Dynamic group with schema extensions on user objects?

Question

We use schema extensions on user objects across multiple applications and would like to be able to build dynamic groups based on schema extension attribute values.

Note there are multiple types of extensions. I'm referring to Schema Extensions from https://learn.microsoft.com/en-us/graph/extensibility-overview. Not Open Extensions or on-premise AD extension attributes.

I see the option to "Get custom extension properties" by identifying an application ID. It appears this is for Open Extensions. I try using the applicationID of the application that owns the Schema Extension but no attributes are loaded. I try just scripting a rule using the attribute name user.<domain>_myschema.attribute but get message that property does not exist.

Is it possible to create a dynamic group based on Schema Extensions?

Answer 1

@Keennon, Mike - unfortunately many Identity/Azure AD capabilities (dynamic membership, custom token claims, provisioning, change tracking) do not yet support schema extensions. You'll need to use Directory Extensions instead. It's a similar but earlier version of schema extensions but only for directory. Management of the directory extension definitions and extension values is also exposed through Microsoft Graph. See Create extensions.

We're also in the process of writing a topic that compares and contrasts the different extensibility options in Microsoft Graph, along with examples.

Hope this helps.