Blog Post

Core Infrastructure and Security Blog
4 MIN READ

Update Entra ID Device Extension Attributes via PowerShell & Create Dynamic Security Groups.

SantoshPargi's avatar
SantoshPargi
Icon for Microsoft rankMicrosoft
Sep 01, 2025

1) Introduction Microsoft Entra ID device objects provide a rich set of properties for identity, compliance, and device management. Among these, extension attributes allow organizations to store custom metadata on device objects in the cloud directory (not to be confused with on-premises AD extension attributes). These attributes are useful for categorization, automation, and policy enforcement. You can update these extension attributes using PowerShell through the Microsoft Graph API. Once populated, these attributes can be leveraged to create dynamic device groups in Entra ID, enabling targeted Defender for Endpoint policies, Conditional Access policies, Intune configurations, or application assignments.

2) Overview of Extension Attributes and Updating via PowerShell What Are Extension Attributes? Extension attributes (1–15) are predefined string fields available on Entra ID device objects. T...
Published Sep 01, 2025
Version 1.0
device
device properties
Entra
entra id
Extension Attributes
groups
Intune
MDE
Security group
Security Groups
NathanVorhies's avatar
NathanVorhies
Occasional Reader
Oct 01, 2025

Santosh - 

I'm attempting to use the PS script to update extension attributes and running into a few issues and was hoping you could update the script and possibly inset it so it's easier to read/copy. 

  • $tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/

    $tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody
    • Combine onto single line
    • $tokenBody is not defined
  • try {    $deviceResponse = Invoke-RestMethod -Uri $deviceLookupUri -Headers $headers -Method 
    • -Method is not defined and is required
  • $headers = @{ "Authorization" = "Bearer $accessToken"} $deviceLookupUri = "https://graph.microsoft.com/beta/devices?`$filter=displayName eq '$deviceName'" 
    • Separate lines for $deviceLookupUri
    • Does the $filter variable need a new line or need to be defined prior?

Thank you for your effort in creating this script and the blog!  We are starting into using Extension Attributes for Dynamic Group creation and this script/process will be used a lot in our environment.