Forum Discussion
Azure AD extension attributes from AD Connect
EStrong9 Hi, I happen to have used this as a jump-off point for a full blog post - https://sparrowte.ch/index.php/en/2023/12/07/391/
However, your follow-up question will lead me to make a few edits, since I recognize I could extend the documentation a bit 🙂
I also have how to update them in there, but I can't recommend doing that if you are synchronising them from on-premises: you might run into conflicts with your Entra ID (AAD) Connect sync down the line. That should be done by manipulating the base properties in Active Directory.
On the related note (and why I should work on my naming and documentation):
$extensionValue is not the value of the extension; it defines a custom property in Select-Object to handle exactly the issue you described. It tells Select-Object to take the value from AdditionalProperties, so the select statement you are looking for is:
$extensionValue = @{Name = "$($extension.Name)"; Expression = {$_.AdditionalProperties.$($extension.Name)}}
$user | select Displayname, $extensionValue | ft
If you have multiple values in AdditionalProperties you can define more custom expressions for Select-Object - see https://learn.microsoft.com/en-us/powershell/scripting/samples/selecting-parts-of-objects--select-object-?view=powershell-7.4 for an example.
Short version: no love, scrapping this part of the project.
Slightly longer version: I looked at your site and pulled the part about building out the param array and assigning it. Ran it on my test user, got some errors. Modified things, got it to run without errors. Went to check for the value. No value in the property. Went back and did more checking. With the previous background of the SSO that keys off the property value works and continues to work, I ran the select statement as you provided earlier, and it continued to return the correct value... for my account. On all other accounts I tested, not a single one returned a value at all. When I dug down into it, and checked the Additional Properties on all those accounts, all of them had the default context and that's it.
I don't know why. They can sign in, so the information contained within the additional properties field of my account of that extension value is there, somewhere, but I can't find it.
But all this was primarily to be a short workaround for a more onerous way of getting a service account access, and it is proving to be less short and straightforward than is probably worth it.
juliansperling (Dec 19, 2023, Brass Contributor): My condolences! To me the issue sounds like you did not have permissions to view the other users - how did you connect to Microsoft Graph, and did you use Get-MgContext to check whether you had the required permissions? Either way, I wish you the best of luck on any further endeavours.
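As an added example (not code from the thread or from the linked blog), the script below combines the Select-Object calculated-property approach from the first reply with the Get-MgContext permission check suggested in the last one, so that an empty result for other users is caught as a missing scope rather than a missing attribute. It assumes the Microsoft Graph PowerShell SDK is installed; the extension names, app ID and UPN are placeholders.

```powershell
# Added example, not from the thread or the linked blog. Reads Entra Connect-synced
# directory extension attributes through Microsoft Graph PowerShell and verifies the
# session's scopes first. Extension names, app ID and UPN below are placeholders.

# Directory extensions surface in Graph as extension_<appId>_<attributeName>;
# replace these with the names from your own tenant.
$extensionNames = @(
    'extension_00000000000000000000000000000000_employeeType',   # placeholder
    'extension_00000000000000000000000000000000_costCenter'      # placeholder
)

# Least privilege check: a session holding only User.Read can read the signed-in
# user but not other accounts, which matches the symptom described in the thread.
$required = 'User.Read.All'
$ctx = Get-MgContext
if (-not $ctx -or ($ctx.Scopes -notcontains $required)) {
    Connect-MgGraph -Scopes $required
    $ctx = Get-MgContext
}
if ($ctx.Scopes -notcontains $required) {
    throw "Graph session lacks $required; extension values for other users will not be returned."
}

function Get-ExtensionReport {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [Parameter(Mandatory)] [string[]] $ExtensionName
    )
    # Graph only returns extension attributes that are explicitly requested,
    # so they must be passed to -Property next to the standard fields.
    $graphProps = @('displayName', 'userPrincipalName') + $ExtensionName

    # One calculated property per extension. The value lives in the
    # AdditionalProperties dictionary, not as a top-level member of the user object.
    # GetNewClosure() binds the current $n into each scriptblock; without it every
    # expression would evaluate the last name in the loop.
    $calculated = foreach ($n in $ExtensionName) {
        @{ Name = $n; Expression = { $_.AdditionalProperties[$n] }.GetNewClosure() }
    }
    $selectProps = @('DisplayName', 'UserPrincipalName') + @($calculated)

    foreach ($upn in $UserPrincipalName) {
        Get-MgUser -UserId $upn -Property $graphProps | Select-Object -Property $selectProps
    }
}

# Placeholder UPN; pass several to compare your own account against other users.
Get-ExtensionReport -UserPrincipalName 'user@contoso.example' -ExtensionName $extensionNames |
    Format-Table -AutoSize
```

If the report still shows blank columns after the scope check passes, confirm the attribute names against the tenant's registered directory extensions, since a misspelled name is silently omitted from AdditionalProperties rather than raising an error.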