Working with Extension Attributes Using Microsoft Graph

Introduction 

It is not possible to specify custom attributes for a user using the Azure portal for Azure AD (at least at the time of writing). Custom attributes (called extension attributes in Azure AD) for a user can only be set using Microsoft’s Graph API. Luckily, Microsoft makes it easy to use the API by using the Graph Explorer. You can sign into Graph Explorer with the same account details that you use to manage Azure AD in the portal. This will give you access to all the API methods without having to worry about authentication, as your signed in account will automatically be used. 

Working with custom attributes 

Once you have signed in, make a GET request to https://graph.microsoft.com/v1.0/applications. This will return all the applications registered on the Azure AD tenant. Within the list, find the application with the name aad-extensions-app. Do not modify. Used by AAD for storing user data. This is a special “application” created by Azure AD itself. When a user has custom attributes added to this application, those attributes are accessible by all users on the Azure AD tenant. Grab the Id of the application as well as the AppId as you need them both to create or modify custom attributes. For some reason, Azure AD has two different IDs for an application. There also doesn’t seem to be any pattern to which ID is used where. 

Getting extension attributes already created 

You can then get all the custom attributes that have already been created using the following URI: https://graph.microsoft.com/v1.0/applications/{id}/extensionProperties. 

The {id} should be replaced with the Id you copied previously. 

You’ll see the extension attributes take the format of extension_{AppId}_{extensionName} where AppId is the AppId of that special application we found earlier. However, in the GET URL, we use the normal Id of the application 🤷🏻‍♂️. 

Creating new extension attributes 

To create a new extension attribute, change the GET into a POST and use the same https://graph.microsoft.com/v1.0/applications/{id}/extensionProperties URL with the following header and request body. 

Content-Type: application/json 

{
    "name": "extensionName",
    "dataType": "string",
    "targetObjects": [
    "User"
    ]
}

You’ll see this creates an extension property using the extension_{AppId}_{extensionName} format. 

You can also issue a GET request, removing the body and header to see the new extension property in the list. 

Deleting an extension attribute 

To delete an extension attribute, append the Id of the extension attribute to the URL and change the verb to DELETE. If we use the LikesPizza example from above, the ID would be de49b6f2-07cd-443c-84ba-8f38e0b3e495. 

After making the request you should receive a 204 response code with nothing in the response body. 

If you execute the GET request again, you’ll see the extension property is no longer in the list. 

Setting an attribute on a user’s profile 

Before we can set the values for an extension attribute on a user, we first need to obtain the user’s ID. The easiest way to do this is by making a GET request to https://graph.microsoft.com/v1.0/users/ and finding the user in the list. 

To set the custom attribute on a user, you need to make a PATCH request to https://graph.microsoft.com/v1.0/users/{id} with the Content-Type header set to application/json and the following request body: 

{
  "extension_inputAppId_extensionName": "extensionValue"
}

You should receive a 204 response code and an empty response body. 

You can get the extension attributes for a user using the Graph API by making a GET request to https://graph.microsoft.com/v1.0/users/{id}?$select=displayName,extension_inputAppId_extensionName. Unfortunately, I haven’t found a way to list all extension attributes for a user. They need to be queried individually.