Can't edit extension attributes with graph-api

n1dy4t 51 Reputation points
2021-06-29T13:25:56.487+00:00

Hello,

I've been trying to solve this issue the past couple of days with little success.
Our users are located in Azure AD. Some of the older accounts were synchronized from our old on-prem AD
last year. The sync has since been deactivated and the users have been converted to Cloud-only users.

Important note: All users have extensionAttributes that we use to save data! The old users as well as the new ones.

The past days we've been trying to update the onPremisesExtensionAttributes through the Graph API. It works very well for users that we created fresh in Azure AD. But it doesn't work with the old synced users!

When I make an HTTP call editing an old account's onPremisesExtensionAttributes I get the following error:

"code": "Request_BadRequest",
"message": "Unable to update the specified properties for objects that have originated within an external service."

I've checked a lot. All users are displayed as Cloud-only users.
onPremisesSyncEnabled, onPremisesImmutableId and onPremisesLastSyncDateTime were cleared and are null.

Only onPremisesDomainName contains the old domain (with the synced accounts, not the newly created ones).

"onPremisesSyncEnabled": null,
"onPremisesImmutableId": null,
"onPremisesLastSyncDateTime": null,
"onPremisesDomainName": "xyz.com"

Am I missing anything? What else can I check?

I appreciate any help and time! Thanks.


Accepted answer
  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-07-02T02:38:36.897+00:00

    @n1dy4t If they were originally the on-prem users, the onPremisesExtensionAttributes attribute authority is Exchange, in which case MS Graph won't be able to fetch them.

    This behavior is expected by design. Updating OnPremisesExtensionAttributes through Graph is only possible for user objects that are, and have always been, managed and mastered in AAD.
    OnPremisesExtensionAttributes (AKA Exchange Custom Attributes 1-15) are mastered in AD (on-prem Active Directory) for synchronized users, and you will not be able to update these attributes through Graph.

    Even if a synchronized user is disconnected from AD and converted to managed, you will still not be able to update these attributes for those objects.
    The same limitation is applicable if the user is managed but is "Exchange Mastered" (i.e. objects that have been created in Exchange Online and subsequently synced to AAD).

    Try to check the custom attributes from the Exchange admin portal for those users.

    1 – Go to your admin portal:

    https://admin.microsoft.com/Adminportal#/homepage

    2 – On the left Tab, click “Show all” and, under “Admin Centers”, go to Exchange.

    3 – Here, select “recipients”, select one of your failing users and click the Edit button.


    4 – When the popup appears, click “More Options…” and edit the section of the Custom Attributes.


    You can also use the Exchange PowerShell module for this.

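The check-then-fall-back flow the accepted answer describes, written up as an added PowerShell example that is not part of the original thread. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, a placeholder UPN and value, and that the target user has an Exchange Online mailbox (Set-Mailbox only applies to mail-enabled recipients).

```powershell
# Added example, not from the original thread. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules; the caller needs User.ReadWrite.All (Graph)
# and Exchange recipient-management rights. UPN and value are placeholders.
param(
    [string]$UserPrincipalName = 'jane.doe@contoso.example',
    [ValidateRange(1, 15)][int]$AttributeNumber = 1,
    [string]$Value = 'CostCenter-4711'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null

# 1. Inspect the authority-related properties the question lists. A non-null
#    onPremisesDomainName next to null sync fields is the pattern from the question.
$user = Get-MgUser -UserId $UserPrincipalName -Property @(
    'id', 'userPrincipalName', 'onPremisesSyncEnabled', 'onPremisesImmutableId',
    'onPremisesDomainName', 'onPremisesExtensionAttributes')
$user | Select-Object UserPrincipalName, OnPremisesSyncEnabled,
    OnPremisesImmutableId, OnPremisesDomainName | Format-List

# 2. Try the Graph PATCH first; it only succeeds for always-cloud-mastered users.
$attrName = "extensionAttribute$AttributeNumber"
try {
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)" `
        -Body @{ onPremisesExtensionAttributes = @{ $attrName = $Value } } `
        -ErrorAction Stop
    Write-Host "Updated $attrName via Graph."
}
catch {
    # Match the Request_BadRequest text quoted in the question; rethrow anything else.
    $msg = "$($_.ErrorDetails.Message) $($_.Exception.Message)"
    if ($msg -notmatch 'originated within an external service') { throw }

    # 3. The attribute is AD/Exchange-mastered: write it where it is mastered.
    Write-Warning "Graph refused the update ($attrName is not cloud-mastered); using Exchange Online."
    Connect-ExchangeOnline -ShowBanner:$false
    $params = @{ Identity = $UserPrincipalName; "CustomAttribute$AttributeNumber" = $Value }
    Set-Mailbox @params

    # Verify on the Exchange side; Graph reflects the value after its own replication.
    Get-Mailbox -Identity $UserPrincipalName |
        Select-Object DisplayName, "CustomAttribute$AttributeNumber" | Format-List
}
```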

1 additional answer

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2021-06-29T17:11:46.88+00:00

    Do they have an ImmutableId value (onPremisesImmutableId)? If so, try clearing that.
