Extension attributes for Azure Active Directory

Peter Philips 106 Reputation points
2020-11-22T02:58:45.647+00:00

Hello,

We are a Microsoft Partner and have an integration with Microsoft that primarily uses the Microsoft Graph API. We have customers that would like to sync custom data fields from their Azure AD tenant to our application. In some cases, they are using AzureAD Connect to sync data from their on-prem AD to their Azure AD in the cloud.

We have read lots of documentation regarding custom data coming from Azure via the Graph API. It appears there are 3 possible solutions:

  1. AzureAD Graph extension attributes: https://learn.microsoft.com/en-us/powershell/azure/active-directory/using-extension-attributes-sample?view=azureadps-2.0
  2. Azure AD Open extensions: https://learn.microsoft.com/en-us/graph/extensibility-overview#open-extensions
  3. Azure AD Schema extensions: https://learn.microsoft.com/en-us/graph/extensibility-overview#schema-extensions

I understand the difference between Open and Schema extensions, but I would like to know more about whether the Azure AD extension attributes (#1 above) are being deprecated, whether they are required for Azure AD Connect, or any other nuances about this format.

Or, in other words: when a tenant uses AzureAD Connect to sync custom data attributes, how will these appear via the Graph API? Do these appear as extension attributes (1), open extensions (2), or schema extensions (3)?

Microsoft Entra ID

Accepted answer
  1. Peter Philips 106 Reputation points
    2021-01-04T07:12:13.213+00:00

    Hi @MarileeTurscak ,

    Thanks for your response.

    After much research and experimentation, the confusion we had is that we've learned that really there are two top level ways to create schema extensions: AD Connect Schema Extensions and Microsoft Graph Schema Extensions. There are also MS Graph Open Extensions, but I won't get into that as they are untyped.

    AD Connect extensions come in the form described above, extension_(ApplicationID)_(AttributeName), and are listed as attributes in the top level of the User resource just like all the other attributes.

    MS Graph schema extensions lead to a nested schema on the User resource and have a schema ID in the form similar to (appdomain)_(schemaName). This schema has attributes including a nested "properties" collection which describes the typed extension attributes in the schema.

    It's very straightforward to work with the MS Graph schema extensions through the Graph API. Our trouble is that our customers mostly use AD Connect Schema Extensions, and the structuring of AD Connect Schema Extensions is significantly different to MS Graph Schema Extensions. This means we need to maintain two branches of code to support both cases, as the differences are non-trivial. Further, this makes it very difficult to test short of having an AD Forest with AD Connect set up with our Azure.

    Hopefully this helps someone else in the future as it's not well explained in the docs.

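As an added example (not code from either post), here is how a consumer of the Graph API might normalise the two shapes the accepted answer describes into one structure, while only accepting directory extension attributes that belong to the tenant's own "Tenant Schema Extension App". The sample user object, application id, schema id and values are constructed; the rule that a schema extension appears as a nested object whose key contains an underscore is an assumption derived from the (appdomain)_(schemaName) naming form given above.

```python
from __future__ import annotations

import re
from typing import Any

# Constructed sample of a Graph user object carrying both extension shapes.
# The application id, schema id and attribute values are made up for this example.
SAMPLE_USER: dict[str, Any] = {
    "id": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "jdoe@contoso.example",
    # AD Connect directory extension: flat, top-level attributes named
    # extension_{ApplicationId without dashes}_{AttributeName}
    "extension_1234567890abcdef1234567890abcdef_employeeID": "E-1001",
    "extension_1234567890abcdef1234567890abcdef_costCenter": "CC-42",
    # Same attribute name, but registered by a different (untrusted) application
    "extension_ffffffffffffffffffffffffffffffff_employeeID": "E-9999",
    # Microsoft Graph schema extension: nested object keyed {appdomain}_{schemaName}
    "contoso_hrProfile": {"employeeID": "E-1001", "badgeColor": "blue"},
}

# Directory extension names carry the application id as 32 hex characters.
DIRECTORY_EXT = re.compile(r"^extension_([0-9a-fA-F]{32})_(.+)$")


def extract_custom_attributes(user: dict[str, Any], trusted_app_id: str) -> dict[str, dict[str, Any]]:
    """Return custom attributes keyed by source ("directory" or "schema").

    trusted_app_id is the client id of the tenant's Tenant Schema Extension App,
    with or without dashes. Directory extension attributes registered by any
    other application id are dropped instead of being merged into the result.
    """
    trusted = trusted_app_id.replace("-", "").lower()
    result: dict[str, dict[str, Any]] = {"directory": {}, "schema": {}}
    for key, value in user.items():
        m = DIRECTORY_EXT.match(key)
        if m:
            app_id, attr = m.groups()
            if app_id.lower() == trusted:
                result["directory"][attr] = value
            continue
        # Assumption: built-in Graph user properties are camelCase without
        # underscores, so a nested object under an underscored key is a schema
        # extension of the form {appdomain}_{schemaName}.
        if isinstance(value, dict) and "_" in key:
            for attr, v in value.items():
                result["schema"][f"{key}.{attr}"] = v
    return result
```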

1 additional answer

  1. Marilee Turscak-MSFT 34,036 Reputation points Microsoft Employee
    2020-11-24T00:42:53.467+00:00

    Hi @Peter Philips ,

    As you mentioned, Azure AD Graph is being deprecated, but the Graph API has a beta version that also returns the extension attributes. https://learn.microsoft.com/en-us/graph/api/resources/synchronization-configure-with-directory-extension-attributes?view=graph-rest-beta&tabs=http

    You can customize which attributes to synchronize with Azure AD.

    During installation of Azure AD Connect, an application is registered where these attributes are available. You can see this application in the Azure portal. Its name is always "Tenant Schema Extension App."

    The attributes are prefixed with extension_{ApplicationId}_.

    Then you could select the attributes through Microsoft Graph like this: GET https://graph.microsoft.com/beta/users/{object id}?$select=extension_{ApplicationId}_employeeID.

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

    See also this similar question: https://stackoverflow.com/questions/54584746/querying-extensionattributes-in-microsoft-graph-api
