Azure AD extension attributes from AD Connect


I'm struggling with finding my data in AAD.  We've been running Azure Connect for years to bring the data from our on-prem AD over to our AAD instance.  Back last spring, I expanded the scope of the fields we were bringing over; in Azure Connect I configured it to also send the uid from AD, where we were storing a value that I needed for SSO for a specific application.  I was able to configure the claims rules for the enterprise application that I configured in AAD to send the value along to the app, and SSO works fine.

My problem is where that data is.  I'll be referring here mostly to PowerShell commands to look at the users.  If I run Get-AzureADUser on a user -- I've tried several, all of whom can successfully use the SSO -- then pipe that along to Select-Object to expand the extension properties, the extension property isn't even in the list.
The one place I have found it is if I run
Get-AzureADApplication | Get-AzureADApplicationExtensionProperty
It is in the list of defined extension properties, targeting users.  Ideally, I'd like to be able to see the value for a given user from AAD, and set it through PowerShell as well.
Help?  Why doesn't it show up in the extension attributes for our users?

9 Replies

@EStrong9 Hi - you are using the AzureAD module, which is marked for deprecation. If you want full access to all information in Entra ID (the new name for Azure AD) you will want to move to the new PowerShell modules.
You should try Get-MgUser and Update-MgUser; however, I personally find that the documentation of the PowerShell SDK for the Graph API (the semi-new way to talk to Entra ID) is so poor that I prefer using Invoke-MgGraphRequest and the Graph API documentation (Get a user - Microsoft Graph v1.0 | Microsoft Learn). When interacting with users it is important to know that you have to explicitly request a lot of properties, since the API only returns basic information by default.

@juliansperling The same thing was happening with the Graph commands I ran, but I'm much less comfortable with that interface.  Running Get-MgUser on a user, then piping it to Format-List -Property, the property does not show up at all in the list.  If I manually select for the property by schema extension name -- as obtained from Get-AzureADApplication | Get-AzureADApplicationExtensionProperty -- it returns a null result.

@EStrong9 Hello,
It is a good idea to distinguish between an Entra ID Directory Extension and the Extension Attributes 1 to 15 - from the cmdlets you used I presume you mean Directory Extensions, which are new attributes added to Entra ID, while the extension attributes are always there and would be handled differently - if I am incorrect please say so. (Also note: maybe your UID is also one of the attributes that are synced to Entra ID by default?)
Your problem was probably either that "Get-MgUser -Property ..." really only returns the properties you specify there, or that you missed that your result is returned in the AdditionalProperties of the result.

Format-list can only show Properties that are there, so you can only copy what you requested in get-mguser.
To shorten this thread, this snippet worked for me, at least as far as I understand what you are trying to achieve:

# Necessary permissions / scopes: Directory.Read.All
# Tip: use Find-MgGraphCommand to find the URI being used for better documentation as well as the necessary permissions
Connect-MgGraph -Scopes 'Directory.Read.All'

# Find the required extension property (the name has the form extension_<appId>_<attribute>)
$extension = Get-MgDirectoryObjectAvailableExtensionProperty | Where-Object Name -match 'exampleExtension'

# Directory extensions are only returned when named explicitly in -Property.
# $mggraphConfig.testUser is the poster's own variable holding a test user's UPN or object id.
$user = Get-MgUser -UserId $mggraphConfig.testUser -Property DisplayName, Id, UserPrincipalName, $extension.Name

# The value lands in AdditionalProperties, so a calculated property surfaces it in Select-Object
$extensionValue = @{ Name = $extension.Name; Expression = { $_.AdditionalProperties[$extension.Name] } }
$user | Select-Object DisplayName, $extensionValue | Format-Table

Result: (screenshot in the original post)

Hi, can I offer any further assistance? If you found my snippet useful please mark it as best answer.
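The snippet above reads the extension for a single user. As an added example (not code from the thread or from the Sparrowtech post), the functions below generalise it: they resolve the directory extension by name and stop unless exactly one matches, fetch the extension for a list of users, and tell a user who has no value (Graph omits the key, so AdditionalProperties carries only @odata.context) apart from one whose value is an empty string. They also show the equivalent raw Graph call that the earlier reply recommends. The pattern 'exampleExtension' and the UPNs are placeholders, and Directory.Read.All is assumed to be consented.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph PowerShell SDK,
# a consented Directory.Read.All scope, and a directory extension registered by
# Entra Connect whose name matches the placeholder pattern 'exampleExtension'.
Connect-MgGraph -Scopes 'Directory.Read.All'

function Resolve-DirectoryExtension {
    param([Parameter(Mandatory)][string]$Pattern)
    # Lists every registered directory extension (extension_<appId>_<attribute>).
    # Named $found rather than $matches because $Matches is a PowerShell automatic variable.
    $found = @(Get-MgDirectoryObjectAvailableExtensionProperty | Where-Object Name -match $Pattern)
    if ($found.Count -ne 1) {
        throw "Expected exactly one extension matching '$Pattern', found $($found.Count): $($found.Name -join ', ')"
    }
    $found[0]
}

function Get-DirectoryExtensionValue {
    param(
        [Parameter(Mandatory)][string]$ExtensionName,
        [Parameter(Mandatory)][string[]]$UserId
    )
    foreach ($id in $UserId) {
        # Directory extensions come back only when named in -Property; the SDK puts them
        # in AdditionalProperties, not on a typed property of the user object.
        $u = Get-MgUser -UserId $id -Property Id, UserPrincipalName, $ExtensionName -ErrorAction Stop
        # Graph omits the key entirely for users without a value, so AdditionalProperties
        # then holds only '@odata.context'. ContainsKey separates "missing" from "empty string".
        $has   = $u.AdditionalProperties.ContainsKey($ExtensionName)
        $value = if ($has) { $u.AdditionalProperties[$ExtensionName] } else { $null }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            HasValue          = $has
            Value             = $value
        }
    }
}

function Get-DirectoryExtensionValueRaw {
    param(
        [Parameter(Mandatory)][string]$ExtensionName,
        [Parameter(Mandatory)][string]$UserId
    )
    # The same request without the SDK wrapper: $select must name the extension explicitly.
    # Single quotes keep PowerShell from expanding '$select' as a variable.
    $uri = "https://graph.microsoft.com/v1.0/users/$UserId" + '?$select=userPrincipalName,' + $ExtensionName
    $raw = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $raw.$ExtensionName   # $null when Graph left the key out of the response
}

$extension = Resolve-DirectoryExtension -Pattern 'exampleExtension'
# Placeholder UPNs; replace with real users, or feed in ids from Get-MgUser -All
$users = 'alice@contoso.example', 'bob@contoso.example'
Get-DirectoryExtensionValue -ExtensionName $extension.Name -UserId $users |
    Format-Table UserPrincipalName, HasValue, Value -AutoSize
```

The HasValue column is the useful part when, as later in this thread, every account but one comes back with nothing: it shows whether Graph returned the key at all, rather than leaving you to guess from a blank cell.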

@juliansperling 
Thank you, that has gotten me most of the way there.  I can see the value of the property using the code you helpfully provided.  Now I'm trying to figure out how to change the property value.
Update-MgUser -UserId $user -AdditionalProperties @{$extensionValue="yyyyyyyyy"}

is what I've been working with, but it doesn't seem to be doing what I want. 
Related question, with

$user | select Displayname, AdditionalProperties

the AdditionalProperties column is cut off; is there an easy way to get it to display the whole hash table?

@EStrong9 Hi, I happen to have used this as a jumping-off point for a full blog post - Working with Entra ID Directory Extensions – Sparrowtech
However, your follow-up question will lead me to make a few edits, since I recognize I could extend the documentation a bit :)
I also have how to update them in there, but I can't recommend doing that if you are synchronising them from on-premises - you might run into conflicts with your Entra ID (AAD) Connect sync down the line; that should be done by manipulating the base properties in Active Directory.
To the related note (and why I should work on my naming and documentation):

$extensionValue is not the value of the extension; it defines a custom property in Select-Object to handle exactly the issue you described - it tells Select-Object to take the value from AdditionalProperties, so the select statement you are looking for is

$extensionValue = @{ Name = $extension.Name; Expression = { $_.AdditionalProperties[$extension.Name] } }
$user | Select-Object DisplayName, $extensionValue | Format-Table
If you have multiple Values in $AdditionalProperties you can define more Custom Expressions for Select - see Selecting parts of objects - PowerShell | Microsoft Learn for example.
Hi, if there are no further issues, would you be so kind as to mark one of my replies as the best answer? This will help people with a similar issue find the solution in future.

@juliansperling 

Short version: no love, scrapping this part of the project.

Slightly longer version: I looked at your site and pulled the part about building out the param array and assigning it. Ran it on my test user, got some errors. Modified things, got it to run without errors. Went to check for the value. No value in the property. Went back and did more checking. With the previous background of the SSO that keys off the property value works and continues to work, I ran the select statement as you provided earlier, and it continued to return the correct value... for my account. On all other accounts I tested, not a single one returned a value at all. When I dug down into it, and checked the Additional Properties on all those accounts, all of them had the default context and that's it.
I don't know why.  They can sign in, so the information contained within the additional properties field of my account of that extension value is there, somewhere, but I can't find it.

But all this was primarily to be a short workaround for a more onerous way of getting a service account access, and it is proving to be less short and straightforward than is probably worth it.

My condolences! To me the issue sounds like you did not have permissions to view the other users - How did you connect to Microsoft Graph and did you use Get-MgContext to check whether you had the required permissions? Either way, I wish you the best of luck on any further endeavours.
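Two points from the last few replies, worked through as an added example (not the poster's code and not the Sparrowtech post's): checking with Get-MgContext that the current token actually carries a scope that can read other users before concluding a value is missing, and writing a directory extension with Update-MgUser, where the hashtable key has to be the extension's schema name and not the $extensionValue calculated-property definition used for display. The extension name, user and value are placeholders; the write needs User.ReadWrite.All or Directory.ReadWrite.All. As the reply above warns, do not write an attribute that Entra Connect syncs from on-premises; change it in Active Directory instead. The example assumes a cloud-only extension.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph PowerShell SDK and a
# cloud-only directory extension (not synced by Entra Connect) with the placeholder name below.
$extensionName = 'extension_00000000000000000000000000000000_uid'   # placeholder schema name

function Assert-MgScope {
    # Fails loudly unless the current Graph token carries at least one of the given scopes.
    param([Parameter(Mandatory)][string[]]$AnyOf)
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected to Microsoft Graph; run Connect-MgGraph first.' }
    $held = @($ctx.Scopes | Where-Object { $AnyOf -contains $_ })
    if ($held.Count -eq 0) {
        throw "Signed in as $($ctx.Account) ($($ctx.AuthType)) without any of: $($AnyOf -join ', '). Granted: $($ctx.Scopes -join ', ')"
    }
}

function Set-DirectoryExtensionValue {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$ExtensionName,
        [AllowNull()]$Value          # left untyped on purpose: a [string] parameter would turn $null into ''
    )
    # The hashtable KEY is the extension's schema name (extension_<appId>_<attribute>).
    # The $extensionValue hashtable from the read example is a Select-Object calculated
    # property and must not be used here. Passing $null as the value clears the attribute.
    Update-MgUser -UserId $UserId -AdditionalProperties @{ $ExtensionName = $Value } -ErrorAction Stop
    # Read back through Graph so the change is verified rather than assumed.
    $u = Get-MgUser -UserId $UserId -Property Id, $ExtensionName -ErrorAction Stop
    if ($u.AdditionalProperties.ContainsKey($ExtensionName)) { $u.AdditionalProperties[$ExtensionName] } else { $null }
}

Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

# Before digging into "why is it empty for everyone but me", confirm the token can read the
# directory at all (the last reply's suggestion). A delegated User.Read-only sign-in does not qualify.
Assert-MgScope -AnyOf 'Directory.Read.All', 'Directory.ReadWrite.All', 'User.Read.All', 'User.ReadWrite.All'

# Write, then read back. Placeholder user and value.
Assert-MgScope -AnyOf 'Directory.ReadWrite.All', 'User.ReadWrite.All'
Set-DirectoryExtensionValue -UserId 'svc-app@contoso.example' -ExtensionName $extensionName -Value 'yyyyyyyyy'
```

Assert-MgScope matches scope strings literally, so list every scope you would accept (a ReadWrite scope does not appear as its Read counterpart in Get-MgContext); for an app-only connection the Scopes list reflects the application permissions granted to the app registration.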