Configuring extension attributes for devices in Azure AD

As some of you might know already, Microsoft is currently previewing the Filters for devices functionality for Conditional access policies. Among the attributes supported by this feature, you will find listed good old extensionAttributeXX, so the question on how to set values for said attributes on devices objects pops up. This article will show you how.

TL;DR version – you have to use the Graph API. The Azure AD blade, MSOnline and Azure AD PowerShell modules currently do not support setting those attributes, and only the former will actually show any values you’re already configured (more on this later). Thus, to manage the extension attributes for devices, one needs to use a PATCH operation against the /devices/{id} Graph endpoint. Or use the Microsoft Graph “wrapper” module. Both the /v1.0 and /beta versions should do, even though documentation on this is hard to find.

Anyway, the steps are more or less as follows. First, get the objectID of the device you want to manage extension attributes for. While you are at it, you can also check the current values, by issuing a GET request against the /devices/{id} endpoint or the more specific /devices/{id}/extensionAttributes one. To change the value of specific attribute, say extensionAttribute10, change the request type to PATCH, make sure the endpoint is /devices/{id} and use a JSON payload in the following format:

    "extensionAttributes": {
        "extensionAttribute10": "bla bla bla"

Of course also make sure to have the necessary permissions, Device.ReadWrite.All or Directory.ReadWrite.All. Here’s how a full request will look like via the Graph explorer tool (PATCH

A 204 “No Content” response indicates success, so we’re all fine here. If needed, you can update multiple attributes in one go, adding the corresponding entries under the extensionAttributes group (or even update attributes other than extension ones). Then, you can simply run another GET request to verify the changes were successful (for example GET

Outside of the Graph API, said attributes are currently only exposed in the Azure AD blade. Go to the Devices tab, select the device in question and scroll all the way to the bottom of the page:

Do note that only a single attribute seems to be currently show by default, in case you’ve configured more than one, make sure to press the little “More” control on the bottom right (where “Less” is shown on the above”).

That’s pretty much all there is to it. If you are planning to use said attributes for the Device filter functionality, do make sure to read the documentation as caveats depending on the device state.

This entry was posted in Azure AD, Graph API, Microsoft 365, Office 365. Bookmark the permalink.

12 Responses to Configuring extension attributes for devices in Azure AD

  1. msftstg says:

    Currently getting the follow error when trying to post and not sure how to resolve:

    “error”: {
    “code”: “Authorization_RequestDenied”,
    “message”: “Insufficient privileges to complete the operation.”,

  2. darren says:

    If you set an extensionattribute value on-premise computer account, will that sync?

  3. Rahol says:


    I must using the select-profile command line to switch to Graph Beta version in my script so that the update-device command with -extentionsattribute parametrs works.

    Thanks again

  4. Matt says:

    If we had many AD registered devices that we wanted to update a extension attribute number with values, is there to do this in bulk instead of doing them one at a time?
    For instance, if we have a CSV file with device ID and the value we want to populate the extension attributes with, is there a way to upload that to Graph or through PowerShell?

    • Vasil Michev says:

      Sure, you can use the Graph API or the MG SDK /beta profile (Update-MgDevice -ExtensionAttributes)

      • Nick says:

        Is there a simple how to or script to bulk update the extension attributes. Input from a csv where the device ID’s and extension attributes are into?

        • Doug says:

          I’ve updated our AD Extension Attributes so that if/when AADConnect can sync these it will be handled by that instead. So the below assumes you have the Attributes in AD, have an App Registration in Azure for using the Graph API and have the Graph Module installed in PS.

  5. DH says:

    Thanks for this, I was searching everywhere and this is the only thing that worked! If you have any solution for setting these via Powershell, I’d love to see that. Thanks!

    • Vasil Michev says:

      You should be able to use the Update-MgDevice from the Graph SDK… but that’s a wrapper for the Graph calls above anyway.

      • Rahol says:

        The Update-MgDevice that work only with devices enrolled into Microsoft Intune

        • Vasil Michev says:

          No it does not only work with Intune enrolled devices, there are plenty of properties you can update without it being enrolled, including said extension attributes.

          $hash = @{}
          $hash["ExtensionAttribute12"] = "a"
          Update-MgDevice -DeviceId 26ce1385-406c-4b4a-b55b-778191f23e16 -ExtensionAttributes $hash
          (Get-MgDevice -top 1).ExtensionAttributes
          ExtensionAttribute1 ExtensionAttribute10 ExtensionAttribute11 ExtensionAttribute12
          ------------------- -------------------- -------------------- -------------------- 
                              bla bla bla          bla bla bla          a

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.