Dynamic group with schema extensions on user objects?

Question

Dynamic group with schema extensions on user objects?

Keennon, Mike 126

We use schema extensions on user objects across multiple applications and would like to be able to build dynamic groups based on schema extension attribute values.

Note there are multiple types of extensions. I'm referring to Schema Extensions from https://learn.microsoft.com/en-us/graph/extensibility-overview. Not Open Extensions or on-premise AD extension attributes.

I see the option to "Get custom extension properties" by identifying an application ID. It appears this is for Open Extensions. I try using the applicationID of the application that owns the Schema Extension but no attributes are loaded. I try just scripting a rule using the attribute name user.<domain>_myschema.attribute but get message that property does not exist.

Is it possible to create a dynamic group based on Schema Extensions?

Deva-MSFT 2,271 Reputation points Microsoft Employee

2021-02-03T07:33:44.733+00:00

Adding right tags/teams to assist!!

Accepted answer

0 additional answers

Your answer

Deva-MSFT 2,271 Reputation points Microsoft Employee

2021-02-03T07:33:44.733+00:00

Adding right tags/teams to assist!!

Answer 1

Dan Kershaw 416 Microsoft Employee

@Keennon, Mike - unfortunately many Identity/Azure AD capabilities (dynamic membership, custom token claims, provisioning, change tracking) do not yet support schema extensions. You'll need to use Directory Extensions instead. It's a similar but earlier version of schema extensions but only for directory. Management of the directory extension definitions and extension values is also exposed through Microsoft Graph. See Create extensions.

We're also in the process of writing a topic that compares and contrasts the different extensibility options in Microsoft Graph, along with examples.

Hope this helps.

Keennon, Mike 126 Reputation points

2021-02-12T15:13:33.497+00:00

We are pretty much committed to Schema Extensions. Is the dynamic group capability for Schema Extensions anywhere on the roadmap?

What are the lifecycle plans for Schema Extensions vs Directory Extensions?
We thought using the latest capability was the best choice.
Would it make sense to switch to Directory Extensions for the long term?
I don't mean just for dynamic groups but for all the graph capabilities that can use custom attributes. Switching is painful so we want to make the right long term choice.

Would it make sense to do both and have duplicate attributes?

I know... lots of questions... but this is Q&A right?
Dan Kershaw 416 Reputation points Microsoft Employee

2021-02-12T16:34:43.927+00:00

We're working on a plan now for improvements to schema extensions, including support in all Identity features. However at this time, this work is not committed I'm sorry to say.

As such, the only recommendation I can make at this time is to use Directory Extensions (through Microsoft Graph), if support for the other identity features like dynamic memberships is key for your app. There are no plans AFAIK to deprecate support for Directory Extensions (through Microsoft Graph).

You could do both and keep them in sync - but that's kind of painful and doubly eats into one of the limits - https://learn.microsoft.com/en-us/graph/known-issues?context=graph%2Fapi%2F1.0&view=graph-rest-1.0#limit-of-100-schema-extension-property-values-allowed-per-resource-instance. But at least it might future proof you if we ever commit to the work I alluded to above.

Hope this helps - and yes it's Q & A :)

Share via

Dynamic group with schema extensions on user objects?

0 additional answers

Your answer