Syncing extension attributes for Azure Active Directory Application Provisioning
Azure Active Directory (Azure AD) must contain all the data (attributes) required to create a user profile when provisioning user accounts from Azure AD to a SaaS app or on-premises application. When customizing attribute mappings for user provisioning, you might find the attribute you want to map doesn't appear in the Source attribute list. This article shows you how to add the missing attribute.
Determine where the extensions need to be added
Adding missing attributes needed for an application will start in either on-premises Active Directory or in Azure AD, depending on where the user accounts reside.
First, identify which users in your Azure AD tenant will need access to the application and therefore are going to be in scope of being provisioned into the application.
Note
For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using Azure AD Connect or Azure AD Connect cloud sync. Both of these solutions automatically synchronize certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as sAMAccountName) that are synchronized by default might not be exposed through the Graph API. In these cases, use the Azure AD Connect directory extension feature, or an Azure AD Connect cloud sync attribute mapping, to synchronize the attribute to Azure AD. That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.
- Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they are not, extend the AD DS schema in the domains where those users have accounts.
- Configure Azure AD Connect or Azure AD Connect cloud sync to synchronize the users, together with their extension attribute, from Active Directory to Azure AD. Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as sAMAccountName) that are synchronized by default might not be exposed through the Graph API. In these cases, you can use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD. That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.
- If the users in on-premises Active Directory do not already have the required attributes, you will need to update the users in Active Directory. This can be done by reading the properties from Workday or SAP SuccessFactors, or, if you are using a different HR system, by using Microsoft Identity Manager (MIM).
- Wait for Azure AD Connect to synchronize those updates you made in the Active Directory schema and the Active Directory users into Azure AD.
Alternatively, if none of the users that will need access to the application originate in on-premises Active Directory, then you will need to create schema extensions using PowerShell or Microsoft Graph in Azure AD, before configuring provisioning to your application.
Next, if one or more of the users that will need access to the application do not originate in on-premises Active Directory, then you will need to populate those cloud users in Azure AD with the required attribute, before enabling provisioning to your application. There are four ways to populate the users in bulk:
- If the properties originate in a cloud HR system, you can configure Azure AD to read the properties from Workday or SAP SuccessFactors.
- If the properties originate in an on-premises system, you can configure the MIM Connector for Microsoft Graph to create or update Azure AD users.
- If the properties originate from the users themselves, then you can ask the users to supply the values of the attribute when they request access to the application, by including the attribute requirements in entitlement management catalog.
- For all other situations, a custom application can update the users via the Microsoft Graph API.
The following sections outline how to create extension attributes for a tenant with cloud only users, and for a tenant with Active Directory users.
Create an extension attribute in a tenant with cloud only users
You can use Microsoft Graph or PowerShell to extend the user schema for users in Azure AD. This is the right approach when none of the users who need the attribute originate in on-premises Active Directory. (If those users do come from Active Directory, continue reading below in the section on how to use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD.)
Once schema extensions are created, these extension attributes are automatically discovered when you next visit the provisioning page in the Azure portal, in most cases.
When you have more than 1000 service principals, you may find extensions missing in the source attribute list. If an attribute you've created doesn't automatically appear, first verify that it was created, using Microsoft Graph and Graph Explorer, and then add it manually to your schema as described in Editing the list of supported attributes.
Create an extension attribute for cloud only users using Microsoft Graph
You can extend the schema of Azure AD users using Microsoft Graph.
First, list the applications in your tenant to get the object ID (the id property) of the application you're working on. To learn more, see List applications.
GET https://graph.microsoft.com/v1.0/applications
Next, create the extension attribute. Replace {id} below with the id retrieved in the previous step. You'll need to use the application's id (its object ID) and not its appId (client ID); requesting /applications/{appId}/extensionProperties returns a not-found error. To learn more, see Create extensionProperty.
POST https://graph.microsoft.com/v1.0/applications/{id}/extensionProperties
Content-type: application/json
{
    "name": "extensionName",
    "dataType": "String",
    "targetObjects": [
        "User"
    ]
}
The previous request created an extension attribute whose fully qualified name, returned in the name property of the response, has the format extension_{appId}_{extensionName}, where {appId} is the application's appId (client ID) with the hyphens removed. Use that returned name in the following requests. You can now update a user with this extension attribute. To learn more, see Update user.
PATCH https://graph.microsoft.com/v1.0/users/{id}
Content-type: application/json
{
    "extension_inputAppId_extensionName": "extensionValue"
}
Finally, verify the attribute for the user. To learn more, see Get a user.
GET https://graph.microsoft.com/v1.0/users/{id}?$select=displayName,extension_inputAppId_extensionName
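As an added example (not code from the original page), the following Python script walks the three Graph requests above end to end. It runs offline against a constructed in-memory stand-in for Graph; the application object id, appId and user id are made-up values, and the alphanumeric check on the extension name is the example's own assumption rather than a documented Graph rule. The flow takes the fully qualified attribute name from the POST response instead of rebuilding it, and it fails loudly when the POST URL is built with the appId instead of the application object id, which is the most common mistake with this procedure.

```python
import re
from typing import Callable, Dict, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"


def extension_attribute_name(app_id: str, name: str) -> str:
    """Directory extensions surface on users as extension_{appId}_{name},
    where appId is the application's client ID with the hyphens removed
    (not the application object id used in the POST URL). The alphanumeric
    guard on `name` is this example's own assumption about acceptable names."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        raise ValueError(f"extension name must be alphanumeric: {name!r}")
    return f"extension_{app_id.replace('-', '')}_{name}"


class FakeGraph:
    """Constructed in-memory stand-in for the Graph calls the flow uses, so the
    example runs offline. It holds one application and one user and mimics the
    status codes Graph returns for these operations."""

    def __init__(self, app_object_id: str, app_id: str, user_id: str):
        self.app_object_id = app_object_id
        self.app_id = app_id
        self.users = {user_id: {"id": user_id, "displayName": "Test User"}}
        self.extensions: Dict[str, dict] = {}  # qualified name -> extensionProperty

    def request(self, method: str, url: str, body: Optional[dict] = None) -> Tuple[int, Optional[dict]]:
        path, _, query = url[len(GRAPH):].partition("?")
        parts = path.strip("/").split("/")
        if parts == ["applications", self.app_object_id, "extensionProperties"]:
            if method == "POST":
                full = extension_attribute_name(self.app_id, body["name"])
                ext = {"name": full, "dataType": body["dataType"],
                       "targetObjects": body["targetObjects"]}
                self.extensions[full] = ext
                return 201, ext
            if method == "GET":
                return 200, {"value": list(self.extensions.values())}
        if parts[:1] == ["users"] and len(parts) == 2 and parts[1] in self.users:
            user = self.users[parts[1]]
            if method == "PATCH":
                unknown = {k for k in body if k.startswith("extension_") and k not in self.extensions}
                if unknown:
                    # A PATCH naming a property the schema does not have is rejected.
                    return 400, {"error": {"code": "Request_BadRequest",
                                           "message": f"unknown properties {sorted(unknown)}"}}
                user.update(body)
                return 204, None
            if method == "GET":
                selected = [p.split("=", 1)[1] for p in query.split("&") if p.startswith("$select=")]
                if selected:
                    return 200, {k: user.get(k) for k in selected[0].split(",")}
                return 200, dict(user)
        # Anything else, including /applications/{appId}/... built with the
        # client ID instead of the object id, is not found.
        return 404, {"error": {"code": "Request_ResourceNotFound"}}


def provision_extension(request: Callable, app_object_id: str, ext_name: str,
                        user_id: str, value: str) -> Tuple[str, dict]:
    """Create the extensionProperty on the application object, set it on one
    user, and read it back with $select. `request(method, url, body)` must
    return (status, json); pass FakeGraph.request here, or a thin wrapper over
    a real HTTP client that adds the bearer token."""
    status, created = request(
        "POST",
        f"{GRAPH}/applications/{app_object_id}/extensionProperties",
        {"name": ext_name, "dataType": "String", "targetObjects": ["User"]},
    )
    if status != 201:
        raise RuntimeError(f"extensionProperty not created ({status}): check that "
                           f"{app_object_id} is the application object id, not its appId")
    attr = created["name"]  # fully qualified extension_{appId}_{name} from the response
    status, err = request("PATCH", f"{GRAPH}/users/{user_id}", {attr: value})
    if status != 204:
        raise RuntimeError(f"user update failed ({status}): {err}")
    status, user = request("GET", f"{GRAPH}/users/{user_id}?$select=displayName,{attr}")
    if status != 200 or user.get(attr) != value:
        raise RuntimeError(f"readback mismatch ({status}): {user}")
    return attr, user


if __name__ == "__main__":
    APP_OBJECT_ID = "11111111-2222-3333-4444-555555555555"  # constructed value
    APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeffff"         # constructed value
    USER_ID = "0ccf8df6-62f1-4175-9e55-73da9e742690"        # constructed value
    graph = FakeGraph(APP_OBJECT_ID, APP_ID, USER_ID)
    print(provision_extension(graph.request, APP_OBJECT_ID, "TestAttributeName", USER_ID, "extensionValue"))
```

To run this against a real tenant, replace FakeGraph.request with a function that sends the same method, URL and JSON body with an Authorization: Bearer header for an identity holding Application.ReadWrite.All and User.ReadWrite.All, and keep the readback step: it is the cheapest way to confirm the value landed before you wire the attribute into a provisioning mapping.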
Create an extension attribute on a cloud only user using PowerShell
Create a custom extension using PowerShell and assign a value to a user. The Azure AD PowerShell module used below has been deprecated in favor of the Microsoft Graph PowerShell SDK; the Microsoft Graph requests in the previous section are the equivalent calls.
#Connect to your Azure AD tenant
Connect-AzureAD
#Create an application (you can instead use an existing application if you would like)
$App = New-AzureADApplication -DisplayName "test app name" -IdentifierUris https://testapp
#Create a service principal
New-AzureADServicePrincipal -AppId $App.AppId
#Create an extension property. ObjectId is the application object ID, not the AppId
New-AzureADApplicationExtensionProperty -ObjectId $App.ObjectId -Name "TestAttributeName" -DataType "String" -TargetObjects "User"
#List users in your tenant to determine the objectid for your user
Get-AzureADUser
#The qualified extension name is extension_<AppId without hyphens>_<Name>
$ExtensionName = "extension_$($App.AppId -replace '-','')_TestAttributeName"
#Set a value for the extension property on the user. Replace the objectid with the ID of the user
Set-AzureADUserExtension -ObjectId 0ccf8df6-62f1-4175-9e55-73da9e742690 -ExtensionName $ExtensionName -ExtensionValue "extensionValue"
#Verify that the attribute was added correctly.
Get-AzureADUser -ObjectId 0ccf8df6-62f1-4175-9e55-73da9e742690 | Select -ExpandProperty ExtensionProperty
Create an extension attribute using cloud sync
Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to auto-discover these attributes and set up a corresponding mapping to Azure AD.
- Sign in to the Azure portal with a hybrid administrator account
- Select Azure AD Connect
- Select Manage Azure AD cloud sync
- Select the configuration to which you wish to add the extension attribute and mapping
- Under Manage attributes, select Click to edit mappings
- Click Add attribute mapping. The attributes will automatically be discovered.
- The new attributes will be available in the drop-down under source attribute.
- Fill in the type of mapping you want and click Apply.
For more information, see Cloud Sync Custom Attribute Mapping
Create an extension attribute using Azure AD Connect
If users who will access the applications originate in on-premises Active Directory, then you must sync the attributes with the users from Active Directory to Azure AD. You will need to perform the following tasks before configuring provisioning to your application.
- Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they are not, extend the AD DS schema in the domains where those users have accounts.
- Open the Azure AD Connect wizard, choose Tasks, and then choose Customize synchronization options.
- Sign in as an Azure AD Global Administrator.
- On the Optional Features page, select Directory extension attribute sync.
- Select the attribute(s) you want to extend to Azure AD.
Note
The search under Available Attributes is case sensitive.
- Finish the Azure AD Connect wizard and allow a full synchronization cycle to run. When the cycle is complete, the schema is extended and the new values are synchronized between your on-premises AD and Azure AD.
In the Azure portal, while you're editing user attribute mappings, the Source attribute list will now contain the added attribute in the format <attributename> (extension_<appID>_<attributename>), where appID is the identifier of a placeholder application that Azure AD Connect creates in your tenant (named Tenant Schema Extension App). Select the attribute and map it to the target application for provisioning.
Note
The ability to provision reference attributes from on-premises AD, such as managedby or DN/DistinguishedName, is not supported today. You can request this feature on User Voice.