This week I had a customer with some data in their on-premises Active Directory that we needed to use for a custom application in SharePoint Online.
This data was placed in the ExtensionAttribute fields of the user.
With the latest version of Azure AD Connect we have the option to select which attributes to sync to Azure Active Directory, and that is what the customer did.

This screenshot has division and employeeID selected, but the complete list of available attributes also contains the ExtensionAttributes. Even when you do not select them here, the extension attributes are still included in the synchronization.

This means the data should be available in Azure AD, and when we take a look in the Synchronization Service Manager and search for a user with an ExtensionAttribute, we see that it is synced to Azure AD.

So the good news is that we have confirmation that the properties are arriving in Azure AD, but the question now is: how can we use this data?

How to receive the Extension attributes?

Some of the custom properties, like the employeeID in the first screenshot, are available in the Graph API, but the ExtensionAttributes are not. When you try this with PowerShell you see that there is a property called ExtensionData, but you are not able to see what is inside it. So neither option gives you the data in the ExtensionAttributes.

With PowerShell there is a way around this: get the Exchange mailbox or recipient. When you connect to Exchange Online and get the mailbox for the user, the ExtensionAttributes are available through the CustomAttributes (extensionAttribute1 to 15 map to CustomAttribute1 to 15).
Get-Mailbox -Identity
Get-Recipient -Identity

How to get them in the Graph API?

To get the extension attributes in the Graph API you need to select the attributes in the wizard from the first screenshot. That way the attributes get explicitly registered in Azure AD in the form of “extension_<GUID>_extensionAttribute14”.
In Azure AD you also get an extra application called “Tenant Schema Extension App”. The id of this app is the GUID in the extension attribute name in Azure AD.

These attributes are only available in the beta endpoint of the Graph API

When you update to the latest version of the synchronization client you have the option to select extension attributes. These attributes are only visible in the beta endpoint of the Graph API. When you do not have the option to update to the latest version, you can only use PowerShell and connect to Exchange Online to access the extension attributes.
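To tie the two approaches together, here is an added PowerShell example (my own illustration, not code from the original post or from Microsoft). It reads the extension attributes both ways: from the Exchange Online recipient through CustomAttribute1 to 15, and from the Graph beta endpoint using the registered “extension_<GUID>_extensionAttribute<n>” names, which it looks up from the Tenant Schema Extension App rather than hard-coding the GUID. It assumes you are already connected with Connect-ExchangeOnline and Connect-AzureAD, that $upn holds the user’s UPN, and that $accessToken holds a valid Graph bearer token (how you obtain the token is outside this example).

```powershell
# Added example, not from the original post.
# Assumptions: Connect-ExchangeOnline and Connect-AzureAD have already been run,
# $upn is the user's UPN, $accessToken is a Graph bearer token for the beta endpoint.

function Get-ExtensionAttributesFromExchange {
    param([Parameter(Mandatory)][string]$Identity)
    # Exchange exposes on-premises extensionAttribute1..15 as CustomAttribute1..15.
    $recipient = Get-Recipient -Identity $Identity
    $result = [ordered]@{}
    foreach ($n in 1..15) {
        $result["extensionAttribute$n"] = $recipient."CustomAttribute$n"
    }
    return [pscustomobject]$result
}

function Get-RegisteredExtensionAttributeNames {
    # Azure AD Connect registers the selected attributes on this app; the GUID in each
    # attribute name is that app's AppId (without dashes).
    $app = Get-AzureADApplication -Filter "displayName eq 'Tenant Schema Extension App'"
    if (-not $app) {
        throw "Tenant Schema Extension App not found: were the extension attributes selected in the Azure AD Connect wizard?"
    }
    (Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId).Name
}

function Get-ExtensionAttributesFromGraph {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccessToken,
        [string[]]$Names = (Get-RegisteredExtensionAttributeNames)
    )
    # The registered names only exist on the beta endpoint; v1.0 will not return them.
    $selectList = @($Names + @('id', 'userPrincipalName')) -join ','
    $uri = "https://graph.microsoft.com/beta/users/$UserPrincipalName" + '?$select=' + $selectList
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
}

# Usage:
Get-ExtensionAttributesFromExchange -Identity $upn
Get-ExtensionAttributesFromGraph -UserPrincipalName $upn -AccessToken $accessToken
```

Resolving the attribute names from the Tenant Schema Extension App avoids copying the GUID by hand, and the explicit error makes the failure mode clear when the wizard step was skipped: the attributes may still be synced (visible in the Synchronization Service Manager), but they are not registered and the Graph query returns nothing for them.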

When you want to use these attributes in SharePoint, you need to find a way to get them imported into the SharePoint user profile.
There are a few solutions on the internet that use PowerShell to read the mailbox or recipient and place the values in a custom SharePoint user profile property.
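As an added illustration of that approach (my own example, not one of the solutions the post refers to), the following script copies one CustomAttribute from every mailbox that has a value into a custom SharePoint user profile property using the PnP PowerShell cmdlet Set-PnPUserProfileProperty. It assumes the profile property (the name ‘CostCenter’ is constructed here) has already been created in the User Profile service, and that you are connected with Connect-ExchangeOnline and with Connect-PnPOnline against the tenant admin site.

```powershell
# Added example, not from the original post.
# Assumptions: the custom profile property already exists in the SharePoint User Profile
# service; Connect-ExchangeOnline and Connect-PnPOnline (tenant admin URL) have been run.
param(
    [string]$ProfilePropertyName = 'CostCenter',   # constructed property name
    [int]$ExtensionAttributeNumber = 2             # on-premises extensionAttribute2
)

$customAttribute = "CustomAttribute$ExtensionAttributeNumber"

# Filter server side so only mailboxes that actually carry a value come back;
# the backtick keeps $null literal for the Exchange filter instead of expanding it.
$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "$customAttribute -ne `$null"

$updated = 0
foreach ($mbx in $mailboxes) {
    $value   = $mbx.$customAttribute
    $account = $mbx.UserPrincipalName
    try {
        Set-PnPUserProfileProperty -Account $account -PropertyName $ProfilePropertyName -Value $value
        $updated++
        Write-Verbose "Updated $account : $ProfilePropertyName = $value"
    }
    catch {
        # A missing profile (user never visited SharePoint) is the usual cause here.
        Write-Warning "Failed for $account : $($_.Exception.Message)"
    }
}

Write-Output "Profile property '$ProfilePropertyName' updated for $updated user(s)."
```

Run it on a schedule (for example from Azure Automation) so the profile property follows changes in on-premises AD; the try/catch keeps one missing profile from aborting the whole run.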

Because the extension attributes are default attributes in the on-premises Active Directory and are used by several customers, my opinion is that these attributes should be available through the Graph API by default.
For this I have created an idea on the Office UserVoice:

12 Responses

  • Miguel Isidoro

    Can you supply an example of usage of the beta Graph API to get the extension attributes?


  • Mahesh

    Can I add one or more on-premises custom AD attributes to Azure AD Connect through the wizard you showed above, and will Azure AD Connect directly sync it to the cloud with its value?
    Do I need some more configuration as well?


    • Hello Mahesh,

      You only need to use the wizard to add the custom attributes. After that you should run an initial sync, but the wizard will ask you for that as well.
      To see the new attributes you should see the application, and with the beta endpoint you should be able to see the custom attributes.


  • Is it possible to do a two-way sync between Azure AD and on-prem AD for Extension Attributes?

    • Hello James,

      As far as I can see in the configuration this is only from the on-premises AD to Azure AD.
      If you look at the screenshot from Microsoft, they say that the extension attributes are synchronized from on-premises to Azure AD.


      • Rob de Jong

        There is no user write-back from Azure AD to on-premises AD, hence there is no sync of attribute values from Azure AD back to AD either.

        • Thanks Rob for clarifying that

  • Joel

    We added a custom attribute to our schema and changed ADconnect to sync it up (not extensionAttributes, but a homemade attribute). I see it in azure under app registrations. Using graph, I can see that my test user did get the value sync’d from on-premise AD to Azure. I was trying to use that attribute to build a dynamic group in Azure, but it won’t populate my test user into that group. Our other dynamic groups using the baked-in extensionAttributes populate fine. Is what I’m trying to do possible?

  • Ricky Singh

    This is really good information. I have an extension attribute that is synchronizing from on-premises AD to Azure AD. I am able to see this attribute and its value using the following PowerShell command:

    Get-AzureADUser -ObjectId "" | Select-Object -ExpandProperty ExtensionProperty

    The issue is that we need to get this property crawled in SharePoint Online and use this crawled property in one of our solutions. The problem is that this extension property is not being crawled. Do you know what will need to be done to get this extension property (extension__extensionAttribute2) crawled?

    • Hello Ricky,

      Sorry about the late response, but as far as I know there is no option to crawl these properties from SharePoint.
      I have solved this by creating a profile property in the SharePoint profile and having a script running in Azure Automation that populates this property in the SharePoint user profile using the Office Dev PnP PowerShell cmdlets.
      See this post about this.

      Hope this helps.

