This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We created a multi-tenant application in tenant A, we then added several extensionProperties. If we then create a new Dynamic Membership group (in Tenant A) and press the Get custom extension properties link, and then input the Application ID. We get to pick the created extension properties, as shown in this screenshot: ![13590-custom-extension-properties.png][1] Now we try the same in tenant B, the admin did do the admin consent for our application. 1. Admin consent for our app 2. Create some users with a value in the extension properties 3. Create dynamic group 4. Click Get custom extension properties 5. Enter the application ID and press Refresh properties 6. Tumbleweed (eg. nothing happens) When executing these steps in Tenant A, I see that it does a network reqeust to https://main.iam.ad.ext.azure.com/api/groups/c28ed0...697/GetExtensionPropertiesByApp (with the correct application ID). The response is a json file with an array of extension properties like:
[{ "appDisplayName": "", "name": "extension_c28ed0xxxc697_Subject", "dataType": "String", "isSyncedFromOnPremises": false, "objectType": "ExtensionProperty", "targetObjects": [ "User", "Group" ] }]
When executing the same steps on Tenant B, I see the same request but the response is empty [] I've made sure that we actually have users with a value set for those extension properties. And was wondering how to enable these extension properties on third-party tenants, that use our multi-tenant appliction. Is it not working by design, or is it a bug? ## Would this work? Do we just need to execute these extra steps to enable it in every other tenant: 1. Ask for the scope Application.ReadWrite.All 2. Create the extension properties in every tenant, at time of enrollment? ## Bug or not implemented? I'm guessing it is either a bug, or extension attributes aren't meant to be used in multi-tenant applications. [1]: /api/attachments/13590-custom-extension-properties.png?platform=QnA
Extension properties can only be managed and accessed from the application home tenant.
Is there a way to tell the third-party tenant to “import” or “load” the extensions? Having them in the UI is only a nice to have, but at this moment we cannot save the group when we add it to the text query editor.
If we could just input the following we can live with that, but for now it complains it isn't a correct query.
(user.extension_guid_extensionName -eq "My Value")
Or are extension attributes not to be used with multi-tenant applications?
Do you maybe have a suggestion how to solve this problem?
Extension attributes can only be used with applications within the same tenant. You must create an application and extension properties on each tenant where you want to use them.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 55.00000000000001%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIA%3C/text%3E%3C/svg%3E)
We have the same use case as described above.
We use a multi tenant app and extension properties can be used in other tenants.
We have no problem setting the extension property on a user in other tenant:
$params = @{
ObjectId = $user.Id
ExtensionName = "extension_guid_MyProperty"
ExtensionValue = $true
}
Set-AzureADUserExtension @params
The only problem we have is trying to use the extension property in a dynamic group.
As setting the property on a user is supported, using it on a dynamic group should also be supported. (at least via PowerShell)