What is the user.ExtensionAttribute1-15 available as a source attribute in Azure AD SAML? How do I populate it?

Appleoddity 101 Reputation points
2021-07-09T22:09:22.47+00:00

Seems like a simple answer. The Microsoft documentation says this:

Extension Attributes 1-15: On-premises extension attributes used to extend the Azure AD Schema.

Well, that sounds peachy, but there is zero documentation on how I populate those specific attributes from my on-premise AD. I do not see these particular attributes in my on-premise AD.

Instead, I find numerous references for creating new custom attributes which are called "directory extensions." The process is discussed here. However, the documentation linked above makes a distinct difference between "Directory extensions," which involve extending the AD schema and modifying our Azure AD Connect settings, and "Extension Attributes 1-15." Yet, I find only how to create directory extensions.

So, how do I populate user.ExtensionAttribute1-15 from on-prem AD?


2 answers

  1. Appleoddity 101 Reputation points
    2021-07-09T22:37:58.037+00:00

    It appears that "ExtensionAttribute1" through "ExtensionAttribute15" are Microsoft Exchange AD attributes. If you're not running hybrid / on-prem Microsoft Exchange, these attributes do not exist in the on-prem AD schema. However, they can be seen in Exchange Online when editing a recipient's mailbox settings (under 'More Options').

    If you are syncing your on-premise AD to Office 365 with Azure AD Connect, then these attributes are synchronized automatically (if they exist). However, you cannot modify these values in Exchange Online when you are syncing your on-prem AD. Therefore, they are not usable if you are not running a hybrid / on-prem Exchange scenario, unless you manually extend the on-prem AD schema to include them.

    I will instead have to choose different attributes and turn on directory extension syncing in Azure AD Connect as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

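The answer above turns on a schema question: extensionAttribute1 through extensionAttribute15 only exist in on-premises AD if the Exchange schema extension has been applied, and Azure AD Connect can only sync what the schema defines. The following PowerShell is an added example, not code from the answer or from Microsoft, that checks the forest schema for those attributes and, only if they are present, reads them for one user. It assumes the ActiveDirectory RSAT module on a domain-joined machine; the function names and the user name 'jdoe' are placeholders.

```powershell
Import-Module ActiveDirectory

function Test-ExchangeExtensionAttributes {
    # Returns an ordered hashtable: extensionAttributeN -> $true when the attribute
    # is defined in the forest schema (i.e. the Exchange schema extension was applied).
    param([int]$First = 1, [int]$Last = 15)

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $present  = [ordered]@{}
    foreach ($i in $First..$Last) {
        $name = "extensionAttribute$i"
        # Attributes live in the schema partition as attributeSchema objects;
        # lDAPDisplayName is the name Azure AD Connect and ADUC show.
        $attr = Get-ADObject -SearchBase $schemaNc `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))"
        $present[$name] = [bool]$attr
    }
    return $present
}

function Get-UserExtensionAttributes {
    # Reads extensionAttribute1..15 for one user. Call this only after
    # Test-ExchangeExtensionAttributes confirms the attributes exist, because
    # Get-ADUser -Properties fails on an attribute the schema does not define.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$First = 1,
        [int]$Last  = 15
    )

    $names  = foreach ($i in $First..$Last) { "extensionAttribute$i" }
    $user   = Get-ADUser -Identity $SamAccountName -Properties $names
    $values = [ordered]@{}
    foreach ($n in $names) { $values[$n] = $user.$n }
    return $values
}

# Usage ('jdoe' is a placeholder account name)
$present = Test-ExchangeExtensionAttributes
$missing = @($present.Keys | Where-Object { -not $present[$_] })
if ($missing.Count -gt 0) {
    Write-Host "Not defined in the schema (no Exchange schema extension): $($missing -join ', ')"
} else {
    Get-UserExtensionAttributes -SamAccountName 'jdoe'
}
```

If the first function reports the attributes as missing, the path the answer describes applies: pick other on-prem attributes and enable directory extension syncing in Azure AD Connect, rather than expecting user.ExtensionAttribute1-15 to be populated.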

  2. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2021-07-12T03:26:22.337+00:00

    Hi @Appleoddity. If you want to use the extension attribute only for cloud-only users, you may consider extending the Azure AD Schema.

    Please refer to my blog post Azure AD Schema extension for users in 10 easy steps.

    Once the schema is extended and a value is assigned to the extension attribute, you can use a claims mapping policy to pass the extension attribute as a claim in the SAML token.

    In the example below, I am using the ExtID extension attribute, which is always in the extension_<App ID of app-for-schema-extension>_attributeName format.

     New-AzureADPolicy -Definition @('{
         "ClaimsMappingPolicy": {
             "Version": 1,
             "IncludeBasicClaimSet": "true",
             "ClaimsSchema": [
                 {
                     "Source": "user",
                     "ExtensionID": "extension_a90abxxxxxxxxxxxxxa5f1072c3810bc_ExtID",
                     "SamlClaimType": "http://schemas.microsoft.com/identity/claims/ExtID",
                     "JwtClaimType": "ExtID"
                 },
                 {
                     "Source": "user",
                     "ID": "onpremisessamaccountname",
                     "SamlClaimType": "samaccountname",
                     "JwtClaimType": "samAccountName"
                 },
                 {
                     "Source": "user",
                     "ID": "department",
                     "SamlClaimType": "http://schemas.microsoft.com/identity/claims/department",
                     "JwtClaimType": "department"
                 }
             ]
         }
     }') -DisplayName "MyClaimsPolicy" -Type "ClaimsMappingPolicy"
     Add-AzureADServicePrincipalPolicy -Id <Object ID of Enterprise App> -RefObjectId <object ID of the Policy created above>


    Note: Once a claims mapping policy is assigned using PowerShell, you cannot map claims using the Azure Portal.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
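The moderator's policy hard-codes the extension name, and the note warns that the portal stops offering claim editing once the policy is assigned. The following PowerShell is an added example, not the moderator's code or Microsoft's, that derives the extension_<AppId>_<name> identifier from the schema-extension app's ID (the GUID with dashes removed, as Azure AD names directory extensions), builds the same kind of ClaimsMappingPolicy definition, assigns it with the AzureAD module cmdlets used in the answer, and reads the result back so the assignment and the user's attribute value can be verified. It assumes an existing Connect-AzureAD session; the function names, the all-zero app ID, the service principal object ID and the test UPN are placeholders.

```powershell
function Get-ExtensionClaimName {
    # Builds the name Azure AD gives a directory schema extension:
    # extension_<application ID without dashes>_<attribute name>.
    param(
        [Parameter(Mandatory)][string]$SchemaExtensionAppId,  # application (client) ID of the app that owns the extension
        [Parameter(Mandatory)][string]$AttributeName
    )
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($SchemaExtensionAppId, [ref]$guid)) {
        throw "SchemaExtensionAppId must be the application (client) ID GUID of the schema-extension app"
    }
    # 'N' format = 32 hex digits, no dashes, which is how the extension property is named.
    return "extension_$($guid.ToString('N'))_$AttributeName"
}

function New-ExtensionClaimsPolicyDefinition {
    # Produces the JSON string that New-AzureADPolicy expects in -Definition,
    # with one claim sourced from the directory extension.
    param(
        [Parameter(Mandatory)][string]$ExtensionId,
        [Parameter(Mandatory)][string]$ClaimName
    )
    $policy = [ordered]@{
        ClaimsMappingPolicy = [ordered]@{
            Version              = 1
            IncludeBasicClaimSet = "true"
            ClaimsSchema         = @(
                [ordered]@{
                    Source        = "user"
                    ExtensionID   = $ExtensionId
                    SamlClaimType = "http://schemas.microsoft.com/identity/claims/$ClaimName"
                    JwtClaimType  = $ClaimName
                }
            )
        }
    }
    return ($policy | ConvertTo-Json -Depth 5)
}

# Placeholders: the schema-extension app's application ID and the enterprise app's
# service principal object ID.
$extensionId = Get-ExtensionClaimName -SchemaExtensionAppId '00000000-0000-0000-0000-000000000000' -AttributeName 'ExtID'
$definition  = New-ExtensionClaimsPolicyDefinition -ExtensionId $extensionId -ClaimName 'ExtID'
$spObjectId  = '<Object ID of Enterprise App>'

$policy = New-AzureADPolicy -Definition @($definition) -DisplayName 'MyClaimsPolicy' -Type 'ClaimsMappingPolicy'
Add-AzureADServicePrincipalPolicy -Id $spObjectId -RefObjectId $policy.Id

# Verify the assignment: this list is what now governs the app's claims instead of the portal.
Get-AzureADServicePrincipalPolicy -Id $spObjectId | Select-Object DisplayName, Type

# Verify the extension attribute holds a value for a test user (placeholder UPN);
# a user with no value here will not get the ExtID claim populated.
$userExt = Get-AzureADUserExtension -ObjectId 'testuser@contoso.onmicrosoft.com'
$userExt[$extensionId]
```

Keeping the extension name computed rather than typed avoids the most common failure with this policy, a silently wrong ExtensionID that yields a token without the claim, and the two read-back calls at the end give a reproducible check to run after any change, since the portal view is no longer authoritative once the policy is assigned.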

