Custom Attributes in Entra ID -- Decision Tree

This article is the eighth in a series about Custom Attributes in Entra ID and steps through the decision tree, which I hope will be the definitive guide to which way to store custom data in Entra ID.

Series: Names and aliases; Naming Conventions; Resource Types; Data Types; Lifecycle; Limitations; Use Cases; Decision Tree

The first question in the tree: Is this custom data intended for Enterprise Applications or Managed Identities (both of which are of the servicePrincipal resource type)?
Custom Attributes in Entra ID -- Use Cases

This article is the seventh in a series about Custom Attributes in Entra ID and discusses the use cases of each of these approaches. There are seven use cases that have only one solution: three exclusive use cases for Extension Attributes, three exclusive for Custom Security Attributes and one for Directory Extensions.

| Use Case | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Visible on Profile Card | Y (Exclusive) | N | N | N | N |
| Exchange Dynamic Groups | Y (Exclusive) | N | N | N | N |
| Group Dynamic Membership Rule | Y | Y | N | N | N |
| Administrative Unit Dynamic Membership Rule | Y | Y | N | N | N |
| Inbound Cloud Provisioning | Y | Y | N | N | N |
| Cloud User App Provisioning | Y | Y | N | N | N |
| User App Provisioning Filtering | Y | Y | N | N | N |
| On Premise Sync | Y | Y | N | N | N |
| Cross Tenant Sync | Y | Y | N | N | N |
| Customized Token Claims | Y | Y | N | N | N** |
| Entra ID DS | Y | Y | N | N | N |
| Graph Filterable | Y | Y | Y | N | Y |
| Azure B2C | Y | Y | N | N | N |
| External ID Custom User Attributes | N | Y (Exclusive) | N | N | N |
| Restricted Access/Sensitive Data | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Enterprise Applications | N | N | N | N | Y (Exclusive) |
| Conditional Access Filter on Devices | Y (Exclusive) | N | N | N | N |
| Conditional Access Filter on Users and Groups (via Dynamic Group Membership) | Y | Y | N | N | N |
| UI to manage the customizations | N/A | N* | N | N | Y |
| Azure ABAC | N | N | N | N | Y (Exclusive) |
| Lifecycle Workflows: Scope Filter | Y | Y | N | N | Y |
| Lifecycle Workflows: Trigger Attributes | N | N | N | N | N |
| Access Package Assignment Policy | Y | Y | N | N | N |

My default answer: use a Directory Extension unless you can’t!
Custom Attributes in Entra ID -- Limitations

This article is the sixth in a series about Custom Attributes in Entra ID and discusses the limitations of each of these approaches.

| Limitation | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Needs an App to own it | N | Y | Y | N, but an App must create it | N |
| Values Per Resource | 15 | 100 | 100 | 2 kb of data | 50 |
| Per App | N/A | | 5 definitions | 2 extensions | N/A |
| Per Tenant | 15 | Infinite | Infinite | Infinite | 500 |
| Schema can be shared | Built in to every tenant | If other tenants install your multi-tenant app | Discoverable Globally | N | N |
| Can exist on Synced User | Y | Y | Y | Y | Y |
| Must Manage on Prem for Synced User | Y | N* | N | N | N |

*No, except for Directory Extensions from the “Tenant Schema Extension App” used by Entra ID Connect Sync and Cloud Sync.
Custom Attributes in Entra ID -- Lifecycle

This article is the fifth in a series about Custom Attributes in Entra ID and discusses the lifecycle of each of these approaches.

| Lifecycle Question | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| Has Lifecycle States? | | | | | |
Custom Attributes in Entra ID -- Data Types

This article is the fourth in a series about Custom Attributes in Entra ID and discusses the data types that each of these approaches can use.

| Data Type | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| String | Y | Y (256 characters) | Y | Y | Y (64 characters) |
| Binary | N | Y | Y | N | N |
| Boolean | N | Y | Y | N | Y |
| DateTime | N | Y | Y | N | N |
| Integer | N | Y | Y | N | Y |
| LargeInteger | N | Y | N | N | N |
| Multi-valued Attributes | N | Y | N | Y | Y |
| Strongly Typed | N | Y | Y | N | Y |

Going beyond single-valued strings

If you need to go beyond single-valued string data, then Extension Attributes are out.
Custom Attributes in Entra ID -- Resource Types

This article is the third in a series about Custom Attributes in Entra ID and discusses the resource types that each of these approaches can be applied to.

| Resource Type | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| servicePrincipal | N | N | N | N | Y |
| user | Y | Y | Y | Y | Y |
| device | Y | Y | Y | Y | N |
| group | N | Y | Y | Y | N |
| administrative unit | N | Y | Y | N | N |
| application | N | Y | N | N | N |
| organization | N | Y | Y | Y | N |
| contact | N | N | Y | Y | N |
| event | N | N | Y | Y | N |
| message | N | N | Y | Y | N |
| post | N | N | Y | Y | N |
| todoTask | N | N | N | Y | N |
| todoTaskList | N | N | N | Y | N |

Right away it should be noted that contact resources are personal contacts, not the organizational contacts (orgContact) that are maintained by the org’s admins.
Custom Attributes in Entra ID -- Naming Conventions

This article is the second in a series about Custom Attributes in Entra ID and discusses the naming conventions, so that you can recognize them when you see them in the wild and understand how uniqueness is enforced and guaranteed.

| Name or ID | Example | Notes |
|---|---|---|
| Extension attributes | extensionAttribute1 | |
Custom Attributes in Entra ID

Microsoft has had a lot of chefs in the Entra ID kitchen baking up solutions to different problems, and now we have an array of confusing choices about where to put your data. This is the first of a series of posts to help you choose the correct one for you and your needs. While Microsoft’s official documentation provides a fairly handy comparison table, it completely leaves out Custom Security Attributes.
Cross Tenant Sync for GalSync?

Microsoft Entra ID’s Cross Tenant Sync can sync users from one tenant to another. They will sync as External Members or External Guests. In Exchange Admin they will show as MailUsers. Just be sure that showInAddressList is synced to be true, or better yet carries over the showInAddressList value from your source tenant. GalSync done! Yeah! Wait a minute! What about Groups? What about contacts? What about internal guests? NO! They are not supported.
MIMWAL Can run PowerShell 3.0 and beyond without PSRemoting or Start-Process!

I just discovered that a colleague had, several years prior, managed to get the MIMWAL PowerShell Activity to run Get-ADUser and other cmdlets from the Active Directory Module (which requires PowerShell 3.0 or later) without using PowerShell Remoting or starting a new process with Start-Process.

Caution (per Eugene Sergeev): This breaks SSPR AuthN workflows.

So if you aren’t using SSPR through MIM, this might be an option for you!