We added a custom attribute to our schema and changed ADconnect to sync it up (not extensionAttributes, but a homemade attribute). I see it in azure under app registrations. Using graph, I can see that my test user did get the value sync’d from on-premise AD to Azure. I was trying to use that attribute to build a dynamic group in Azure, but it won’t populate my test user into that group. Our other dynamic groups using the baked-in extensionAttributes populate fine. Is what I’m trying to do possible?
