Powershell Command to retrieve extension attributes of a locally logged on Azure AD user

DRW-GLF 96 Reputation points
2021-03-23T22:41:20.1+00:00

Hi, We currently use a PowerShell script that retrieves device and user information and then creates a system tray icon to allow users to check things like their computer name, email address and printer PIN code easily. In order to allow users to get extended information about their AD account without using the Active Directory PowerShell module, or having admin rights, we currently use the following command:

$ADUserObj = ([ADSISearcher]"(&(objectCategory=User)(SamAccountName=$env:USERNAME))").FindAll().Properties

Now this works fine for AD users, however we are moving more devices to Intune / AzureAD and this method does not work for AzureAD users on a local device. I have tried to use the Get-LocalUser approach, however AAD users are not considered local so do not show in any results. Accessing the user's UPN is possible via whoami or the registry - but the 2 extension attributes Pager and employeeNumber are the ones I am really after. I cannot seem to find any information on how to grab these details from the local AAD account though. If I run the following command against the user as an Azure admin:

(Get-AzureADUser -SearchString $user).ToJson()

Then I can see that these attributes are present in AAD and are syncing; but I cannot figure out a way to get them once they are on a local device. Any suggestions on which method / approach is best to find these attributes would be much appreciated. I am open to different methods (e.g. reading the registry / WMI etc); the only requirement I have is that it needs to be able to be run by a non-admin user silently in the background without requiring additional PS modules to be installed.


Accepted answer
  1. DRW-GLF 96 Reputation points
    2021-05-26T15:40:00.577+00:00

    Hi,

    The eventual solution for this I ended up implementing was to:

    1. Create an Azure AD service user account with Directory Reader permissions only
    2. Create a new script that runs as a scheduled task (under system context) on logon that connects to Azure AD PS using the service account (credentials are encrypted to a key file and kept in a hidden folder which only admins can access) - this script checks the UPN of the current logged on user and uses the commands that @MarileeTurscak recommended to output the value of the attribute we want to a file in the local user's account
    3. The original script now uses an IF statement; if it detects that it is on a domain it uses the ADSI command in the original post; if it is not on a domain it looks for the value in the text file outputted in step 2.

    Note: The script uses a local exported copy of the AzureAD PS module to cut out the need for background downloading; this is also stored away in a folder that non-admins can't access.

    Seems to work OK so far (been out in the wild for about a week). If I do discover any issues with this method I'll update this post accordingly.

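The two halves of the accepted procedure, sketched in Windows PowerShell as an added example (this is not the poster's script): Script A is the SYSTEM-context logon task from step 2, Script B is the domain / non-domain branch from step 3. The folder paths, the service account UPN, the key/credential file layout and the registry lookups used to turn the logged-on user into a UPN and profile folder are assumptions.

```powershell
# Script A: logon-triggered scheduled task running as SYSTEM (paths and account are hypothetical).
# Everything under $secureDir is readable by SYSTEM and Administrators only; that ACL, not the
# symmetric encryption, is what keeps the service account password away from standard users.
function Export-AadAttributesForLoggedOnUser {
    $secureDir = 'C:\ProgramData\Contoso\AadLookup'
    Import-Module (Join-Path $secureDir 'AzureAD\AzureAD.psd1')   # locally exported module copy

    # Interactive user as seen from SYSTEM ("AzureAD\Name" or "DOMAIN\sam"), translated to a SID
    $name = (Get-CimInstance Win32_ComputerSystem).UserName
    $sid  = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    # UPN from the identity cache and profile folder from ProfileList (assumed registry layout
    # on Azure AD-joined devices)
    $upn        = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\$sid\IdentityCache\$sid").UserName
    $profileDir = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid").ProfileImagePath

    # Password stored earlier with ConvertFrom-SecureString -Key; the key file is the real secret
    $key  = [byte[]](Get-Content (Join-Path $secureDir 'svc.key') -Encoding Byte)
    $pw   = Get-Content (Join-Path $secureDir 'svc.cred') | ConvertTo-SecureString -Key $key
    $cred = New-Object System.Management.Automation.PSCredential('svc-dirreader@contoso.com', $pw)
    Connect-AzureAD -Credential $cred | Out-Null
    try {
        $id = (Get-AzureADUser -ObjectId $upn).ObjectId            # -ObjectId also accepts a UPN
        # Only extension attributes that have a value are returned; dump them for the user to read
        Get-AzureADUserExtension -ObjectId $id | ConvertTo-Json -Depth 3 |
            Set-Content (Join-Path $profileDir 'aad-attributes.json')
    } finally { Disconnect-AzureAD }
}

# Script B: the tray script, running as the standard user; the IF statement from step 3.
function Get-UserDirectoryAttributes {
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        # Domain-joined: same ADSI lookup as the original post, no AD module or admin rights needed
        $p   = ([ADSISearcher]"(&(objectCategory=User)(sAMAccountName=$env:USERNAME))").FindOne().Properties
        $val = { param($n) if ($p.Contains($n)) { [string]$p[$n][0] } else { '' } }
        return [pscustomobject]@{ Source = 'AD'; Pager = & $val 'pager'; EmployeeNumber = & $val 'employeenumber' }
    }
    # Azure AD-joined: read what Script A left in the profile; absent until the task has run once
    $file = Join-Path $env:USERPROFILE 'aad-attributes.json'
    if (-not (Test-Path $file)) { return $null }
    $json = Get-Content $file -Raw | ConvertFrom-Json
    # Attribute names in $json depend on what the tenant syncs; check them with Get-AzureADUserExtension
    return [pscustomobject]@{ Source = 'AAD'; Attributes = $json }
}
```

Script A needs Windows PowerShell 5.1 (the AzureAD module and `-Encoding Byte` are not available in PowerShell 7), and the JSON file is only as trustworthy as the profile folder it sits in, so the tray script should treat it as display data rather than as an authorization input.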

1 additional answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-04-02T20:08:03.107+00:00

    This article goes through the available commands to retrieve extension attributes. As far as I am aware, like you said you need to use an Azure AD admin account to retrieve these.

    There's also Get-AzureADUserExtension, which "retrieves all extension attributes that have a value assigned to them for the user identified by $UserId." https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureaduserextension?view=azureadps-2.0

    PS C:\> $UserId = (Get-AzureADUser -Top 1).ObjectId  
    PS C:\> Get-AzureADUserExtension -ObjectId $UserId  
    

    And there is the graph query for getting the signed in user info, but it only returns a limited number of properties.

    It looks like what you are requesting would not be available out of the box.

