I’ve been playing recently on try to figure out how I can extend the Azure AD Schema for my tenant.
In my endeavor, I have come across (till now) two way to do it:
- Using AADConnect and selecting directory extension to create the attribute in AzureAD in the form of “extension_{AppClientId}_{attributeName}“. This method works only if I have the custom attribute already in my on prem AD.
- Using Graph API to create it directly in Azure AD
Will expand on point 2 in this post. In our scenario, we have some custom attributes which are stored in AD LDS. For security and other reasons we didn’t want those attributes to be in our AD.
Goal
Create custom attributes in Azure AD when they are not available to be done via AADConnect Interface
Solution
- Whenever AADConnect is installed for your tenant, it creates an app called “Tenant Schema Extension App”. You can find it in Azure Portal AAD Blade.
- Click on the App and note its “Object ID”
- Open https://graphexplorer.azurewebsites.net/
- Login with the credentials which have write access to AAD (Global Admin or sorts).
- In the main window select GET and put in the following URL :
https://graph.windows.net/myorganization/applications/<ObjectID>
You will see the App details in the window
- To look at its extensionProperties (which shows the custom attributes created) goto the following link
https://graph.windows.net/myorganization/applications/<ObjectID>/extensionProperties
As you would see that it has some custom attributes I have created. The “name” tag has the attribute name with is “extension_{AppClientId}_{attributeName}“.
- To create a new attribute change the GET to POST and put in the following code to create a new attribute called “newAttribute”
|
{ "name": "newAttribute", "dataType": "String", "targetObjects": [ "User" ] } |
- Press GO and it will create the new attribute for you
There you go. newAttribute is created and your schema has been extended in Azure AD. You can simply delete that by changing the type to DELETE and putting the URL
https://graph.windows.net/myorganization/applications/<ObjectID of App>/extensionProperties/<ObjectID of attribute>
Limitations
Now here is the bummer. For my scenario I thought when I do then and “Refresh Schema” in AADConnect for AzureAD MA, it will be visible and then I can create custom rules and flows from AD LDS (via Generic LDAP MA). BUT you still can’t see it (tested as of v1.1.524.0) . Microsoft says that this is as per design at the moment. They are thinking of future enhancements or even integrating AD LDS as an option in GUI.
Moreover, if you had directory extension done even by using the GUI (using custom attributes from AD), and you do a refresh schema – it looses those as well saying
The Attribute ‘extension_<GUID>_customAttribute’ could not be located in the schema.
I call this a bug rather than design.
Well, in the end, I couldn’t get to reach my end goal (provisioning values from AD LDS to AzureAD via custom schema) but atleast got there half way and understood how to create custom Attributes in Azure AD via Graph API.
There is more cool stuff you can do with graphAPI and for the people who are hardcore programmers.. not me atm.. Hit up the links below..
References
Like this:
Like Loading...