ActiveDirectory - custom attribute addition

santhosh SME 0 Reputation points
2026-04-16T13:06:10.85+00:00

Hello Team,

We would like to add a custom attribute in AD, and those attributes also have to sync with Entra ID using Entra ID Connect. The attribute will be added in AD, then in Entra ID we have to add the attribute to sync to Entra ID. Do we need to create any other rules apart from this? Could you also share a reference blog or the steps for this? This attribute will be used by a few apps like Workday, etc.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

3 answers

  1. Jason Nguyen Tran 17,430 Reputation points Independent Advisor
    2026-04-26T00:55:11.7+00:00

    Hi santhosh SME,

    I’m following up to check whether the issue has been resolved. Feel free to reply if you need further information. If the information provided was helpful, please click "Accept Answer" to help others in the community. Thank you!


  2. Jason Nguyen Tran 17,430 Reputation points Independent Advisor
    2026-04-16T14:01:19.41+00:00

    Hi santhosh SME,

    The good news is that this is possible, but there are a few important steps to follow. First, you’ll need to extend the AD schema to add the custom attribute. Once the attribute exists in AD, you can configure Entra ID Connect to include it in the synchronization process. This usually involves creating or editing a synchronization rule so that the attribute flows from AD to Entra ID.

    In most cases, you don’t need to create additional rules beyond mapping the attribute correctly, but you should verify that the attribute is marked as “directory sync enabled” and that it’s included in the outbound rules. If the attribute will be consumed by applications like Workday, make sure it’s exposed in Entra ID and available in the app’s claims or provisioning configuration. Testing the sync in a lab environment first is always a good idea.

    Microsoft has documentation and blogs that walk through the process of extending the schema and configuring Entra ID Connect rules. I recommend reviewing the official Entra ID Connect custom attribute sync guide, which provides step‑by‑step instructions and examples. This will help ensure you don’t miss any prerequisites, such as permissions or schema updates.

    I hope this gives you a clear direction. If you find this answer helpful, please consider clicking Accept Answer so others can benefit too.

    Jason.


  3. Q&A Assist
    2026-04-16T13:06:36.3233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To sync a new custom attribute from on-premises Active Directory (AD) to Microsoft Entra ID and make it usable by apps like Workday, the high-level steps are:

    1. Add the custom attribute in on-premises AD
      • Extend the AD schema and add the new attribute to the user (or group/contact) object class as required.
      • Populate the attribute for the relevant objects.
    2. Expose the attribute as a directory extension in Microsoft Entra ID
      With Microsoft Entra Connect cloud sync, custom on-prem attributes are surfaced as directory extensions in Entra ID:
      • Ensure the attribute is added to the AD schema and visible on user objects.
      • In the Microsoft Entra admin center, go to Entra ID > Entra Connect > Cloud sync and open your AD to Microsoft Entra configuration.
      • Go to Attribute mapping and select the correct object type (for example, user).
      • Select Add attribute mapping. Cloud sync will discover extended AD attributes so they appear in the Source attribute drop-down.
      • Choose the new AD attribute as the Source attribute and map it to a directory extension (or another target attribute) in Entra ID.
      • Choose mapping type (Direct is typical for a 1:1 copy) and when to apply (Always or Only during creation).
      • Select Apply.
      For directory extensions specifically:
      • When you extended AD, those attributes can be selected as directory extensions and mapped to users via Add attribute mapping. Once mapped, they are available on the Entra user object as extension properties and can be consumed by downstream apps.
    3. Confirm the attribute is present in Entra ID
      • After sync runs, verify that the attribute value appears on the Entra user object (for example, via Microsoft Graph using the user resource type and its extension properties).
      • If the attribute is created via Graph or PowerShell instead of AD, use the documented methods such as Create extensionProperty or New-MgApplicationExtensionProperty to define the extension in Entra ID, then map it using cloud sync.
    4. Use the attribute in downstream apps (for example, Workday, other SaaS apps)
      • In any provisioning configuration where Entra ID is the source (for example, provisioning from Entra ID to an application), edit user attribute mappings for that app.
      • The extension attribute will appear in the Source attribute list in the format <attributename> (extension_<appID>_<attributename>).
      • Map this source attribute to the target app attribute.
      • Ensure users assigned to the app have the attribute populated before enabling or running provisioning.
    5. Additional rules or configuration
      • Beyond the attribute mapping itself, no extra sync rules are strictly required if the attribute is already in AD and you simply want to flow it to Entra ID. The key items are:
        • Attribute exists and is populated in AD.
        • Attribute is selected as a directory extension (if needed) and mapped in cloud sync.
        • For apps like Workday or others, configure their provisioning mappings to use the new Entra extension attribute as a source.
      • If the attribute originates in an HR system (like Workday) and flows into AD or Entra ID, configure the HR-to-AD or HR-to-Entra mappings accordingly, then let Entra Connect/cloud sync propagate it.

    For your scenario (AD → Entra ID → apps like Workday), the critical steps are: extend AD, configure cloud sync attribute mapping (AD to Entra ID), verify the extension on the Entra user, then configure each application’s provisioning mappings to consume that extension.


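A check for step 3 of the Q&A Assist answer above, added here as an example and not part of any answer in the thread: it builds the `extension_<appID>_<attributename>` name and reports, per user, whether the AD value and the Entra ID extension value agree. The attribute name `contosoCostCenter`, the all-zero app ID and the sample users are constructed placeholders; the two function names are hypothetical.

```powershell
# Added example: names and sample values below are constructed placeholders.
function Get-ExtensionPropertyName {
    param([Parameter(Mandatory)][string]$AppId,
          [Parameter(Mandatory)][string]$AttributeName)
    # Graph names directory extensions extension_<appId without dashes>_<name>.
    'extension_{0}_{1}' -f ($AppId -replace '-', ''), $AttributeName
}

function Compare-SyncedAttribute {
    param([Parameter(Mandatory)][object[]]$AdUsers,     # need UserPrincipalName + the AD attribute
          [Parameter(Mandatory)][hashtable]$EntraUsers, # UPN -> hashtable of Entra properties
          [Parameter(Mandatory)][string]$AttributeName,
          [Parameter(Mandatory)][string]$ExtensionName)
    foreach ($u in $AdUsers) {
        $adValue = $u.$AttributeName
        $entra   = $EntraUsers[$u.UserPrincipalName]
        $cloud   = if ($null -ne $entra) { $entra[$ExtensionName] } else { $null }
        $status  = if ($null -eq $entra) { 'NotInEntra' }
                   elseif ([string]::IsNullOrEmpty($adValue) -and $null -eq $cloud) { 'EmptyInBoth' }
                   elseif ($null -eq $cloud) { 'MissingInEntra' }   # mapping absent or sync not run yet
                   elseif ($cloud -ceq $adValue) { 'InSync' }
                   else { 'Mismatch' }
        [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; ADValue = $adValue
                           EntraValue = $cloud; Status = $status }
    }
}

$attr = 'contosoCostCenter'   # hypothetical custom AD attribute
$ext  = Get-ExtensionPropertyName -AppId '00000000-0000-0000-0000-000000000000' -AttributeName $attr

# Constructed sample data. Against a live environment, fill these from:
#   Get-ADUser -Filter * -Properties $attr
#   (Get-MgUser -UserId $upn -Property "userPrincipalName,$ext").AdditionalProperties[$ext]
$adUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; contosoCostCenter = 'CC-100' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   contosoCostCenter = 'CC-200' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; contosoCostCenter = 'CC-300' }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  contosoCostCenter = $null }
)
$entraUsers = @{
    'alice@contoso.example' = @{ $ext = 'CC-100' }   # synced
    'bob@contoso.example'   = @{ $ext = 'CC-250' }   # stale or overwritten value
    'carol@contoso.example' = @{ }                   # user synced, extension not populated
    'dave@contoso.example'  = @{ }                   # nothing to sync
}

Compare-SyncedAttribute -AdUsers $adUsers -EntraUsers $entraUsers `
    -AttributeName $attr -ExtensionName $ext | Format-Table -AutoSize
```

Running the comparison before enabling app provisioning surfaces users whose extension is missing or stale, which is the precondition step 4 of that answer asks for.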
