Updated: Extension attributes in Azure AD

Page content

This week I had a customer that has some data in their on-premises Active directory that we needed to use for a custom application in SharePoint Online. This data was placed in the ExtensionAttribute field of the user. With the latest version of Azure AD Connect we have the option to select attributes to sync to Azure Active Directory and that is what the customer did. https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-directory-extensions/

This screenshot has selected division and employeeID, but in the complete list of available attributes there are also the ExtensionAttributes. When you do not select them here, the extension attributes will be in the synchronization.

This results that the data should be available in Azure AD and when we take a look in the Synchronization Service Manager and search for a user with an ExtensionAttribute we see that it is synced to Azure AD.

So that is good news that we have confirmation that the properties are coming to Azure AD, but the question now is how can we use this data?

How to receive the Extension attributes?

Some of the custom properties like the employeeID in the first screenshot are available in the Graph API, but the ExtensionAttributes are not. When you try this with PowerShell you see that there is a property called ExtensionData, but you are not able to see what is inside it. So both options will not give you the data of the ExtensionAttributes.

With PowerShell there is a way around it is to get the Exchange mailbox or recipient. When you connect to Exchange online and get the mailbox for the user the ExtensionAttributes are available thru the CustomAttributes. Get-Mailbox -Identity Get-Recipient -Identity

How to get them in the Graph API?

To get the extensionattribute in the Graph API you need to select the attributes in the wizard from the first screenshot. That way the attributes get explicitly registered in Azure AD in the form of “extension__extensionAttribute14”. In Azure AD you also get an extra application called “Tenant Schema Extension App”. The id of this app is the guid in the extension attribute in Azure AD.

These attributes are only available in the beta endpoint of the Graph API

Conclusion

When you update to the latest version of the synchronization client you have the option to select extension attributes. These attributes are only visible in the beta endpoint of the Graph API. When you do not have the option to update to the latest version you can only use PowerShell and connecting to Exchange Online to access the extension attributes.

When you want to use these attributes in SharePoint we need to find a way to get them imported into the SharePoint user profile. There are a few solutions on the internet that uses PowerShell to read the mailbox or recipient and place the values in a custom SharePoint user profile property.

http://blog.intucio.com/blog/synchronizing-microsoft-azure-active-directory-extension-attributes-with-sharepoint-online-user-profile-properties https://github.com/OfficeDev/PnP/tree/master/Samples/Core.UserProfiles.Sync

Because the extension attributes are default attributes in the on-premises active directory and are used by several customers, my opinion is that these attributes should be available thru the Graph API by default. For this I have created an idea on the Office UserVoice: https://officespdev.uservoice.com/forums/224641-general/suggestions/15482145-expose-extensionattributes-in-azure-ad-with-the-of