Configuring extension attributes for devices in Azure AD

As some of you might know already, Microsoft is currently previewing the Filters for devices functionality for Conditional Access policies. Among the attributes supported by this feature you will find good old extensionAttributeXX, so the question of how to set values for said attributes on device objects pops up. This article will show you how.

TL;DR version – you have to use the Graph API. The Azure AD blade, the MSOnline module and the Azure AD PowerShell module currently do not support setting those attributes, and only the blade will actually show any values you’ve already configured (more on this later). Thus, to manage the extension attributes for devices, one needs to use a PATCH operation against the /devices/{id} Graph endpoint, or use the Microsoft Graph “wrapper” module. Both the /v1.0 and /beta versions should do, even though documentation on this is hard to find.

Anyway, the steps are more or less as follows. First, get the objectID of the device you want to manage extension attributes for. While you are at it, you can also check the current values by issuing a GET request against the /devices/{id} endpoint or the more specific /devices/{id}/extensionAttributes one. To change the value of a specific attribute, say extensionAttribute10, change the request type to PATCH, make sure the endpoint is /devices/{id}, and use a JSON payload in the following format:

{
    "extensionAttributes": {
        "extensionAttribute10": "bla bla bla"
    }
}

Of course, also make sure you have the necessary permissions, Device.ReadWrite.All or Directory.ReadWrite.All. Here’s how a full request looks in the Graph Explorer tool (PATCH https://graph.microsoft.com/v1.0/devices/26ce1385-406c-4b4a-b55b-778191f23e16):

A 204 “No Content” response indicates success, so we’re all fine here. If needed, you can update multiple attributes in one go by adding the corresponding entries under the extensionAttributes group (or even update attributes other than the extension ones). Then, you can simply run another GET request to verify the changes were successful (for example GET https://graph.microsoft.com/v1.0/devices/26ce1385-406c-4b4a-b55b-778191f23e16/extensionAttributes):
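The PATCH-then-GET sequence above, as a small Python client. This is an added example, not code from the post or from Microsoft: it assumes you already hold a bearer token issued with Device.ReadWrite.All (or Directory.ReadWrite.All), builds the same JSON body shown above, checks for the 204 response, and reads the values back from /devices/{id}/extensionAttributes. The object id is the one used in the post; the `fake_send` transport in the demo is a constructed stand-in so the script runs offline.

```python
"""Set and read Azure AD device extension attributes through Microsoft Graph."""
import json
import re
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Device objects expose exactly extensionAttribute1 .. extensionAttribute15.
_ATTR_RE = re.compile(r"^extensionAttribute(?:[1-9]|1[0-5])$")
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_patch_body(values):
    """Build the JSON body for PATCH /devices/{id}.

    Only extensionAttribute1..15 are accepted, so a typo or an unrelated
    property is never pushed to the device object by accident. A value of
    None clears the attribute (Graph stores it as null).
    """
    if not values:
        raise ValueError("no extension attributes supplied")
    clean = {}
    for name, value in values.items():
        if not _ATTR_RE.match(name):
            raise ValueError(f"not a device extension attribute: {name!r}")
        if value is not None and not isinstance(value, str):
            raise TypeError(f"{name} must be a string or None")
        clean[name] = value
    return {"extensionAttributes": clean}


def device_url(device_id, suffix=""):
    """Return the Graph URL for a device; the id must be the object id (a GUID)."""
    if not _GUID_RE.match(device_id):
        raise ValueError("device_id must be the device object id (a GUID)")
    return f"{GRAPH_BASE}/devices/{device_id}{suffix}"


def _send(method, url, token, body=None):
    """Minimal HTTP transport on the standard library; returns (status, bytes)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def set_extension_attributes(device_id, values, token, send=_send):
    """PATCH the attributes; Graph answers 204 No Content on success."""
    status, _ = send("PATCH", device_url(device_id), token, build_patch_body(values))
    if status != 204:
        raise RuntimeError(f"PATCH failed with HTTP {status}")
    return status


def get_extension_attributes(device_id, token, send=_send):
    """GET /devices/{id}/extensionAttributes and return only the attributes that are set."""
    status, raw = send("GET", device_url(device_id, "/extensionAttributes"), token)
    if status != 200:
        raise RuntimeError(f"GET failed with HTTP {status}")
    data = json.loads(raw)
    # Graph lists all fifteen attributes, unset ones as null; drop those and the
    # @odata.context annotation so the caller sees just the configured values.
    return {k: v for k, v in data.items()
            if k.startswith("extensionAttribute") and v is not None}


if __name__ == "__main__":
    # Offline demonstration with a constructed stand-in transport; drop the
    # send=fake_send argument to talk to the real tenant with a real token.
    def fake_send(method, url, token, body=None):
        print(method, url, json.dumps(body) if body else "")
        if method == "PATCH":
            return 204, b""
        return 200, (b'{"@odata.context": "constructed", "extensionAttribute1": null, '
                     b'"extensionAttribute10": "bla bla bla"}')

    device = "26ce1385-406c-4b4a-b55b-778191f23e16"  # object id from the post
    set_extension_attributes(device, {"extensionAttribute10": "bla bla bla"},
                             "<token>", send=fake_send)
    print(get_extension_attributes(device, "<token>", send=fake_send))
```

Two design points: the body builder refuses anything outside extensionAttribute1..15, so the broader write the endpoint allows (other device properties) cannot happen by accident from this helper, and the object id is checked to be a GUID before it is placed in the URL path. When requesting the token, prefer Device.ReadWrite.All over Directory.ReadWrite.All; both satisfy the call, but the former grants far less.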

Outside of the Graph API, said attributes are currently only exposed in the Azure AD blade. Go to the Devices tab, select the device in question and scroll all the way to the bottom of the page:

Do note that only a single attribute seems to be shown by default; in case you’ve configured more than one, make sure to press the little “More” control on the bottom right (where “Less” is shown above).

That’s pretty much all there is to it. If you are planning to use said attributes for the device filter functionality, do make sure to read the documentation, as there are caveats depending on the device state.
