Configuring extension attributes for devices in Azure AD

As some of you might know already, Microsoft is currently previewing the Filters for devices functionality for Conditional Access policies. Among the attributes supported by this feature, you will find listed good old extensionAttributeXX, so the question of how to set values for said attributes on device objects pops up. This article will show you how.

TL;DR version – you have to use the Graph API. The Azure AD blade, MSOnline and Azure AD PowerShell modules currently do not support setting those attributes, and only the former will actually show any values you’ve already configured (more on this later). Thus, to manage the extension attributes for devices, one needs to use a PATCH operation against the /devices/{id} Graph endpoint, or use the Microsoft Graph “wrapper” module. Both the /v1.0 and /beta versions should do, even though documentation on this is hard to find.

Anyway, the steps are more or less as follows. First, get the objectID of the device you want to manage extension attributes for. While you are at it, you can also check the current values by issuing a GET request against the /devices/{id} endpoint or the more specific /devices/{id}/extensionAttributes one. To change the value of a specific attribute, say extensionAttribute10, change the request type to PATCH, make sure the endpoint is /devices/{id} and use a JSON payload in the following format:

{
    "extensionAttributes": {
        "extensionAttribute10": "bla bla bla"
    }
}

Of course, also make sure you have the necessary permissions, Device.ReadWrite.All or Directory.ReadWrite.All. Here’s what a full request looks like via the Graph explorer tool (PATCH https://graph.microsoft.com/v1.0/devices/26ce1385-406c-4b4a-b55b-778191f23e16):

A 204 “No Content” response indicates success, so we’re all fine here. If needed, you can update multiple attributes in one go by adding the corresponding entries under the extensionAttributes group (or even update attributes other than extension ones). Then, you can simply run another GET request to verify the changes were successful (for example GET https://graph.microsoft.com/v1.0/devices/26ce1385-406c-4b4a-b55b-778191f23e16/extensionAttributes):

Outside of the Graph API, said attributes are currently only exposed in the Azure AD blade. Go to the Devices tab, select the device in question and scroll all the way to the bottom of the page:

Do note that only a single attribute seems to be shown by default; in case you’ve configured more than one, make sure to press the little “More” control at the bottom right (where “Less” is shown in the screenshot above).

That’s pretty much all there is to it. If you are planning to use said attributes for the Device filter functionality, do make sure to read the documentation, as there are caveats depending on the device state.
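As an added example (not code from the original post), here is a PowerShell function that wraps the PATCH and verification GET described above using the Microsoft Graph SDK's Invoke-MgGraphRequest. It assumes the Microsoft.Graph module is installed and the signed-in account holds Device.ReadWrite.All; the function name Set-DeviceExtensionAttribute is my own.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in account holds Device.ReadWrite.All (or Directory.ReadWrite.All).
Connect-MgGraph -Scopes "Device.ReadWrite.All"

function Set-DeviceExtensionAttribute {
    param(
        # The object id of the device (as shown in the Azure AD blade), not its deviceId
        [Parameter(Mandatory)] [string] $DeviceObjectId,
        # e.g. @{ extensionAttribute10 = 'bla bla bla' }; use $null as a value to clear an attribute
        [Parameter(Mandatory)] [hashtable] $Attributes
    )
    # Only extensionAttribute1..15 exist on the device object; reject anything else before calling
    # Graph, and normalise the key to the camelCase name the API expects
    $payload = @{}
    foreach ($name in $Attributes.Keys) {
        if ($name -match '^extensionAttribute([1-9]|1[0-5])$') {
            $payload["extensionAttribute$($Matches[1])"] = $Attributes[$name]
        } else {
            throw "Unsupported attribute name: $name"
        }
    }
    $uri  = "https://graph.microsoft.com/v1.0/devices/$DeviceObjectId"
    # Serialise the body ourselves so that $null survives as a JSON null in the payload
    $body = @{ extensionAttributes = $payload } | ConvertTo-Json -Depth 3

    # A successful PATCH returns 204 No Content; check the status code rather than the (empty) body
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json' `
        -StatusCodeVariable status | Out-Null
    if ($status -ne 204) { throw "Unexpected status $status from PATCH $uri" }

    # Read the attributes back so the caller can confirm the change actually landed
    Invoke-MgGraphRequest -Method GET -Uri "$uri/extensionAttributes" -OutputType PSObject
}

# Usage: the object id is the one from the post; replace it with a device in your own tenant
$result = Set-DeviceExtensionAttribute -DeviceObjectId '26ce1385-406c-4b4a-b55b-778191f23e16' `
    -Attributes @{ extensionAttribute10 = 'bla bla bla'; extensionAttribute11 = $null }
$result | Select-Object extensionAttribute10, extensionAttribute11
```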

20 thoughts on “Configuring extension attributes for devices in Azure AD”

  1. David says:

    Thanks for this, it helped me a lot. Do you have any guidance on how to set an extension attribute to null or remove it entirely from a device?

    Thanks

    Reply
    1. Vasil Michev says:

      In theory, this should work:

      {
          "extensionAttributes": {
              "extensionAttribute10": null
          }
      }

      In practice, it looks like the endpoint doesn’t properly handle null values.

      Reply
      1. David says:

        Yeah, that’s the issue I was seeing. Glad it’s not just me! Thanks for your help, Vasil

        Reply
        1. Vasil Michev says:

          They actually fixed it now, you can PATCH null values via direct API calls. PowerShell has its own issues with null values, but that’s what you get from the lazy approach of using AutoREST instead of properly crafted cmdlets…

  2. msftstg says:

    Currently getting the following error when trying to post and not sure how to resolve:

    "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",

    Reply
  3. darren says:

    If you set an extensionAttribute value on an on-premises computer account, will that sync?

    Reply
  4. Rahol says:

    Hello,

    I had to use the select-profile command in my script to switch to the Graph beta version so that the update-device command with the -extensionattributes parameter works.

    Thanks again

    Reply
  5. Matt says:

    If we had many AD registered devices that we wanted to update an extension attribute with values, is there a way to do this in bulk instead of doing them one at a time?
    For instance, if we have a CSV file with device ID and the value we want to populate the extension attributes with, is there a way to upload that to Graph or through PowerShell?

    Reply
    1. Vasil Michev says:

      Sure, you can use the Graph API or the MG SDK /beta profile (Update-MgDevice -ExtensionAttributes)

      Reply
      1. Nick says:

        Is there a simple how-to or script to bulk update the extension attributes? Input from a CSV where the device IDs and extension attributes are?

        Reply
        1. Doug says:

          I’ve updated our AD Extension Attributes so that if/when AADConnect can sync these it will be handled by that instead. So the below assumes you have the Attributes in AD, have an App Registration in Azure for using the Graph API and have the Graph Module installed in PS.

  6. DH says:

    Thanks for this, I was searching everywhere and this is the only thing that worked! If you have any solution for setting these via Powershell, I’d love to see that. Thanks!

    Reply
    1. Vasil Michev says:

      You should be able to use the Update-MgDevice from the Graph SDK… but that’s a wrapper for the Graph calls above anyway.

      Reply
      1. Rahol says:

        Update-MgDevice only works with devices enrolled into Microsoft Intune

        Reply
        1. Vasil Michev says:

          No it does not only work with Intune enrolled devices, there are plenty of properties you can update without it being enrolled, including said extension attributes.

          $hash = @{}
          $hash["ExtensionAttribute12"] = "a"
          
          Update-MgDevice -DeviceId 26ce1385-406c-4b4a-b55b-778191f23e16 -ExtensionAttributes $hash
          (Get-MgDevice -top 1).ExtensionAttributes
          
          ExtensionAttribute1 ExtensionAttribute10 ExtensionAttribute11 ExtensionAttribute12
          ------------------- -------------------- -------------------- -------------------- 
                              bla bla bla          bla bla bla          a
