Forum Discussion
Azure AD extension attributes from AD Connect
I'm struggling with finding my data in AAD. We've been running Azure Connect for years to bring the data from our on-prem AD over to our AAD instance. Back last spring, I expanded the scope of the fields we were bringing over; in Azure Connect I configured it to also send the uid from AD, where we were storing a value that I needed for SSO for a specific application. I was able to configure the claims rules for the enterprise application that I configured in AAD to send the value along to the app, and SSO works fine.
My problem is where that data is. I'll be referring here mostly to Powershell commands to look at the users. If I run a Get-Azureaduser a user -- I've tried several, all who can successfully use the SSO -- then pipe that along to select to expand the extension properties, the extension property isn't even in the list.
The one place I have found it is if I run
Get-AzureADApplication | Get-AzureADApplicationExtensionProperty
It is in the list of defined extension properties, targeting users. Ideally, I'd like to be able to see the value for a given user from AAD, and set it through Powershell as well.
Help? Why doesn't it show up in the extension attributes for our users?
9 Replies
- juliansperling (Copper Contributor)
EStrong9 Hi - you are using the AzureAD Module, which is marked for Deprecation. If you want full access to all Information in Entra ID (new Name for Azure AD) you will want to move to the new PowerShell Modules.
You should try Get-MgUser and Update-MgUser, however I personally find that the documentation of the PowerShell SDK for the Graph API (the semi-new way to talk to Entra ID) is so poor that I prefer using Invoke-MgGraphRequest and the Graph API Documentation (Get a user - Microsoft Graph v1.0 | Microsoft Learn). When interacting with Users it is important to know that you have to explicitly request a lot of properties, since the API only returns basic information by default.
- EStrong9 (Copper Contributor)
juliansperling The same thing was happening with the graph commands I ran, but I'm much less comfortable with that interface. Running Get-MgUser on a user, then piping it to Format-List -Property, and the property does not show up at all in the list. If I manually select for the property by schema extension name -- as obtained from Get-AzureADApplication | Get-AzureADApplicationExtensionProperty -- it turns back a null result.
- juliansperling (Copper Contributor)
EStrong9 Hello,
It is a good idea to clarify between an Entra ID Directory Extension and the Extension Attributes from 1 to 15 - from the cmdlets you used I presume you mean Directory Extensions, which are new attributes added to Entra ID, while the extension attributes are always there and would be handled differently - if I am incorrect please say so. (Also note: maybe your UID is also one of the attributes that are synced to Entra ID by default?)
Your problem was probably either that "Get-MgUser -Property ..." really only returns the properties you specify there, or that you missed that your result is returned in the AdditionalProperties of the result.
Format-List can only show properties that are there, so you can only copy what you requested in Get-MgUser.
To shorten this thread, this snippet worked for me, at least as far as I understand what you are trying to achieve:
# Necessary Permissions / Scopes: Directory.Read.All
# Tip: Use Find-MgGraphCommand to find the URI being used for better Documentation as well as the Necessary Permissions
# Find the required Extension Property (directory extensions are named extension_<appId>_<name>)
$extension = Get-MgDirectoryObjectAvailableExtensionProperty | where Name -match "exampleExtension"
# The extension must be requested explicitly via -Property; $mggraphConfig.testUser holds the test user's UPN or Id
$user = get-mguser -UserId $mggraphConfig.testUser -Property Displayname, Id, UserPrincipalName, $extension.Name
# The value lands in AdditionalProperties, so a calculated property is used to surface it
$extensionValue = @{Name = "$($extension.Name)"; Expression = {$_.AdditionalProperties.$($extension.Name)}}
$user | select Displayname, $extensionValue | ft
Result:
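The reply above shows how to surface a directory extension value with Get-MgUser; the original question also asked how to set it. The following is an added example, not code from either poster, that reads and writes the value through Invoke-MgGraphRequest instead of the SDK cmdlets, resolves the extension name with Get-MgDirectoryObjectAvailableExtensionProperty, and refuses to write to a user that is mastered on-prem (a cloud-side write to a synced attribute is either rejected or reverted by the next sync cycle, so the change belongs in on-prem AD where AD Connect reads it). The extension name pattern, the UPN and the scope choice are placeholders; connect with Connect-MgGraph first and request only the scope the operation needs (Directory.Read.All to read, User.ReadWrite.All or Directory.ReadWrite.All to write).

```powershell
# Added example: read/set a directory extension on a user via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and Connect-MgGraph has been run.
# Pattern, UPN and values below are placeholders, not values from the thread.

function Get-DirectoryExtensionName {
    param([Parameter(Mandatory)][string]$Pattern)
    # Directory extensions are named extension_<appId without dashes>_<attribute>.
    # Only user-targeted extensions are relevant here.
    $ext = @(Get-MgDirectoryObjectAvailableExtensionProperty |
        Where-Object { $_.Name -match $Pattern -and $_.TargetObjects -contains 'User' })
    if ($ext.Count -eq 0) { throw "No user-targeted extension property matches '$Pattern'" }
    if ($ext.Count -gt 1)  { throw "Pattern '$Pattern' matches more than one extension; be more specific" }
    return $ext[0].Name
}

function Get-UserExtensionValue {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ExtensionName
    )
    # Graph returns only a default property set; the extension must be named in $select.
    # onPremisesSyncEnabled tells us whether the attribute is mastered on-prem.
    $uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName" +
           "?`$select=id,userPrincipalName,onPremisesSyncEnabled,$ExtensionName"
    $u = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    [pscustomobject]@{
        Id                    = $u.id
        UserPrincipalName     = $u.userPrincipalName
        OnPremisesSyncEnabled = [bool]$u.onPremisesSyncEnabled
        ExtensionName         = $ExtensionName
        Value                 = $u.$ExtensionName   # $null when the attribute has never been set
    }
}

function Set-UserExtensionValue {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ExtensionName,
        [Parameter(Mandatory)][string]$Value
    )
    $current = Get-UserExtensionValue -UserPrincipalName $UserPrincipalName -ExtensionName $ExtensionName
    if ($current.OnPremisesSyncEnabled) {
        # The attribute is owned by AD Connect: change it in on-prem AD, not here.
        throw "User $UserPrincipalName is synced from on-prem AD; set the source attribute there instead."
    }
    # Graph PATCH accepts the extension name as a plain JSON property.
    $body = @{ $ExtensionName = $Value }
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$UserPrincipalName" -Body $body
    return Get-UserExtensionValue -UserPrincipalName $UserPrincipalName -ExtensionName $ExtensionName
}

# Usage (placeholders):
# Connect-MgGraph -Scopes 'Directory.Read.All'
# $name = Get-DirectoryExtensionName -Pattern '_uid$'
# Get-UserExtensionValue -UserPrincipalName 'someone@contoso.example' -ExtensionName $name
```

Because the extension value is what the enterprise application receives as an SSO claim, treat whatever writes it (the on-prem attribute for synced users, or the Graph write scope for cloud-only users) as controlling the identity mapping for that application, and scope and audit it accordingly.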