Azure AD User - Clear extensionAttribute

Henrique Carvalho 1 Reputation point
2020-06-24T10:49:49.22+00:00

Hi,

I need to clear Azure AD User extensionAttribute10 (on quite some users)

The only way I found to do it programmatically is via Graph Api beta version. Do you know any other way?

My script works well if I just read users details.
If I try an update (via patch verb) it simple blocks on the 3th iteration .
I also tried to update the AccountEnabled field this way and the same issue occurs (but this one I have it resolved doing the "updates" via AzureAD module and Set-AzureAdUser)

10586-clearx10ps1.txt

Script file in attachment. Any clue on the issue?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,606 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-06-24T16:11:29.58+00:00

    Hi @HenriqueCarvalho-4095

    The cmdlets to get token and patch call are correct. I tested you script in my test tenant with a single user account (by removing foreach loop) and confirmed that it is clearing the value of extensionAttribute for that user.

    The only problem I can think of is, missing required permissions to perform that patch call. Since you are using client_credentials flow, the patch operation is being performed under application context. If the application don't have required permissions to perform the patch operation, the call would fail.

    The minimum permission required for this purpose is user.readwrite.all. You can assign this permissions by following below steps:

    1. Navigate to Azure AD > App Registration
    2. Select the Application whose client id you are using in the script.
    3. Go to API Permissions blade.
    4. Click on Add a permission.
    5. Click on Microsoft Graph and add User.ReadWrite.All under Application permissions and NOT under Delegated permissions.
    6. Click on Grant admin consent for Azure Active Directory button.
    7. Make sure you see the green check under status column.

    Refer to below screenshot, where I have highlighted these steps:

    10634-untitled.png

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

  2. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-06-25T10:19:08.137+00:00

    Hi @HenriqueCarvalho-4095,

    Yes, Directory.ReadWrite.All permission would also work. If there are too many requests and throttling is needed, http 429 error is thrown. Which I don't think is the issue here. You don't need to move the Get-OauthToken inside the loop as well.

    What is the value of $mail in $ApiUrl = "https://graph.microsoft.com/beta/users/$($mail)"? Is it Email Address or UPN of the users? If the value of email address and UPN attributes is different, then you need to update your input file with UPNs of the users.

    I tested the script with foreach loop and I didn't encounter any issues while setting and removing value of extensionAttribute10. Below is how my loop and csv file looks:

     $users = Get-Content -Path C:\test\user.csv
 foreach($user in $users){
 $ApiUrl = "https://graph.microsoft.com/beta/users/$($user)"

    10635-capture.jpg

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.