How can I see/use synced Directory Extension attributes?

Question

How can I see/use synced Directory Extension attributes?

David Pettitt 51

I am unable to view directory extension attributes on user objects in AAD.

I have followed the guide to sync Directory extensions from on-prem AD to Azure AD using Azure AD Connect: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions
The Tenant Schema Extension App has appeared in my list of Enterprise applications.
While editing the Attributes & Claims for SAML-based Sign-on for an Enterprise app, I now see the two new attributes in the list of available attributes: extension_<app ID>_<attribute name>

However, I am unable to actually view/use the attribute values:

The SAML token does not include the directory extension attribute(s)
I tried (Get-AzureADUser -ObjectId <object id>).ExtensionProperty, and the attributes are not listed
I tried (Get-AzureADUserExtension -objectid <object id>).get_item("extension_<app id>_<attribute name>"), and get the error "The given key was not present in the dictionary
I tried a Microsoft Graph API call to https://graph.microsoft.com/beta/users/<user id>?$select=extension_<appid>_<attribute name> and received the error "Term 'extension_<appid>_<attribute name>' is not valid in a $select or $expand expression."

What am I missing/doing wrong?

Answer 1

@David Pettitt

As we discussed and troubleshooted on the call, Issue was with the AD connector account permissions. AD connector account did not have the permissions to read both extension attributes.
Post giving necessary permissions and running sync, you are now able to see these directory extension attributes in Azure AD.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hello @David Pettitt

Thank you for sharing this question on this community space.

I would like to gather the next articles which fit into your case scenario based on the error logs shared above .... So please direct yourself down below:

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#security-considerations

Furthermore, I came across with this link https://developer.microsoft.com/en-us/graph/graph-explorer and just wanted to provide it as well.

I hope you can find this useful to address your concern.

Looking forward to your feedback,

Cheers,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

David Pettitt 51 Reputation points

2022-10-24T17:58:07.45+00:00

Thanks for trying. Those links about AD Claims Mapping might be useful, once I can actually see and confirm the attribute values are present in AAD.

As per my comment on the other response, Microsoft Graph user queries are currently not showing the new Directory Extension attributes.

Answer 3

@David Pettitt

You can run the graph query as https://graph.microsoft.com/beta/users/<User's UPN>. You will get below result and you will be able to see the extension attribute in Azure AD user properties,

Now, to pass this attribute as claim for SAML application you will have to use Azure AD policy. You will have to create new Azure AD policy to include this extension attribute.
Once you create the policy you will have to link the policy to application service principal.

You can follow the steps mentioned below:

Create an AzureADPolicy.

New-AzureADPolicy -Definition @('{
"ClaimsMappingPolicy": {
"Version": 1,
"IncludeBasicClaimSet": "true",
"ClaimsSchema": [{
"Source": "user",
"ID": "extension_fe465646bca7445882882a8ac953af3e_employeeID",
"SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
}
]
}
}') -DisplayName "CustomClaimsPolicy1" -Type "ClaimsMappingPolicy"

Attach the newly created AzureADPolicy to a specific AzureAD App's Serviceprincipal for which the token would be requested for.
Add-AzureADServicePrincipalPolicy -Id {object id of service principal} -RefObjectId {object id of policy}

To check if the policy is successfully added to the ServicePrincipal or not:
Get-AzureADServicePrincipalPolicy -Id "{object id of service principal}"

Once the policy is attached you can try accessing the application. Now you will be able to see the directory extension attribute as claim in the SAML token.

Do let me know if you have any further questions on this.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

David Pettitt 51 Reputation points

2022-10-24T17:52:29.29+00:00

You can run the graph query as https://graph.microsoft.com/beta/users/<User's UPN>. You will get below result and you will be able to see the extension attribute in Azure AD user properties,

That's exactly my problem here. If I run a Microsoft Graph query, it doesn't include any extension_<App ID>_<attribute name> attributes.
David Pettitt 51 Reputation points

2022-11-04T18:23:01.117+00:00

The issue was that the directory extension attributes in on-prem AD had extra security on them, and were not visible by default. I needed to grant the MSOL_* AADC sync account access to view the attributes.

Thanks for the assist, @Sandeep G-MSFT !
Sandeep G-MSFT 11,331 Reputation points Microsoft Employee

2022-11-06T04:44:16.513+00:00

@David Pettitt

As we discussed and troubleshooted on the call, Issue was with the AD connector account permissions. AD connector account did not have the permissions to read both extension attributes.
Post giving necessary permissions and running sync, you are now able to see these directory extension attributes in Azure AD.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

How can I see/use synced Directory Extension attributes?

2 additional answers

Activity