次の方法で共有


Use Azure AD PowerShell to Check Synchronised On-Premises AD extensionAttributes 1-15

You wait 271 days for a new PoSh Chap post and, like London buses, two come along at once!

 

 

How can we use the Azure AD PowerShell module to check for users that have extensionAttributes sync'd up to Azure AD?

Here's how...

Use the Get-AzureADApplication and Get-AzureADApplicationExtensionProperty to retrieve a base value representing the extentionAttributes as they appear in Azure AD. The application ID of the 'Tenant Schema Extension App' forms the middle part of the name of each extensionAttribute when sync'd to azure AD, just like this:

 

extension_9c0741cdf21149d1bcee83ccd513b92f_extensionAttribute9

extension_9c0741cdf21149d1bcee83ccd513b92f_extensionAttribute4

extension_9c0741cdf21149d1bcee83ccd513b92f_extensionAttribute15

 

The PowerShell removes the integer at the end of the extension property so we can use it as a base value when checking if a user has an of the on-premises extension attributes associated with their account.

 

extension_9c0741cdf21149d1bcee83ccd513b92f_extensionAttribute

 

Here's the PowerShell:

 
#Get an extensionAttribute property from the 'Tenant Schema Extension App' - this will be used to check user extension properties
$ExtAttribute = (Get-AzureADApplication -SearchString "Tenant Schema Extension App" | 
                 Get-AzureADApplicationExtensionProperty | 
                 Where-Object {$_.Name -like "*extensionAttribute*"} | 
                 Select-Object -First 1).Name.Substring(0,61)

 

We now use Get-AzureADUser to retrieve all of the users in the tenant. For each user we examine the contents of their ExtensionProperty attribute and attempt to match them to the base value, $ExtAttribute, captured before we retrieved the users. Switch with a wildcard drives the matching and, if we match, we write the following details to the PowerShell host: UserPrincipalName with the ‘extensionAttribute’ and its value.

 

Here's the PowerShell:

 
#If we have an extenstionAttribute property then proceed with the user search
if ($ExtAttribute) {

    #Get all Azure AD users
    Get-AzureADUser -All $true | ForEach-Object {

        #Variable for current user
        $User = $_.UserPrincipalName

        #Variable for extension properties
        $ExtProperties = $_.ExtensionProperty

        #Check for presence of extension attribute
        switch -Wildcard ($ExtProperties.Keys) {

            "$ExtAttribute*" {Write-Output "$User,$($_.substring(43)),$($ExtProperties.Item($_))"}

        } #end switch

    } #end foreach-object

} #end if

 

Here's some sample output:

 

The 'Shell will also dump out where a user has more than one 'extensionAttribute' set: