Forum Discussion

KatakKatak's avatar
KatakKatak
Copper Contributor
Jun 19, 2023

Azure AD Connect - sync computer(device) extensionAttributes to Azure AD

Hi, is there any way to synchronize extensionAttribute from onprem AD to Azure AD? I can sync these attributes for "user" or "group". But I can't do it for computer(device). See screenshot below. Thanks

  • Spindle8551's avatar
    Spindle8551
    Copper Contributor

    KatakKatak in short, no. It's not supported. You have to use the Microsoft Graph PowerShell SDK to add your own extension attributes.

     

    $Params = @{

            "extensionAttributes" = @{

                "extensionAttribute1" = "YourPreferredStringAttribute"

            }

     

    Update-MgDevice -DeviceId $Device.Id - BodyParameter ($params | ConvertTo-Json)

     

    Use get-mgdevice to grab the device Id. Hope that helps. I have had to do this revently. 

    • KatakKatak's avatar
      KatakKatak
      Copper Contributor

      Thanks Spindle8551, I believe your solution works. Unfortunately this is an "Azure only" solution.

      I sync from onprem AD via Azure AD Connect to Azure thousands of computers from different AD domains. I have 12 Azure AD Connect connectors to 12 onprem AD's.

      Not all IT admins follow the computer naming convention and I have a problem in Azure to recognize which onprem AD computers are syncing from which AD.

      The idea was that I set computer extensionAttribute1 in onprem AD (e.g. Italy-site, Germany-site, Korea-site....) and then I can create dynamic groups in Azure accordingly, set Conditional Access and so on.

      Unfortunately as I can see, it is not possible to synchronize computer/device ExtensionAttributes to Azure.

      Very briefly - I am not able to find out in Azure from which onprem AD the computer syncs to Azure.

      • Spindle8551's avatar
        Spindle8551
        Copper Contributor

        YKatakKatak 

        Firstly, what are you trying to achieve exactly?

         

        Secondly and unfortunately, it's a hard 'no' to be able to sync the on-prem extensionattribute. Yes, it would be so much easier if you could. 

         

        Lastly, you should be able see which on-prem domain they're being synchronised from in AAD Connect. Yes, making a naming standard and sticking to it would help a lot more. But if you do a metaverse search for devices, you'll be able to see which connectors they've come from. You'll have to excuse that I've had to blank out the values in my screenshot, but I hope this guides you how to see them. If you search for a computer in the metaverse search with the attribute 'DisplayName' is equal to <computerdisplaynamevalue> the result will show you which connector (or AD domain) it's come from. Does it make your job harder? Yes! But the info is there.

         

        My scenario is, I needed to add a string value to an extensionattribute of a handful of devices to be exempt from MFA. You can filter devices with extensionattribute# with a value equal to <yourstringvalue>. 

         

        I ended up writing my own PowerShell function to utilise the Microsoft.Graph.Identity.DirectoryManagement module. This function takes one or more device display names or a path to a CSV file containing device names as input, and adds a value I've specified to an extensionAttribute of my choosing for each device. The function requires a valid client ID and certificate thumbprint for authentication. In other words, I had to create a service principal with Graph permission Device.ReadWrite.All and utilise a certificate thumbprint as the "secret".

         

        Hope all that makes sense.

         

  • malloy9932150's avatar
    malloy9932150
    Copper Contributor
    Hello All, still today I am facing this issue. Do we know if this is supported now?

    Has anyone else deployed any other solutions that doesn't require a custom PowerShell script?

    Thank you

Resources