When trying to manage an extension attribute via Graph PowerShell, getting error: Update-MgUser : Unable to update the specified properties for objects that have originated within an external service.

Miroslav Senk
2024-04-04T10:39:03.19+00:00

We are trying to populate ExtensionAttribute2 via Graph PowerShell "Update-MgUser" for several cloud-only accounts.

But for many of them it doesn't work and we receive an error message:
Update-MgUser : Unable to update the specified properties for objects that have originated within an external service.

All impacted accounts are cloud only and were never synced via AD Connect; they don't even have a mailbox, so we can't use Exchange PowerShell to populate this attribute.

All attributes are empty:
On-premises sync = No
On-premises last sync date time
On-premises distinguished name

Extension attributes
On-premises immutable ID
On-premises provisioning errors
On-premises SAM account name
On-premises security identifier
On-premises user principal name
On-premises domain name

Does someone have some way to fix this issue, or some way to bypass it? Or at least, what is the root cause of the issue?


Accepted answer
Vasil Michev MVP Volunteer Moderator
2024-04-04T15:59:17.57+00:00

Hi Miroslav,

The restriction of being able to update extension attributes (OnPremisesExtensionAttributes) via the Graph API applies also to objects created in Exchange Online. Even if the user doesn't have a mailbox, he can be a valid Exchange recipient (i.e. a MailUser), in which case you must use the Exchange cmdlets. To verify the user's status in Exchange, you can run the Get-Recipient or Get-User cmdlet.

Basically, if the user in question does not show in the output of the Get-Recipient cmdlet, you will be able to change the extension attributes via Graph. If it does, use the corresponding Exchange cmdlet (Set-Mailbox, Set-MailUser, etc.).

Another way to check is via the Get-User cmdlet, by filtering based on the RecipientTypeDetails value of "User":

    Get-User -RecipientTypeDetails User

Every user returned by the above should be OK to manage via Graph.
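
The routing described in the accepted answer, written out as an added PowerShell example (not code from the original post or from Microsoft): check each account with Get-Recipient first, then use Update-MgUser for accounts Exchange does not know about and the matching Set-* cmdlet for the rest. It assumes the Microsoft.Graph.Users and ExchangeOnlineManagement modules are installed and that Connect-MgGraph -Scopes 'User.ReadWrite.All' and Connect-ExchangeOnline have already been run; the function name and the sample UPNs are placeholders.

```powershell
# Added example, not from the original post. Assumes an existing
# Connect-MgGraph (User.ReadWrite.All) and Connect-ExchangeOnline session.

function Set-ExtensionAttribute2 {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [string]   $Value
    )

    foreach ($upn in $UserPrincipalName) {
        # Step 1: does Exchange Online consider this account a recipient?
        $recipient = Get-Recipient -Identity $upn -ErrorAction SilentlyContinue

        if (-not $recipient) {
            # Not an Exchange recipient: Graph owns the object, so Update-MgUser works.
            Update-MgUser -UserId $upn -OnPremisesExtensionAttributes @{ extensionAttribute2 = $Value }
            [pscustomobject]@{ User = $upn; Path = 'Graph (Update-MgUser)'; RecipientType = 'None' }
            continue
        }

        # Step 2: Exchange owns the object; CustomAttribute2 in Exchange is
        # the same value Graph exposes as extensionAttribute2.
        switch ($recipient.RecipientTypeDetails) {
            'MailUser'      { Set-MailUser -Identity $upn -CustomAttribute2 $Value; $path = 'Set-MailUser' }
            'UserMailbox'   { Set-Mailbox  -Identity $upn -CustomAttribute2 $Value; $path = 'Set-Mailbox' }
            'SharedMailbox' { Set-Mailbox  -Identity $upn -CustomAttribute2 $Value; $path = 'Set-Mailbox' }
            default {
                # Other recipient types (groups, contacts, ...) need their own Set-* cmdlet.
                Write-Warning "$upn is a $($recipient.RecipientTypeDetails); not changed"
                $path = 'Skipped'
            }
        }
        [pscustomobject]@{ User = $upn; Path = "Exchange ($path)"; RecipientType = "$($recipient.RecipientTypeDetails)" }
    }
}

# Constructed placeholder UPNs; replace with the real cloud-only accounts.
Set-ExtensionAttribute2 -UserPrincipalName 'alice@contoso.example', 'bob@contoso.example' -Value 'Finance'
```

The returned objects show which path each account took, which is also the quickest way to see why Update-MgUser was rejected for a given user.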

