There may be a scenario where the environment has users synced to Azure AD from the local Active Directory, while the mailboxes are created directly in Exchange Online with no hybrid configured, which is the usual starting point for new businesses.
Usually developers, when customizing the login experience for different business units in their application, consume the local AD extension attributes, and this works fine for fully on-premises environments.
If Exchange is installed in the environment, the Active Directory schema is extended to include the user extension attributes in the Exchange mailbox properties.
There is another option: using the Exchange Server install media to extend only the local Active Directory schema. Usually this option is not recommended. Doing this would add the Exchange attributes to the local Active Directory; these attributes could then be set, and Azure AD Sync configured to sync them to Office 365. This option requires a lot of testing, and there is always risk associated with AD schema changes.
Even in a hybrid setup these values get populated in Exchange Online for all users via the Exchange hybrid configuration.
The third scenario is where we do not have an Exchange hybrid and the developer is using Azure AD via the Graph API, expecting these values to be present in Azure AD for the customization. In this case we have a better option: extend these values through Azure AD Connect by running the wizard again and selecting only the required AD extension attributes.
Run Azure AD Connect, sign in to Azure AD with global admin credentials, and select Customize synchronization options.
Select Directory extension attribute sync.
Here we have the option to choose the local Active Directory attributes. In our case we are selecting the two attributes extensionAttribute7 and extensionAttribute8.
Once done, go ahead and click Configure.
Usually these steps are enough, but in this case we also did a directory schema refresh.
We selected the directory to refresh.
Then we went to the local Active Directory and populated extensionAttribute8 for one user.
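The on-premises side of the steps above, as an added PowerShell example that is not part of the original post: it writes extensionAttribute8 for a test user, checks that the attribute is actually in the AD connector's attribute inclusion list (which is what the wizard selection adds), and then starts a delta sync. It assumes the RSAT ActiveDirectory module is installed, that the script runs on the Azure AD Connect server where the ADSync module lives, and that the user name "jdoe" and the value "BusinessUnit-B" are placeholders you replace with your own.

```powershell
# Added example (not from the original post): populate extensionAttribute8 in the
# local AD for one user and trigger an Azure AD Connect delta sync.
# Assumptions: RSAT ActiveDirectory module present, running on the Azure AD
# Connect server (ADSync module), and "jdoe" / "BusinessUnit-B" are placeholders.
Import-Module ActiveDirectory
Import-Module ADSync

$sam   = 'jdoe'              # placeholder sAMAccountName of the test user
$value = 'BusinessUnit-B'    # placeholder value the application will read

# -Replace overwrites any existing value. extensionAttribute8 is single-valued,
# so -Add would fail with a constraint violation if a value were already there.
Set-ADUser -Identity $sam -Replace @{ extensionAttribute8 = $value }

# Read it back on-prem before expecting it to show up in Azure AD.
$onPrem = Get-ADUser -Identity $sam -Properties extensionAttribute7, extensionAttribute8
"On-prem extensionAttribute8 = $($onPrem.extensionAttribute8)"

# The wizard's "Directory extension attribute sync" selection adds the chosen
# attributes to the AD connector's inclusion list; if they are missing here the
# values will never leave the on-prem forest, no matter how often you sync.
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$included = $adConnector.AttributeInclusionList | Where-Object { $_ -like 'extensionAttribute*' }
"Extension attributes included by the AD connector: $($included -join ', ')"

# Never start a second cycle while one is already running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    'A sync cycle is already in progress; wait for it to finish and retry.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

A delta sync only exports objects whose attributes changed since the last cycle, so after the cycle finishes the single test user is the only one you need to inspect in Azure AD.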
Once the sync has completed we can verify whether the value is populated in Azure AD via Graph Explorer.
Log in to Graph Explorer from the URL below.
We can log in with any valid credentials from your tenant.
We will be asked for admin consent, which needs to be granted based on the requirement.
Run the query below.
This reads the on-premises attributes (mail, jobTitle, companyName and onPremisesExtensionAttributes) using the Graph API. You should see extensionAttribute8 under onPremisesExtensionAttributes, which is the attribute being used currently.
In our case we can see the extensionAttribute8 value, which has been synced and is available in Azure AD.
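The same verification as a script, so it can be repeated after every sync instead of clicking through Graph Explorer. This is an added PowerShell example, not code from the original post: it runs the same GET /users/{upn} request with the $select shown above through the Microsoft Graph PowerShell SDK and compares onPremisesExtensionAttributes.extensionAttribute8 against the value written on-prem. It assumes the Microsoft.Graph SDK is installed, that User.Read.All is the consent the admin grants, and that "jdoe@contoso.com" and "BusinessUnit-B" are placeholders for your own values.

```powershell
# Added example (not from the original post): read the synced user through
# Microsoft Graph and verify extensionAttribute8 arrived in Azure AD.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the UPN and expected
# value below are placeholders.
Import-Module Microsoft.Graph.Authentication

$upn      = 'jdoe@contoso.com'   # placeholder UPN of the synced user
$expected = 'BusinessUnit-B'     # placeholder value that was set on-prem

# User.Read.All is the delegated permission needed to read other users'
# properties; an admin grants it once for the tenant (the consent prompt).
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Same request Graph Explorer runs. The backtick stops PowerShell from
# expanding "$select" as a variable inside the double-quoted string.
$uri = "https://graph.microsoft.com/v1.0/users/$upn" +
       "?`$select=mail,jobTitle,companyName,onPremisesExtensionAttributes"
$user = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable

$actual = $user.onPremisesExtensionAttributes.extensionAttribute8

# Show the fields the application will consume.
[pscustomobject]@{
    mail                = $user.mail
    jobTitle            = $user.jobTitle
    companyName         = $user.companyName
    extensionAttribute8 = $actual
}

if ($actual -eq $expected) {
    'OK: extensionAttribute8 has synced to Azure AD.'
} elseif ([string]::IsNullOrEmpty($actual)) {
    'Not synced yet: the attribute is empty in Azure AD. Check that a delta sync has run and that the attribute is in the AD connector inclusion list.'
} else {
    "Mismatch: Azure AD has '$actual' but expected '$expected'."
}
```

If the value is empty under onPremisesExtensionAttributes, also look at the user object for a property named extension_<appId>_extensionAttribute8 (with your tenant's Azure AD Connect application id in place of <appId>), because that is the name under which Azure AD exposes attributes registered as directory extensions by the wizard; an application reading the value must use whichever of the two names the tenant actually populates.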
Using the directory extension option in Azure AD Connect achieves this task in a much simpler way.
Thanks & Regards