Azure AD cmdlets to work with extension attributes

About extension attributes

Extension attributes offer a convenient way to extend your Azure AD directory with new attributes that you can use to store attribute values for objects in your directory. You can attach an extension attribute to the following object types:

  • users
  • tenant details
  • devices
  • applications

Extension properties are registered on an Application object within the developer’s directory. After the application has been consented to by a user or an admin in the developer’s directory, the property is added to the target directory type and becomes immediately accessible in the developer’s directory. For a multi-tenant application, when the application is granted consent by a user or an admin in another organization, the extension properties become immediately accessible on the target directory type in the other organization’s directory.

If an organization consents to “read only” permissions for an application with registered extensions, the properties will still become accessible in the other organization’s directory. Additionally, extension properties are accessible by any consented application in an organization, not just for the application to which they are registered. Other consented applications in that organization can read or write values for the new extension property if they have sufficient permissions.

If the application is deleted or consent is removed in the other organization’s directory, the extension property becomes inaccessible on the target directory object. If the extension is deleted by the application, it also becomes inaccessible on the target directory object. If a multi-tenant application adds additional extension properties after consent was granted, these properties become immediately accessible in the other organization’s directory.

Note

If an extension property’s value is set on an object and that property becomes inaccessible in that object’s directory, the property still counts against that object’s limit of 100 extension property values. The only way to remove the property value from consideration once it has been set is to explicitly set it to null. You cannot do this if the extension property is inaccessible.

You can read more about extension properties in this article.

Examples

In these examples we'll be using a user object and work with extension properties. We'll first find the ObjectId of the user so we can easily refer to it later:

$UserId = (Get-AzureADUser -Searchstring <UPN of the user we're working with>).ObjectId 

Get all property values of a user

(Get-AzureADUser -ObjectId $UserId).ToJson()

Get a user and show all extension properties

Get-AzureADUser -ObjectId $UserId | Select -ExpandProperty ExtensionProperty

This cmdlet returns all extension properties of a user with their current values:

Key                                                                   Value
---                                                                   -----
odata.metadata                                                        https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metad...
odata.type                                                            Microsoft.DirectoryServices.User
thumbnailPhoto@odata.mediaContentType                                 image/Jpeg
extension_e5e29b8a85d941eab8d12162bd004528_extensionAttribute13       Test 

Retrieve the value of a specific extension property for a user

(Get-AzureADUserExtension -ObjectId $UserId).get_item("extension_e5e29b8a85d941eab8d12162bd004528_wWWHomePage")

Retrieve all extension properties that are defined in your tenant

Get-AzureADApplication | Get-AzureADApplicationExtensionProperty 

Create a new extension property

Extension properties are always created for a specific application. If you just want to add generic properties to your directory, you can create a placeholder application:

$MyApp = (New-AzureADApplication -DisplayName "My Properties Bag" -IdentifierUris "https://dummy").ObjectId 

Note that you need to create a service principal for this application in your directory as well, so you can create a new extension property:

New-AzureADServicePrincipal -AppId (Get-AzureADApplication -SearchString "My Properties Bag").AppId 

Now we can use this application to create a new extension property:

New-AzureADApplicationExtensionProperty -ObjectId $MyApp -Name "MyNewProperty" -DataType "String" -TargetObjects "User" 

When the cmdlet completes successfully it returns the new extension attribute object:

ObjectId                             Name                                                     TargetObjects
--------                             ----                                                     -------------
aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty {User}

Note

The Name of the new property is generated from the format "Extension_" + <objectID of your placeholder application> + "_" + <the name of your new property>. The exact value of the name will therefore be different for different applications you create. You can assign a property to more than one object type. In our example we only used one TargetObject, "User", but you could also have specified "User","Group", this would assign the object to both user and group objects.

Setting values for extension properties

Using the extension property we used in the previous example, we can now assign a value to it:

Set-AzureADUserExtension -ObjectId $UserId -ExtensionName "extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty" -ExtensionValue "MyNewValue" 

Retrieving all extension attributes that are defined for your application

You can retrieve the list of extension attributes that have been defined for your application:

Get-AzureADApplicationExtensionProperty -ObjectId (Get-AzureADApplication -SearchString "My Properties Bag").ObjectId 

This cmdlet returns the list of extension properties in your application:

ObjectId                             Name                                                      TargetObjects
--------                             ----                                                      -------------

aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb extension_0380f0f700c040b5aa577c9268940b53_MyNewProperty  {User}

Deleting extension properties

If you no longer need an extension property, you can delete it:

Remove-AzureADApplicationExtensionProperty -ObjectId (Get-AzureADApplication -SearchString "My Properties Bag").ObjectID -ExtensionPropertyId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb 

Note

You can neither remove the attribute from Azure AD once extended nor delete the Tenant Schema Extension App without raising a request to the PayOps Team. Also, turning off the directory extensions option from Azure AD wizard won't remove the attributes or let you get rid of the app.