Azure AD Extension Attributes for Custom User Data


Azure AD extension attributes for custom user data let you store additional information about your users. This is particularly useful for information that the standard Active Directory attributes don't cover.

You can store up to 100 extension attributes per user, a significant increase over the standard 15 attributes provided by Active Directory. This flexibility is a major advantage of Azure AD extension attributes.

To use them, you first define a custom attribute schema that sets the name and data type of each attribute; that definition is then used to store and retrieve the custom data.

Adding Custom Attributes

Custom attributes can be added to Azure AD objects such as users, groups, and devices to store additional information. This can be done by creating a custom extension attribute on an application object (app registration).

You can add custom extension attributes of different types, including binary, boolean, date and time, string, integer, and large integer. For example, you can create a string attribute named "ObjectLifeCycleState" for user and group objects.


To add a custom extension attribute, use the Microsoft Graph API: send a GET request to the application object's URI to confirm its details, then change the method to POST and supply a request body containing the attribute's name, data type, and target objects.

The attribute name will consist of "extension_" followed by the application's client ID and the attribute name. For instance, if the application's client ID is "cde0e9a5d3f44a81b81097334dbb9f66" and the attribute name is "ObjectLifeCycleState", the full attribute name would be "extension_cde0e9a5d3f44a81b81097334dbb9f66_ObjectLifeCycleState".

Here are some examples of custom extension attribute types:

  • Binary
  • Boolean (true/false)
  • Date and time (2021-10-16T18:01:29)
  • String (“Some Value”)
  • Integer (12345)
  • Large integer
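As an added Python example (not code from the original post), the following builds the Graph request that registers an extension property on the app registration and derives the resulting attribute name. It assumes the Graph route /applications/{objectId}/extensionProperties for this operation, checks the data type and target objects against the sets listed above, and uses a constructed sample Object ID alongside the client ID from the post.

```python
import json
import re

# Data types and target object types the post lists for directory extensions.
DATA_TYPES = {"Binary", "Boolean", "DateTime", "String", "Integer", "LargeInteger"}
TARGET_OBJECTS = {"User", "Group", "Organization", "Device", "Application"}
GRAPH = "https://graph.microsoft.com/v1.0"


def validate_name(name: str) -> str:
    """Attribute names are alphanumeric only: the underscore is reserved as the
    separator in the generated extension_<clientId>_<name> property name."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        raise ValueError(f"invalid attribute name {name!r}")
    return name


def full_attribute_name(client_id: str, name: str) -> str:
    """Return the name Azure AD assigns to the directory extension:
    'extension_' + application (client) ID without hyphens + '_' + name."""
    return f"extension_{client_id.replace('-', '')}_{validate_name(name)}"


def build_create_request(app_object_id: str, name: str, data_type: str,
                         target_objects) -> dict:
    """Describe the POST that registers the extension on the app registration.
    The app's Object ID (not its client ID) goes in the URL; dataType and
    targetObjects are checked against the sets above before anything is sent."""
    if data_type not in DATA_TYPES:
        raise ValueError(f"unsupported dataType {data_type!r}")
    unknown = set(target_objects) - TARGET_OBJECTS
    if unknown:
        raise ValueError(f"unsupported targetObjects {sorted(unknown)}")
    return {
        "method": "POST",
        "url": f"{GRAPH}/applications/{app_object_id}/extensionProperties",
        "body": {"name": validate_name(name), "dataType": data_type,
                 "targetObjects": sorted(target_objects)},
    }


if __name__ == "__main__":
    # Constructed sample Object ID; the client ID below is the one from the post.
    req = build_create_request("11111111-2222-3333-4444-555555555555",
                               "ObjectLifeCycleState", "String", ["User", "Group"])
    print(json.dumps(req, indent=2))
    print(full_attribute_name("cde0e9a5d3f44a81b81097334dbb9f66", "ObjectLifeCycleState"))
```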

Azure AD App Registration

To create an Azure AD app registration, you'll need to follow a few simple steps. Go to the Azure AD Portal, click Azure Active Directory and App registrations, and then click New registration.

You'll be asked to give the app a name, which should be something like IAM Custom Extension Attributes. Keep the other settings default and click Register. Make a note of the app registration's Object ID, as you'll need this value later.

The app registration's Object ID is essential for adding custom extension attributes using Microsoft Graph via Graph Explorer.

App Registration


To create a new app registration in Azure AD, go to the Azure AD Portal, click Azure Active Directory and then App registrations. Click New registration, give the app a name, keep the other settings at their defaults and click Register.

The app registration is assigned an Object ID. Make a note of it, as you'll need it when creating the extension attributes in the next steps.

Creating a new app registration is a good choice for implementing custom extension attributes. If you need to learn how to work with Microsoft Graph and Graph Explorer, check out my blog post series Getting started with Microsoft Graph.

You can use Azure AD PowerShell or the Microsoft Graph PowerShell SDK instead of Graph Explorer, but we'll be using Graph Explorer in this example.

Register and Use

Registering a new app registration in Azure AD is a good choice for implementing custom extension attributes. In the Azure AD Portal, click "Azure Active Directory" and then "App registrations", then click "New registration" and give the app a name.


To create a new app registration, you'll need to provide a name and keep the other settings default. Once you've done this, make a note of the app registration's Object ID, as you'll need this value later.

You can use Microsoft Graph via Graph Explorer to add custom extension attributes to the app registration. Graph Explorer is a tool that allows you to interact with Microsoft Graph, which is a REST API that provides access to Microsoft cloud services.

To add a custom extension attribute, use the POST method in Graph Explorer and provide a request body with the attribute name, data type, and target objects.

Here's a summary of the types of custom extension attributes:

  • Binary
  • Boolean (true/false)
  • DateTime (2021-10-16T18:01:29)
  • String (“Some Value”)
  • Integer (12345)
  • LargeInteger

Once you've added a custom extension attribute, you can use it to store and retrieve data using Microsoft Graph. You can also use directory extensions to sync data into them from on-premises using Microsoft Entra Connect.

Creating a Conditional Access Policy


Creating a Conditional Access policy is a crucial step in securing your Azure AD app registration, and you can build the policy's conditions on extension attributes.

To do this, go to Microsoft Endpoint Manager > Endpoint Security > Conditional Access and create a new policy.

Under Conditions, you can select the extension attributes as the basis for including or excluding specific devices. This allows you to tailor your access policy to specific device attributes.

Working with Azure AD Attributes

Custom extension attributes can be used to populate values on Azure AD objects like users and groups, but there are specific object types that support this feature, including User, Group, Organization, Device, and Application.

You can add custom extension attributes to an Application object (app registration) and then populate the attributes with values on objects in Azure AD. This can be useful for storing object lifecycle state values, like Active, Inactive, or PendingDeletion, for use in reports and identity automation tasks.


To add a custom extension attribute, you can use Graph Explorer and perform a POST request to the application's resource URI, specifying the attribute name, data type, and target objects. The attribute name consists of "extension_" + Application (client) ID + attribute name.

Here are the supported data types for custom extension attributes: Binary, Boolean (true/false), DateTime (2021-10-16T18:01:29), String (“Some Value”), Integer (12345), and LargeInteger.

Retrieve Custom User Attribute

To retrieve a custom user attribute in Azure AD, you can use the Microsoft Graph API. Make a GET request to the resource URI https://graph.microsoft.com/v1.0/users/{user objectId or upn}, where {user objectId or upn} is the object ID or UserPrincipalName of the user whose attribute you want to read. This is shown in Example 3.

You can add the custom extension attribute name to the select query parameter, like this: https://graph.microsoft.com/v1.0/users/e600712c-2132-455f-8d9f-ae0fc5ac9abe?$select=id,displayName,userprincipalname,extension_cde0e9a5d3f44a81b81097334dbb9f66_ObjectLifeCycleState.

The extension attribute name consists of "extension_" + Application (client) ID + attribute name, as shown in Example 7. Make sure to use the correct case when specifying the attribute name, as case consistency is important when setting directory extension attributes on objects.

Here is an example of the correct syntax to retrieve a custom user attribute: GET https://graph.microsoft.com/v1.0/users/e600712c-2132-455f-8d9f-ae0fc5ac9abe?$select=id,displayName,userprincipalname,extension_cde0e9a5d3f44a81b81097334dbb9f66_ObjectLifeCycleState.
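To show the store-and-retrieve round trip end to end, here is an added Python example (not from the original post). It builds the $select URL above, builds the PATCH that writes a lifecycle value using the registered attribute name in its exact case, and reads the attribute back from a constructed sample Graph response; it relies on Graph leaving an unset extension out of the response rather than returning null. The sample user IDs and UPNs are made up; the attribute name and the user object ID in the demo are the ones from the post.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
# Directory extension name from the post: "extension_" + client ID + attribute name.
LIFECYCLE_ATTR = "extension_cde0e9a5d3f44a81b81097334dbb9f66_ObjectLifeCycleState"
# Lifecycle states the post mentions for this attribute.
LIFECYCLE_STATES = {"Active", "Inactive", "PendingDeletion"}


def build_select_url(user: str, *extension_attrs: str) -> str:
    """GET URL returning the basics plus the named extension attribute(s)."""
    props = ["id", "displayName", "userPrincipalName", *extension_attrs]
    return f"{GRAPH}/users/{user}?$select={','.join(props)}"


def build_set_request(user: str, state: str) -> dict:
    """PATCH that writes the lifecycle state. The attribute name must be sent in
    exactly the case it was registered with, so it always comes from the constant."""
    if state not in LIFECYCLE_STATES:
        raise ValueError(f"unknown lifecycle state {state!r}")
    return {"method": "PATCH", "url": f"{GRAPH}/users/{user}",
            "body": {LIFECYCLE_ATTR: state}}


def read_extension(user_obj: dict, attr: str = LIFECYCLE_ATTR):
    """Return the attribute value, or None if the object has none. Graph leaves an
    unset extension out of the response rather than returning null, so a missing
    key means 'not set', not a malformed response."""
    return user_obj.get(attr)


def lifecycle_report(users: list) -> dict:
    """Group UPNs by lifecycle state; users with no value land under 'Unset' so
    accounts the automation never tagged are visible in the report."""
    report = {}
    for u in users:
        report.setdefault(read_extension(u) or "Unset", []).append(u["userPrincipalName"])
    return report


# Constructed sample of a GET /users?$select=... response (made-up IDs and UPNs).
SAMPLE_USERS = [
    {"id": "7f1c0f22-0000-4000-8000-000000000001", "displayName": "Alice Example",
     "userPrincipalName": "alice@contoso.example", LIFECYCLE_ATTR: "Active"},
    {"id": "7f1c0f22-0000-4000-8000-000000000002", "displayName": "Bob Example",
     "userPrincipalName": "bob@contoso.example", LIFECYCLE_ATTR: "PendingDeletion"},
    {"id": "7f1c0f22-0000-4000-8000-000000000003", "displayName": "Carol Example",
     "userPrincipalName": "carol@contoso.example"},  # attribute never set
]

if __name__ == "__main__":
    print(build_select_url("e600712c-2132-455f-8d9f-ae0fc5ac9abe", LIFECYCLE_ATTR))
    print(lifecycle_report(SAMPLE_USERS))
```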

Group Membership Rules


To create a dynamic device group, you can use extension attributes as the basis for group membership. Go to Microsoft Endpoint Manager > Groups > New group, select a dynamic device group template, and build the membership rule on the extension attributes.

Creating dynamic device groups from extension attributes is a powerful feature of Microsoft Endpoint Manager: it lets you group devices by specific criteria, such as device attributes, rather than by a fixed member list.
