Azure AD Connect sync: Directory extensions

Directory extensions allows you to extend the schema in Azure AD with your own attributes from on-premises Active Directory. This feature allows you to build LOB apps consuming attributes you continue to manage on-premises. These attributes can be consumed through Azure AD Graph directory extensions or Microsoft Graph. You can see the attributes available using Azure AD Graph explorer and Microsoft Graph explorer respectively.

At present no Office 365 workload consumes these attributes.

You configure which additional attributes you want to synchronize in the custom settings path in the installation wizard. Schema Extension Wizard
The installation shows the following attributes, which are valid candidates:

  • User and Group object types
  • Single-valued attributes: String, Boolean, Integer, Binary
  • Multi-valued attributes: String, Binary


While Azure AD Connect supports synchronizing multi-valued AD attributes to Azure AD as multi-valued directory extensions, there are currently no features in Azure AD that support the use of multi-valued directory extensions.

The list of attributes is read from the schema cache created during installation of Azure AD Connect. If you have extended the Active Directory schema with additional attributes, then the schema must be refreshed before these new attributes are visible.

An object in Azure AD can have up to 100 directory extensions attributes. The max length is 250 characters. If an attribute value is longer, then it is truncated by the sync engine.

During installation of Azure AD Connect, an application is registered where these attributes are available. You can see this application in the Azure portal.
Schema Extension App

These attributes are now available through Graph:

The attributes are prefixed with extension_{AppClientId}_. The AppClientId has the same value for all attributes in your Azure AD tenant.

Next steps

Learn more about the Azure AD Connect sync configuration.

Learn more about Integrating your on-premises identities with Azure Active Directory.