If you need to populate values on Azure AD objects like users and groups, but there are no available attributes in the default Azure AD schema fit for the purpose, an easy solution is to add custom extension attributes to an Application object (app registration) and then populate the attributes with values on objects in Azure AD.
An example scenario is that you need to store some form of object lifecycle state value on an Azure AD object, like `Active`, `Inactive` or `PendingDeletion`, to use in reports and identity automation tasks.
The custom extension attributes can be used with the following Azure AD object types: User, Group, Organization, Device and Application.
Warning: Never store sensitive information in attributes in Azure AD, as all users and applications can access the values.
Create a new app registration
It’s a good choice to create a new app registration for the purpose of implementing custom extension attributes.
- Go to the Azure AD Portal, click Azure Active Directory and App registrations.
- Click New registration, give the app a name like IAM Custom Extension Attributes, keep the other settings default and click Register.
- Make a note of the app registration’s Object ID, as we need this value when creating the extension attributes.
We’ll use Microsoft Graph via Graph Explorer to add the custom extension attributes to the app registration, but you can of course use Azure AD PowerShell or the Microsoft Graph PowerShell SDK too. If you need to learn how to work with Microsoft Graph and Graph Explorer, check out my blog post series Getting started with Microsoft Graph.
Add custom extension attribute in Graph Explorer
Custom extension attributes can be of the following types: `Binary`, `Boolean` (true/false), `DateTime` (2021-10-16T18:01:29), `String` (“Some Value”), `Integer` (12345) and `LargeInteger`.
- Go to Graph Explorer.
- Do a GET request to resource URI https://graph.microsoft.com/v1.0/applications/{App registration Object ID}, replacing {App registration Object ID} with the actual objectId of the app registration created earlier, and click Run query. You should get the app registration returned in the response.

  ```http
  GET https://graph.microsoft.com/v1.0/applications/d74460c9-27d2-4dc9-bcba-49087063c360
  ```

- Now change method to POST with resource URI https://graph.microsoft.com/v1.0/applications/{App registration Object ID}/extensionProperties and add a Request body as shown below (in this example we create a `String` attribute named `ObjectLifeCycleState` for User and Group objects):

  ```http
  POST https://graph.microsoft.com/v1.0/applications/d74460c9-27d2-4dc9-bcba-49087063c360/extensionProperties
  {
    "name": "ObjectLifeCycleState",
    "dataType": "string",
    "targetObjects": [
      "User",
      "Group"
    ]
  }
  ```
Make a note of the `name` value in the response, as this is the full attribute name that can now be populated with a string value on User and Group objects in Azure AD. The attribute name consists of `extension_` + Application (client) ID (with the hyphens removed) + `_` + attribute name, which in this example is `extension_cde0e9a5d3f44a81b81097334dbb9f66_ObjectLifeCycleState`. Note that this is the Application (client) ID of the app registration, not the Object ID used in the request URI above.
Populate the custom extension attribute on a User object
Now that we have created the custom extension attribute on an application and it is available for User and Group objects in Azure AD, we can go ahead and populate the attribute with a value.
- In Graph Explorer, set method to PATCH with resource URI https://graph.microsoft.com/v1.0/users/{user objectId or upn}, inserting the objectId or UserPrincipalName of an existing user. Add a Request body and set the extension attribute name to a value.

  ```http
  PATCH https://graph.microsoft.com/v1.0/users/e600712c-2132-455f-8d9f-ae0fc5ac9abe
  {
    "extension_cde0e9a5d3f44a81b81097334dbb9f66_ObjectLifeCycleState": "Active"
  }
  ```
If you get an HTTP 204 response (No Content), the patch was successful.
Retrieve custom extension attribute on a User object
You can now retrieve the custom extension attribute on the User object.
- In Graph Explorer, set method to GET with resource URI https://graph.microsoft.com/v1.0/users/{user objectId or upn}, inserting the objectId or UserPrincipalName of the user you populated the extension attribute for, and add `id`, `displayName`, `userPrincipalName` and the custom extension attribute name to the `$select` query parameter.

  ```http
  GET https://graph.microsoft.com/v1.0/users/e600712c-2132-455f-8d9f-ae0fc5ac9abe?$select=id,displayName,userprincipalname,extension_cde0e9a5d3f44a81b81097334dbb9f66_ObjectLifeCycleState
  ```
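As an added example that is not part of the original post, the following Python script performs the same three Graph calls from the sections above (create the extension property, write the value on a user, read it back with `$select`) using only the standard library. It assumes a bearer token in the `GRAPH_TOKEN` environment variable that carries the Application.ReadWrite.All, User.ReadWrite.All and User.Read.All permissions; the app registration Object ID, Application (client) ID and user principal name in the main block are placeholders you replace with your own values. The helper functions build the full extension name and the request bodies, and every write is checked against a fixed list of lifecycle states, because on the Azure AD side the extension is an unconstrained string.

```python
"""Manage an Azure AD directory extension attribute through Microsoft Graph.

Added example; not code from the original post. Assumes GRAPH_TOKEN holds a
valid bearer token with Application.ReadWrite.All, User.ReadWrite.All and
User.Read.All. IDs and the user name in main are placeholders.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# The allowed lifecycle states. Graph stores the extension as a free-form
# string, so this client refuses anything outside the list before writing.
LIFECYCLE_STATES = ("Active", "Inactive", "PendingDeletion")

# dataType values accepted for an extension property (compared case-insensitively,
# since the post's own request used "string").
EXTENSION_TYPES = {"binary", "boolean", "datetime", "string", "integer", "largeinteger"}


def extension_name(app_client_id: str, attribute: str) -> str:
    """Full name Graph assigns: extension_<client ID without hyphens>_<attribute>."""
    return f"extension_{app_client_id.replace('-', '')}_{attribute}"


def new_extension_property(attribute: str, target_objects, data_type: str = "String") -> dict:
    """Body for POST /applications/{objectId}/extensionProperties."""
    if data_type.lower() not in EXTENSION_TYPES:
        raise ValueError(f"unsupported dataType {data_type!r}")
    return {"name": attribute, "dataType": data_type, "targetObjects": list(target_objects)}


def lifecycle_patch(app_client_id: str, state: str) -> dict:
    """Body for PATCH /users/{id}; rejects values outside LIFECYCLE_STATES."""
    if state not in LIFECYCLE_STATES:
        raise ValueError(f"{state!r} is not one of {LIFECYCLE_STATES}")
    return {extension_name(app_client_id, "ObjectLifeCycleState"): state}


def select_query(app_client_id: str) -> str:
    """$select value that returns the extension next to the basic user fields."""
    fields = ["id", "displayName", "userPrincipalName",
              extension_name(app_client_id, "ObjectLifeCycleState")]
    return "$select=" + ",".join(fields)


def graph_request(method: str, path: str, token: str, body: Optional[dict] = None) -> Optional[dict]:
    """Send one request to Graph; returns the parsed JSON, or None for an empty 204 body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{GRAPH}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:
        # Surface Graph's error payload (e.g. missing permission) instead of a bare status.
        raise RuntimeError(f"{method} {path} -> HTTP {err.code}: {err.read().decode()}") from err
    return json.loads(raw) if raw else None


if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]
    app_object_id = "00000000-0000-0000-0000-000000000000"   # placeholder: app registration Object ID
    app_client_id = "00000000-0000-0000-0000-000000000000"   # placeholder: Application (client) ID
    user = "user@example.com"                                # placeholder: objectId or UPN

    created = graph_request("POST", f"/applications/{app_object_id}/extensionProperties", token,
                            new_extension_property("ObjectLifeCycleState", ["User", "Group"], "string"))
    print("created extension:", created["name"])

    # PATCH answers 204 No Content on success, so graph_request returns None here.
    graph_request("PATCH", f"/users/{user}", token, lifecycle_patch(app_client_id, "Active"))

    print(graph_request("GET", f"/users/{user}?{select_query(app_client_id)}", token))
```

Because the name Graph assigns embeds the client ID with the hyphens stripped, `extension_name` removes them itself, so the value copied from the app registration overview can be pasted in either form. Keeping the accepted states in one tuple on the client side is the cheapest way to stop reports and automation from having to cope with typos such as `active` or `Pending Deletion` written by other tooling.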
And that concludes this blog post, thanks for reading!