Thanks Spindle8551, I believe your solution works. Unfortunately this is an "Azure only" solution.

I sync from onprem AD via Azure AD Connect to Azure thousands of computers from different AD domains. I have 12 Azure AD Connect connectors to 12 onprem AD's.

Not all IT admins follow the computer naming convention and I have a problem in Azure to recognize which onprem AD computers are syncing from which AD.

The idea was that I set computer extensionAttribute1 in onprem AD (e.g. Italy-site, Germany-site, Korea-site....) and then I can create dynamic groups in Azure accordingly, set Conditional Access and so on.

Unfortunately as I can see, it is not possible to synchronize computer/device ExtensionAttributes to Azure.

Very briefly - I am not able to find out in Azure from which onprem AD the computer syncs to Azure.

Y@KatakKatak 

Firstly, what are you trying to achieve exactly?

Secondly and unfortunately, it's a hard 'no' to be able to sync the on-prem extensionattribute. Yes, it would be so much easier if you could. 

Lastly, you should be able see which on-prem domain they're being synchronised from in AAD Connect. Yes, making a naming standard and sticking to it would help a lot more. But if you do a metaverse search for devices, you'll be able to see which connectors they've come from. You'll have to excuse that I've had to blank out the values in my screenshot, but I hope this guides you how to see them. If you search for a computer in the metaverse search with the attribute 'DisplayName' is equal to <computerdisplaynamevalue> the result will show you which connector (or AD domain) it's come from. Does it make your job harder? Yes! But the info is there.

My scenario is, I needed to add a string value to an extensionattribute of a handful of devices to be exempt from MFA. You can filter devices with extensionattribute# with a value equal to <yourstringvalue>. 

I ended up writing my own PowerShell function to utilise the Microsoft.Graph.Identity.DirectoryManagement module. This function takes one or more device display names or a path to a CSV file containing device names as input, and adds a value I've specified to an extensionAttribute of my choosing for each device. The function requires a valid client ID and certificate thumbprint for authentication. In other words, I had to create a service principal with Graph permission Device.ReadWrite.All and utilise a certificate thumbprint as the "secret".

Hope all that makes sense.

@Spindle8551 

If you search for a computer in the metaverse search with the attribute 'DisplayName' is equal to <computerdisplaynamevalue> the result will show you which connector (or AD domain) it's come from. Does it make your job harder? Yes! But the info is there.

Yes, correct. The info is here. But the info is not in Azure AD, only in the connector.

I will also try to write my own PowerShell function to utilise the Microsoft.Graph.Identity.DirectoryManagement module. Jut like you did.

Thanks for help.