As some of you might know already, Microsoft is currently previewing the Filters for devices functionality for Conditional access policies. Among the attributes supported by this feature, you will find listed good old extensionAttributeXX, so the question of how to set values for said attributes on device objects pops up. This article will show you how.
TL;DR version – you have to use the Graph API. The Azure AD blade, MSOnline and Azure AD PowerShell modules currently do not support setting those attributes, and only the former will actually show any values you’ve already configured (more on this later). Thus, to manage the extension attributes for devices, one needs to use a PATCH operation against the /devices/{id} Graph endpoint. Or use the Microsoft Graph “wrapper” module. Both the /v1.0 and /beta versions should do, even though documentation on this is hard to find.
Anyway, the steps are more or less as follows. First, get the objectID of the device you want to manage extension attributes for. While you are at it, you can also check the current values by issuing a GET request against the /devices/{id} endpoint or the more specific /devices/{id}/extensionAttributes one. To change the value of a specific attribute, say extensionAttribute10, change the request type to PATCH, make sure the endpoint is /devices/{id} and use a JSON payload in the following format:
{ "extensionAttributes": { "extensionAttribute10": "bla bla bla" } }
Of course, also make sure you have the necessary permissions: Device.ReadWrite.All or Directory.ReadWrite.All. Here’s what a full request looks like via the Graph explorer tool (PATCH https://graph.microsoft.com/v1.0/devices/26ce1385-406c-4b4a-b55b-778191f23e16):
A 204 “No Content” response indicates success, so we’re all fine here. If needed, you can update multiple attributes in one go, adding the corresponding entries under the extensionAttributes group (or even update attributes other than extension ones). Then, you can simply run another GET request to verify the changes were successful (for example GET https://graph.microsoft.com/v1.0/devices/26ce1385-406c-4b4a-b55b-778191f23e16/extensionAttributes):
Outside of the Graph API, said attributes are currently only exposed in the Azure AD blade. Go to the Devices tab, select the device in question and scroll all the way to the bottom of the page:
Do note that only a single attribute seems to be shown by default. In case you’ve configured more than one, make sure to press the little “More” control on the bottom right (where “Less” is shown on the above).
That’s pretty much all there is to it. If you are planning to use said attributes for the Device filter functionality, do make sure to read the documentation, as there are caveats depending on the device state.
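The steps above as one PowerShell helper (an added example, not code from the original article): it accepts only extensionAttribute1 through extensionAttribute15, sends the PATCH, then reads the device back and reports requested versus stored values, which matters when these attributes feed Conditional Access device filters. The function name Set-DeviceExtensionAttribute, the CSV layout and the placeholder object IDs are assumptions made for illustration.

```powershell
# Added example (not from the original article). Needs the Microsoft.Graph.Authentication
# module and a session from: Connect-MgGraph -Scopes 'Device.ReadWrite.All'
function Set-DeviceExtensionAttribute {      # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid]$ObjectId,        # the device's objectID
        [Parameter(Mandatory)][hashtable]$Attributes  # attribute name -> value
    )
    # Only extensionAttribute1..15 are accepted, so a typo in the input cannot
    # turn into a PATCH of some other device property.
    foreach ($name in $Attributes.Keys) {
        if ($name -cnotmatch '^extensionAttribute([1-9]|1[0-5])$') {
            throw "Not a device extension attribute: $name"
        }
    }
    $uri  = "https://graph.microsoft.com/v1.0/devices/$ObjectId"
    $body = @{ extensionAttributes = $Attributes } | ConvertTo-Json -Depth 3

    if (-not $PSCmdlet.ShouldProcess($uri, "PATCH $body")) { return }

    # Success is 204 No Content; an error status makes the cmdlet throw.
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json' | Out-Null

    # Read the device back and report requested vs. stored value per attribute.
    $stored = (Invoke-MgGraphRequest -Method GET -Uri $uri).extensionAttributes
    foreach ($name in $Attributes.Keys) {
        [pscustomobject]@{
            ObjectId  = $ObjectId
            Attribute = $name
            Requested = $Attributes[$name]
            Stored    = $stored.$name
            Match     = ($Attributes[$name] -eq $stored.$name)
        }
    }
}

# Constructed sample input: one row per device, placeholder object IDs.
$rows = @'
ObjectId,Attribute,Value
00000000-0000-0000-0000-000000000001,extensionAttribute10,bla bla bla
00000000-0000-0000-0000-000000000002,extensionAttribute1,kiosk
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    # -WhatIf prints the request without sending it; remove it to apply.
    Set-DeviceExtensionAttribute -ObjectId $row.ObjectId -Attributes @{ ($row.Attribute) = $row.Value } -WhatIf
}
```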
Thanks for this, it helped me a lot. Do you have any guidance on how to set an extension attribute to null or remove it entirely from a device?
Thanks
In theory, this should work:
In practice, it looks like the endpoint doesn’t properly handle null values.
Yeah, that’s the issue I was seeing. Glad it’s not just me! Thanks for your help Vasil
NULL doesn’t work… just apply "" and it seems to work now 😉
# Empty string instead of $null
$Attributes = @{
    "extensionAttributes" = @{
        "extensionAttribute1" = ""
    }
} | ConvertTo-Json
Update-MgDevice -DeviceId $DeviceId -BodyParameter $Attributes
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1823
They actually fixed it now, you can PATCH null values via direct API calls. PowerShell has its own issues with null values, but that’s what you get from the lazy approach of using AutoREST instead of properly crafted cmdlets…
Currently getting the following error when trying to post and not sure how to resolve:
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
If you set an extensionattribute value on an on-premise computer account, will that sync?
Afaik no, at least not currently.
Hello,
I must use the select-profile command line to switch to the Graph Beta version in my script so that the update-device command with the -extentionsattribute parameters works.
Thanks again
If we had many AD registered devices that we wanted to update an extension attribute number with values, is there a way to do this in bulk instead of doing them one at a time?
For instance, if we have a CSV file with device ID and the value we want to populate the extension attributes with, is there a way to upload that to Graph or through PowerShell?
Sure, you can use the Graph API or the MG SDK /beta profile (Update-MgDevice -ExtensionAttributes)
Is there a simple how-to or script to bulk update the extension attributes, with input from a CSV that contains the device IDs and extension attributes?
I’ve updated our AD Extension Attributes so that if/when AADConnect can sync these it will be handled by that instead. So the below assumes you have the Attributes in AD, have an App Registration in Azure for using the Graph API and have the Graph Module installed in PS.
Thanks for this, I was searching everywhere and this is the only thing that worked! If you have any solution for setting these via Powershell, I’d love to see that. Thanks!
You should be able to use the Update-MgDevice from the Graph SDK… but that’s a wrapper for the Graph calls above anyway.
The Update-MgDevice works only with devices enrolled into Microsoft Intune
No it does not only work with Intune enrolled devices, there are plenty of properties you can update without it being enrolled, including said extension attributes.