Forum Discussion
Azure AD Connect - sync computer(device) extensionAttributes to Azure AD
Hi, is there any way to synchronize extensionAttribute from onprem AD to Azure AD? I can sync these attributes for "user" or "group". But I can't do it for computer(device). See screenshot below. Thanks
6 Replies
- malloy9932150 (Copper Contributor): Hello All, still today I am facing this issue. Do we know if this is supported now?
 Has anyone else deployed any other solutions that don't require a custom PowerShell script?
 Thank you
- Spindle8551 (Copper Contributor): KatakKatak in short, no. It's not supported. You have to use the Microsoft Graph PowerShell SDK to add your own extension attributes.

    # Grab the device object first; its Id is needed for the update
    $Device = Get-MgDevice -Filter "displayName eq 'YourDeviceName'"
    $Params = @{ "extensionAttributes" = @{ "extensionAttribute1" = "YourPreferredStringAttribute" } }
    # -BodyParameter takes the hashtable directly (no ConvertTo-Json needed)
    Update-MgDevice -DeviceId $Device.Id -BodyParameter $Params

 Use Get-MgDevice to grab the device Id. Hope that helps. I have had to do this recently.
- KatakKatak (Copper Contributor): Thanks Spindle8551, I believe your solution works. Unfortunately this is an "Azure only" solution.
 I sync from onprem AD via Azure AD Connect to Azure thousands of computers from different AD domains. I have 12 Azure AD Connect connectors to 12 onprem AD's.
 Not all IT admins follow the computer naming convention and I have a problem in Azure to recognize which onprem AD computers are syncing from which AD.
 The idea was that I set computer extensionAttribute1 in onprem AD (e.g. Italy-site, Germany-site, Korea-site....) and then I can create dynamic groups in Azure accordingly, set Conditional Access and so on.
 Unfortunately as I can see, it is not possible to synchronize computer/device ExtensionAttributes to Azure.
 Very briefly - I am not able to find out in Azure from which onprem AD the computer syncs to Azure.
- Spindle8551 (Copper Contributor): Firstly, what are you trying to achieve exactly? Secondly and unfortunately, it's a hard 'no' to be able to sync the on-prem extensionAttribute. Yes, it would be so much easier if you could. Lastly, you should be able to see which on-prem domain they're being synchronised from in AAD Connect. Yes, making a naming standard and sticking to it would help a lot more. But if you do a metaverse search for devices, you'll be able to see which connectors they've come from.
 You'll have to excuse that I've had to blank out the values in my screenshot, but I hope this guides you how to see them. If you search for a computer in the metaverse search with the attribute 'DisplayName' is equal to <computerdisplaynamevalue> the result will show you which connector (or AD domain) it's come from. Does it make your job harder? Yes! But the info is there.
 My scenario is, I needed to add a string value to an extensionAttribute of a handful of devices to be exempt from MFA. You can filter devices with extensionAttribute# with a value equal to <yourstringvalue>. I ended up writing my own PowerShell function to utilise the Microsoft.Graph.Identity.DirectoryManagement module. This function takes one or more device display names or a path to a CSV file containing device names as input, and adds a value I've specified to an extensionAttribute of my choosing for each device. The function requires a valid client ID and certificate thumbprint for authentication. In other words, I had to create a service principal with Graph permission Device.ReadWrite.All and utilise a certificate thumbprint as the "secret". Hope all that makes sense.
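The function Spindle8551 describes above (device names or a CSV as input, certificate-based app-only authentication, one extensionAttribute written per device) is not posted in the thread. The following is an added example written in that shape; it is not Spindle8551's own function and not Microsoft code. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement modules are installed, an app registration holding the Device.ReadWrite.All application permission with its certificate in the local certificate store, and a CSV column named `DeviceName` (a constructed convention). The function name, parameter names and the placeholder client ID, tenant ID and thumbprint values are assumptions. Because KatakKatak's tenant receives devices from twelve domains, the example refuses to update a display name that matches more than one device object rather than tagging the wrong one, and it supports `-WhatIf` so a bulk run can be previewed before anything is written.

```powershell
# Added example: sets extensionAttribute<N> on Azure AD (Entra ID) device objects via Microsoft Graph.
# Assumes: Microsoft.Graph.Authentication + Microsoft.Graph.Identity.DirectoryManagement modules,
# an app registration with application permission Device.ReadWrite.All, certificate in the local store.
# $ClientId / $TenantId / $CertificateThumbprint values are placeholders supplied by the caller.
function Set-DeviceExtensionAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Names')]
        [string[]]$DeviceName,
        [Parameter(Mandatory, ParameterSetName = 'Csv')]
        [string]$CsvPath,                       # CSV with a 'DeviceName' column (assumed layout)
        [Parameter(Mandatory)]
        [ValidateRange(1, 15)]
        [int]$AttributeNumber,                  # which of extensionAttribute1..15 to write
        [Parameter(Mandatory)]
        [string]$Value,                         # e.g. 'Italy-site'
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$CertificateThumbprint
    )

    # App-only sign-in with a certificate: no client secret lives in the script or a scheduled task.
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

    # Accept either a list of names or a CSV file with a DeviceName column.
    $names = if ($PSCmdlet.ParameterSetName -eq 'Csv') {
        (Import-Csv -Path $CsvPath).DeviceName
    } else {
        $DeviceName
    }

    $attrName = "extensionAttribute$AttributeNumber"
    foreach ($name in ($names | Where-Object { $_ } | Select-Object -Unique)) {
        # Escape single quotes so a display name cannot break the OData filter string.
        $escaped = $name -replace "'", "''"
        $devices = @(Get-MgDevice -Filter "displayName eq '$escaped'" -All)

        if ($devices.Count -eq 0) {
            Write-Warning "No device found with displayName '$name'"
            continue
        }
        if ($devices.Count -gt 1) {
            # Same display name synced from more than one on-prem domain: do not guess which one.
            Write-Warning "$($devices.Count) devices match '$name'; skipping. Disambiguate by object Id."
            continue
        }

        # Same body shape as the one-liner earlier in the thread; a hashtable is passed directly.
        $body = @{ extensionAttributes = @{ $attrName = $Value } }
        if ($PSCmdlet.ShouldProcess($name, "Set $attrName = '$Value'")) {
            Update-MgDevice -DeviceId $devices[0].Id -BodyParameter $body
            [pscustomobject]@{
                DeviceName = $name
                DeviceId   = $devices[0].Id
                Attribute  = $attrName
                Value      = $Value
            }
        }
    }

    Disconnect-MgGraph | Out-Null
}

# Usage with placeholder values (add -WhatIf first to preview without writing anything):
# Set-DeviceExtensionAttribute -DeviceName 'PC-001','PC-002' -AttributeNumber 1 -Value 'Italy-site' `
#     -ClientId '<app-client-id>' -TenantId '<tenant-id>' -CertificateThumbprint '<cert-thumbprint>' -WhatIf
# Set-DeviceExtensionAttribute -CsvPath .\devices.csv -AttributeNumber 1 -Value 'Germany-site' `
#     -ClientId '<app-client-id>' -TenantId '<tenant-id>' -CertificateThumbprint '<cert-thumbprint>'
```

The service principal should hold only Device.ReadWrite.All, as Spindle8551 did, and the certificate's private key should be restricted to the account that runs the script; any dynamic group or Conditional Access policy keyed on the attribute is only as trustworthy as the process that can write it, so keep the write path this narrow.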