Microsoft Entra ID must contain all the data (attributes) required to create a user profile when provisioning user accounts from Microsoft Entra ID to a line of business (LOB), SaaS app, or on-premises application. You can use directory extensions to extend the schema in Microsoft Entra ID with your own attributes. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises, provision users from Active Directory to Microsoft Entra ID or SaaS apps, and use extension attributes in Microsoft Entra ID and Microsoft Entra ID Governance features such as dynamic membership groups or Group provisioning to Active Directory.
For more information on directory extensions, see Using directory extension attributes in claims, Microsoft Entra Connect Sync: directory extensions, and Syncing extension attributes for Microsoft Entra application provisioning.
You can see the available attributes by using Microsoft Graph Explorer.
Note
In order to discover new Active Directory extension attributes, the provisioning agent needs to be restarted. You should restart the agent after the directory extensions have been created. For Microsoft Entra extension attributes, the agent doesn't need to be restarted.
You can use directory extensions to extend the synchronization schema directory definition in Microsoft Entra ID with your own attributes.
Important
Directory extension for Microsoft Entra Cloud Sync is only supported for applications with the identifier URI API://<tenantId>/CloudSyncCustomExtensionsApp and the Tenant Schema Extension App created by Microsoft Entra Connect.
You need to create an application with the identifier URI API://<tenantId>/CloudSyncCustomExtensionsApp if it doesn't exist and create a service principal for the application if it doesn't exist.
Check if application with the identifier URI API://<tenantId>/CloudSyncCustomExtensionsApp exists.
GET /applications?$filter=identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')
For more information, see Get application
$tenantId = (Get-MgOrganization).Id
Get-MgApplication -Filter "identifierUris/any(uri:uri eq 'API://$tenantId/CloudSyncCustomExtensionsApp')"
For more information, see Get-MgApplication
If the application doesn't exist, create the application with identifier URI API://<tenantId>/CloudSyncCustomExtensionsApp.
POST https://graph.microsoft.com/v1.0/applications
Content-type: application/json
{
    "displayName": "CloudSyncCustomExtensionsApp",
    "identifierUris": ["api://<tenant id>/CloudSyncCustomExtensionsApp"]
}
For more information, see create application
(Uses the $tenantId variable from previous steps.)
New-MgApplication -DisplayName "CloudSyncCustomExtensionsApp" -IdentifierUris "API://$tenantId/CloudSyncCustomExtensionsApp"
For more information, see New-MgApplication
Check if the service principal exists for the application with identifier URI API://<tenantId>/CloudSyncCustomExtensionsApp.
GET /servicePrincipals?$filter=(appId eq '{appId}')
For more information, see get service principal
(Uses the $tenantId variable from previous steps.)
$appId = (Get-MgApplication -Filter "identifierUris/any(uri:uri eq 'API://$tenantId/CloudSyncCustomExtensionsApp')").AppId
Get-MgServicePrincipal -Filter "AppId eq '$appId'"
For more information, see Get-MgServicePrincipal
If a service principal doesn't exist, create a new service principal for the application with identifier URI API://<tenantId>/CloudSyncCustomExtensionsApp.
POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json
{
    "appId": "<application appId>"
}
For more information, see create servicePrincipal
(Uses the $appId variable from previous steps.)
New-MgServicePrincipal -AppId $appId
For more information, see New-MgServicePrincipal
Create a directory extension in Microsoft Entra ID. For example, a new extension called 'WritebackEnabled', of boolean type, for Group objects.
POST https://graph.microsoft.com/v1.0/applications/<ApplicationId>/extensionProperties
Content-type: application/json
{
    "name": "WritebackEnabled",
    "dataType": "Boolean",
    "isMultiValued": false,
    "targetObjects": [
        "Group"
    ]
}
(Uses the $tenantId variable from previous steps.)
$appObjId = (Get-MgApplication -Filter "identifierUris/any(uri:uri eq 'API://$tenantId/CloudSyncCustomExtensionsApp')").Id
New-MgApplicationExtensionProperty -ApplicationId $appObjId -Name WritebackEnabled -DataType Boolean -TargetObjects Group
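The steps above combined into one idempotent run, as an added example that is not part of the original article. It uses the same Microsoft Graph PowerShell cmdlets shown above; the Connect-MgGraph scopes and the check for an existing extension by its full name are assumptions of this example.

```powershell
# Added example: create the app, service principal and directory extension
# only when each one is missing, so the script can be re-run safely.
# Assumption: the signed-in account may consent to these delegated scopes.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Organization.Read.All'

$tenantId = (Get-MgOrganization).Id
$uri      = "API://$tenantId/CloudSyncCustomExtensionsApp"

# Step 1/2: look up the application by identifier URI, create it if absent.
$app = Get-MgApplication -Filter "identifierUris/any(uri:uri eq '$uri')"
if (-not $app) {
    $app = New-MgApplication -DisplayName 'CloudSyncCustomExtensionsApp' -IdentifierUris $uri
    Write-Host "Created application $($app.AppId)"
}

# Step 3/4: look up the service principal by appId, create it if absent.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $app.AppId
    Write-Host "Created service principal $($sp.Id)"
}

# Step 5: create the extension unless it is already defined on the app.
# Directory extensions are stored as extension_<appId without hyphens>_<name>.
$extName  = 'WritebackEnabled'
$fullName = 'extension_{0}_{1}' -f ($app.AppId -replace '-', ''), $extName

$ext = Get-MgApplicationExtensionProperty -ApplicationId $app.Id |
    Where-Object { $_.Name -eq $fullName }
if (-not $ext) {
    $ext = New-MgApplicationExtensionProperty -ApplicationId $app.Id `
        -Name $extName -DataType 'Boolean' -TargetObjects 'Group'
    Write-Host "Created extension $($ext.Name)"
}

# Show what now exists so the result can be reviewed or logged.
$ext | Select-Object Name, DataType, TargetObjects
```

Because Application.ReadWrite.All is a broad permission, run this from an administrative session and disconnect with Disconnect-MgGraph afterwards.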
You can create directory extensions in Microsoft Entra ID in several different ways, as described in the following table:
Method | Description | URL |
---|---|---|
MS Graph | Create extensions using GRAPH | Create extensionProperty |
PowerShell | Create extensions using PowerShell | New-MgApplicationExtensionProperty |
Using cloud sync and Microsoft Entra Connect | Create extensions using Microsoft Entra Connect | Create an extension attribute using Microsoft Entra Connect |
Customizing attributes to sync | Information on customizing which attributes to sync | Customize which attributes to synchronize with Microsoft Entra ID |
If you extended Active Directory to include custom attributes, you can add these attributes and map them to users.
To discover and map attributes, select Add attribute mapping and the attributes become available in the drop-down under source attribute. Fill in the type of mapping you want and select Apply.
For information on new attributes that are added and updated in Microsoft Entra ID, see the user resource type and consider subscribing to change notifications.
For more information on extension attributes, see Syncing extension attributes for Microsoft Entra Application Provisioning.