By DavidLundell September 27, 2025

This article is the fifth in a series about Custom Attributes in Entra ID and discusses the lifecycle of each approach. The series covers:
- Names and aliases
- Naming Conventions
- Resource Types
- Data Types
- Lifecycle
- Limitations
- Use Cases
- Decision Tree

| Lifecycle Question | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
| --- | --- | --- | --- | --- | --- |
| Has Lifecycle States? | No (always there) | No (there and not there) | Yes (InDevelopment, Available, Deprecated) | No (never there) | Yes (Active, Deactivated) |
| Can other apps in the same tenant discover the extension definitions? | Yes (same in every tenant) | Yes | Yes | No definitions to discover | Only with the Attribute Definition roles |
| Can other apps in same Tenant read the data (If app has read permissions to the resource)? | Yes | Yes | Yes | Yes | Only with Attribute Assignment Roles |
| Can other apps in same Tenant write the data (If app has write permissions to the resource)? | Yes | Yes | Yes | Yes | Only with Attribute Assignment Roles |
| Can definitions be shared with or discovered by other tenants? | They already are | If app is Multi-Tenant and gets installed | Once the Schema Extension is in Available State | No | No |
| Can the extension be deleted? | No | Yes | Only when in the InDevelopment State | N/A (there are no definitions) | No |
| Can be deactivated or deprecated? | No | No | Yes (deprecated) | No | Yes (deactivated) |
| Deletion of owning App | | | | | |
| What happens to the definitions? | N/A | Deletes the Extensions Definition | Not deleted but no longer updateable | Deleting the Creator app has no impact | N/A |
| What happens to the definitions in other tenants? | N/A | Nothing – other tenants could not update the definitions anyhow | Nothing – other tenants could not update the definitions anyhow | N/A | N/A |
| What happens to the data? | N/A | Makes it undiscoverable | All properties and values are still discoverable | Deleting the Creator app has no impact | N/A |
| What happens to the data in other tenants? | N/A | None | None | N/A | N/A |
| Can the extension be deleted? | N/A | Yes | Only when in the InDevelopment State | N/A (there are no definitions) | No |
| What happens to the definitions? | N/A | Deletes the Extensions Definition | Definition deleted and undiscoverable | N/A | N/A |
| What happens to the definitions in other tenants? | N/A | Nothing – other tenants could not update the definitions anyhow | N/A (can’t delete when shared) | N/A | N/A |
| What happens to the data? | N/A | Makes it undiscoverable | Makes it undiscoverable | N/A | N/A |
| What happens to the data in other tenants? | N/A | Nothing | N/A (can’t delete when shared) | N/A | N/A |
| Can the extension be deactivated or deprecated? | No | No | Yes (deprecated); extension can no longer be read or modified | No | Yes (deactivated); can no longer be applied |
| Effect on other tenants? | N/A | N/A | Extension can no longer be read or modified | N/A | N/A |
| What happens to the data when the Extension is deprecated or deactivated? | N/A | N/A | Can read, update and delete existing property values | N/A | Data is preserved; can no longer be applied to resources |
| Effect on other tenants? | N/A | N/A | Can read, update and delete existing property values | N/A | N/A |
| Data in Undiscoverable/Deactivated count against limits | N/A | Yes | Probably | N/A | Yes |

Comparing Custom Security Attributes with on-prem AD
In on-prem AD we can create schema extensions but never delete them. We can mark them as deprecated or inactive. Custom Security Attributes come the closest in this regard, as you can never delete them but you can deactivate them. Before investing in a particular kind of extension, it is critical to know what happens to the data if you delete or deactivate/deprecate the extension. In this case you can find, modify, and delete existing data populated in a deactivated Custom Security Attribute, but you can’t apply it to any more objects (meaning you can’t add new values).

How does the application lifecycle affect it?
Both Directory Extensions and Schema Extensions are owned by Applications, so in their case you also need to take the Application lifecycle into account.
Deletion of the app that owns Schema Extension
All properties and values are still discoverable; however, the definitions can no longer be updated.
Deletion of the app that owns Directory Extension
Deletes the definitions and makes the data undiscoverable, but in the multi-tenant app situation the data will remain discoverable.
Deletion or Deprecation of a Schema Extension
This topic is more complex. The first best practice is to not use production data in a Schema Extension that is still in the “InDevelopment” state because then the definition can’t be deleted. If you do use the Schema Extension while it is still “InDevelopment” and that definition gets deleted, the data becomes undiscoverable. This is tricky because the documentation gives different answers.
Which disagrees with:
While this next document explains more, it is still not perfectly clear, but it does explain how to recover:
This is one of the key reasons why you should use the verified vanity domain when creating Schema Extensions, so that you can recover from deleting a Schema Extension that is InDevelopment if you did so without clearing the data.
Since deleting the definition does not delete the data, it probably counts against the limit on the resource.
Deletion of a Directory Extension
Makes the data undiscoverable: you can’t find it, let alone read it, write to it, or delete it. You can recover from this by restoring the Enterprise Application, although if this is the source tenant for the Enterprise Application, you must restore the Registered Application first. Then you can resume using the data, or you can delete the data. This is critical because of the 100-value limit: the data still counts against your tenant even if it is undiscoverable.
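
The restore order described above, worked through as an added example (not code from the original article). It assumes the Microsoft Graph v1.0 `directory/deletedItems` listings as input; the function name, the GUIDs and the sample records are constructed for illustration.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

def plan_restore(app_id, deleted_apps, deleted_sps):
    """Return the ordered Graph requests that bring back the owner of a
    Directory Extension so its data becomes discoverable again.

    deleted_apps / deleted_sps are the `value` arrays returned by
    GET /directory/deletedItems/microsoft.graph.application and
    GET /directory/deletedItems/microsoft.graph.servicePrincipal.
    """
    app = next((a for a in deleted_apps if a["appId"] == app_id), None)
    sp = next((s for s in deleted_sps if s["appId"] == app_id), None)
    if app is None and sp is None:
        raise LookupError(f"appId {app_id} is not in deletedItems; nothing to restore")

    steps = []
    # Source tenant: the Registered Application lives here and must come back first.
    if app is not None:
        steps.append(("POST", f"{GRAPH}/directory/deletedItems/{app['id']}/restore"))
    # The Enterprise Application (service principal) is restored explicitly;
    # restoring the application does not bring it back on its own.
    if sp is not None:
        steps.append(("POST", f"{GRAPH}/directory/deletedItems/{sp['id']}/restore"))
    # Check that the extension definitions are listed again on the restored app.
    if app is not None:
        steps.append(("GET", f"{GRAPH}/applications/{app['id']}/extensionProperties"))
    return steps

# Constructed sample data: one app deleted in its source tenant, and one
# multi-tenant app whose Enterprise Application was deleted in a consumer tenant.
DELETED_APPS = [
    {"id": "11111111-0000-0000-0000-000000000001",
     "appId": "aaaaaaaa-0000-0000-0000-00000000000a", "displayName": "HR Sync"},
]
DELETED_SPS = [
    {"id": "22222222-0000-0000-0000-000000000002",
     "appId": "aaaaaaaa-0000-0000-0000-00000000000a", "displayName": "HR Sync"},
    {"id": "33333333-0000-0000-0000-000000000003",
     "appId": "bbbbbbbb-0000-0000-0000-00000000000b", "displayName": "Partner App"},
]

if __name__ == "__main__":
    for app_id in ("aaaaaaaa-0000-0000-0000-00000000000a",
                   "bbbbbbbb-0000-0000-0000-00000000000b"):
        for method, url in plan_restore(app_id, DELETED_APPS, DELETED_SPS):
            print(method, url)
```
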
