Azure Identity And Access Management Part 4 – Azure Active Directory – Create Azure AD Extension Attribute Using PowerShell
Thanks for your responses to our last article, Create Custom Directory Role & Assign Role using PowerShell. Today we continue the series with another very useful Azure Active Directory feature: the directory extension attribute.
If you missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Azure Active Directory Extension Attribute :
Azure AD directory extensions let us add custom properties (custom attributes) to a few directory object types without needing an external data store, and store values in those attributes per object. The extension property definitions, and the values held in them, can be created, read, updated and deleted through the Microsoft Graph API or through PowerShell. In effect, directory extensions let us extend the Azure Active Directory (Azure AD) schema with our own attributes. Two practical caveats: an extension property is owned by an application, so deleting that application (or the property) also discards every value stored in it; and the values are ordinary directory attributes, readable by whoever can read the object they sit on, so they are not a place for secrets.
Supported Azure AD Object Types :
Extension attributes offer a convenient way to extend our Azure AD directory with new attributes that we can use to store attribute values for objects in our directory. We can attach an extension attribute to the following object types:
- users
- tenant details
- devices
- applications
- service principals
Extension properties are registered on an Application object within the developer’s directory. After the application has been consented to by a user or an admin in the developer’s directory, the property is added to the target directory type and becomes immediately accessible in the developer’s directory. For a multi-tenant application, when the application is granted consent by a user or an admin in another organization, the extension properties become immediately accessible on the target directory type in the other organization’s directory. ( Content from MS documents)
Supported Data Types :
The following data types are supported when we create a new extension attribute (they are the allowed values of the -DataType parameter of New-AzureADApplicationExtensionProperty):
- Binary
- Boolean
- DateTime
- Integer
- LargeInteger
- String
Example Scenario :
Consider a scenario in which the company MSTechs Knowledge Junction has offices in different locations across the country, and the company decides to apply a different rule to employees working in the Pune office. To achieve this, the company creates a new String-type extension attribute, "MSTechsLocation", and sets it on every employee in Azure AD. The office then creates a dynamic group whose membership rule selects all employees whose MSTechsLocation value is Pune.
Here I have used PowerShell to create and populate the directory extension attribute. A link to download the complete PowerShell script is at the end of this article. So let's start.
1 . Install and import the AzureADPreview module, then connect to Azure AD with Connect-AzureAD. (The AzureAD and AzureADPreview modules are deprecated in favour of the Microsoft Graph PowerShell SDK, but the cmdlets below still show the flow clearly.)
2 . As discussed, an extension property must be created for a specific application, or for a placeholder application. Let's create a new application, "MSTechs Knowledge Junction", using the New-AzureADApplication PowerShell cmdlet as shown in the following figure.
3 . In the above figure we can see that no service principal has been created for the application. We could create it from the portal by clicking the Create Service Principal link shown in the figure; instead, let's create a new service principal for the application using the New-AzureADServicePrincipal PowerShell cmdlet, as shown in the following figure.
4 . Now we have our application, for which we will create a new directory extension, "MSTechsLocation". New-AzureADApplicationExtensionProperty creates the extension property, as shown in the following figure; the -DataType is String and -TargetObjects is User, because the value is to be stored on user objects.
5 . In the above figure, the name of the extension property includes the AppId of the application with its hyphens (-) removed: the full name is extension_{AppId without hyphens}_{property name}. If we need to construct the exact name ourselves, we strip the hyphens from the AppId with -replace '-', '' and assemble the name as shown in the following figure. The value returned in the Name property of the new extension is the authoritative form; comparing our constructed name against it is a cheap check that we used the right AppId.
6 . Now it is time to set the new extension property on a user with the required value, using the Set-AzureADUserExtension cmdlet as shown in the following figure. Get-AzureADUserExtension reads the values back, keyed by the full extension name.
7 . Now the user carries a value in the extension property. The same value is also exposed through the Microsoft Graph API, where it appears on the user object as a property named extension_{AppId without hyphens}_MSTechsLocation, so it can be used wherever required.
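The steps above, collected into one script, as an added example written for this article (it is not the author's downloadable script). It assumes the AzureADPreview module is installed, that the signed-in account may create applications and groups, and uses placeholder names for the application, the user (jane.doe@contoso.com) and the group; it goes one step beyond the walkthrough by also creating the dynamic group from the scenario, whose membership rule references the new attribute by its full extension_ name.

```powershell
# Added example, not the article's script. Names below are placeholders.
Import-Module AzureADPreview
Connect-AzureAD   # interactive sign-in; the account must be able to create apps and groups

$appName  = 'MSTechs Knowledge Junction'
$extName  = 'MSTechsLocation'
$userUpn  = 'jane.doe@contoso.com'      # assumption: any existing user in the tenant
$location = 'Pune'

# 1. Placeholder application: every extension property is owned by an application.
$app = Get-AzureADApplication -Filter "DisplayName eq '$appName'"
if (-not $app) {
    $app = New-AzureADApplication -DisplayName $appName
}

# 2. Service principal, so the application exists as an identity in this tenant.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $app.AppId
}

# 3. Define the String extension property targeting User objects (idempotent).
$ext = Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId |
       Where-Object { $_.Name -like "*_$extName" }
if (-not $ext) {
    $ext = New-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId `
               -Name $extName -DataType 'String' -TargetObjects 'User'
}

# 4. The directory name is extension_{AppId without hyphens}_{Name}.
#    Building it ourselves and comparing with $ext.Name catches a wrong AppId early.
$fullName = 'extension_{0}_{1}' -f ($app.AppId -replace '-', ''), $extName
if ($fullName -ne $ext.Name) { throw "Unexpected extension name: $($ext.Name)" }

# 5. Write the value on the user, then read it back to confirm it persisted.
$user = Get-AzureADUser -ObjectId $userUpn
Set-AzureADUserExtension -ObjectId $user.ObjectId -ExtensionName $fullName -ExtensionValue $location
$stored = (Get-AzureADUserExtension -ObjectId $user.ObjectId)[$fullName]
if ($stored -ne $location) { throw "Extension value not persisted for $userUpn" }

# 6. Dynamic group from the scenario: membership rule keyed on the new attribute.
$rule = "(user.$fullName -eq `"$location`")"
New-AzureADMSGroup -DisplayName "MSTechs-$location" `
    -MailEnabled $false -SecurityEnabled $true `
    -MailNickname "mstechs$($location.ToLower())" `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule -MembershipRuleProcessingState 'On'
```

The Get-/Where-Object guards before each New- cmdlet make the script safe to re-run: a second New-AzureADApplicationExtensionProperty with the same name fails, and a second New-AzureADApplication would silently create a duplicate application that owns no extension at all. Dynamic membership is evaluated asynchronously, so the group populates a little after the rule is saved rather than immediately.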
Few More Useful Power-Shell Commands on Extension Property :
Remove-AzureADApplicationExtensionProperty : Removes an application extension property. Note that this also removes the values stored in that property on every object, so take an export first if the data matters.
Get-AzureADApplicationExtensionProperty : Gets the extension properties registered on an application in Azure Active Directory, including their full extension_ names and target object types.
The complete script can be found here to download.
Please let me know if I missed anything important. In my next article we will continue with one more feature of Azure Active Directory.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .