Why is it not possible to update extension attributes of former hybrid users via Graph API?

Question

Why is it not possible to update extension attributes of former hybrid users via Graph API?

Lehmann, Oliver 20

We want to update extension attributes (extensionAttribute1 … extensionAttribute15) via Graph API but on a specific set of users we get the following error message:

User's image

In our tenant are two different types of users:

Native cloud users
Former hybrid users that were fully migrated to cloud users (approved by Microsoft support)

The latter look like this in Entra ID and their extension attributes can not be updated via Graph API:
User's image

According to Graph API documentation: "If a cloud-only user was previously synced from on-premises Active Directory, these properties can't be managed via the Microsoft Graph API. Instead, they can be managed through the Exchange Admin Center or the Exchange Online V2 module in PowerShell."
https://learn.microsoft.com/en-us/graph/api/resources/onpremisesextensionattributes?view=graph-rest-1.0

So there is a workaround but you have to use another module (Exchange Online V2) and manually check each user before updating if they are native cloud users or former hybrid users.

Why does this limitation exist for fully migrated cloud users? Should these users not act like native cloud users? Is it possible to remove this limitation so we can handle all cloud users (native and migrated) identically?

Thank you very much in advance for an answer.

Kind regards

Accepted answer

1 additional answer

Your answer

Answer 1

Vasil Michev 115.6K MVP

"Because Microsoft hasn't put the work into enabling this scenario" is the best answer I can give you. The are several hybrid/source of authority scenarios they need to address, but progress on that front is being made very slowly (it is a complex task).

In addition, said attributes have traditionally been part of the Exchange schema, thus are not "native" to Entra/Graph API. So for the time being, you need to use ExO PowerShell to manage them.

Lehmann, Oliver 20 Reputation points

2024-08-02T09:02:00.0933333+00:00

Thank you @Vasil Michev for your answer.

That’s precisely what I was apprehensive about. Do you think there will be a chance that Microsoft will ever implement this feature in Graph API? The limitations of ExO PowerShell module (3 sessions per account, 5 sessions per tenant) are causing us issues.

Because of these limitations we opened a Microsoft support ticket. Following the suggestion from Microsoft Support, I submitted this request.
Vasil Michev 115.6K Reputation points MVP

2024-08-02T12:29:06.4233333+00:00

Microsoft has repeatedly stated that they acknowledge these gaps and are looking for address then, but they've also reiterated on the difficulties involved in the process... so it's not something that going to happen overnight.

In any case, support should not be passing you around like that, and do their job instead. If they meant submitting a feature request, the place to do that is over at the Feedback portal: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789
Lehmann, Oliver 20 Reputation points

2024-08-02T14:03:04.4966667+00:00

I fully understand. That's nothing you change overnight because ther are a lot of dependencies to be considered.

Thank you very much for your quick responses. Since I did not find such a feature request in the Feedback portal I created a new one: https://feedback.azure.com/d365community/idea/51542dea-d550-ef11-b4ad-000d3add4ccc

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Why is it not possible to update extension attributes of former hybrid users via Graph API?

1 additional answer

Your answer