By DavidLundell September 26, 2025

This article is the third in a series about Custom Attributes in Entra ID and will discuss the Resource Types that each of these approaches can use.
- Names and aliases
- Naming Conventions
- Resource Types
- Data Types
- Lifecycle
- Limitations
- Use Cases
- Decision Tree

| Resource Types | Extension attributes | Directory Extensions | Schema Extensions | Open Extensions | Custom Security Attributes |
|---|---|---|---|---|---|
| servicePrincipal | N | N | N | N | Y |
| user | Y | Y | Y | Y | Y |
| device | Y | Y | Y | Y | N |
| group | N | Y | Y | Y | N |
| administrative unit | N | Y | Y | N | N |
| application | N | Y | N | N | N |
| organization | N | Y | Y | Y | N |
| contact | N | N | Y | Y | N |
| event | N | N | Y | Y | N |
| message | N | N | Y | Y | N |
| post | N | N | Y | Y | N |
| todoTask | N | N | N | Y | N |
| todoTaskList | N | N | N | Y | N |

Right away, it should be noted that contact resources are personal contacts, not the organizational contacts (orgContact) that are maintained by the org’s admins. Contact resources are Outlook items (or resources), not directory resources, whereas orgContact is a directory resource type. You can tell because the documentation for orgContact says, “Inherits from directoryObject.” In other words, contact resources are visible to a particular user and not to the organization, whereas orgContact resources are visible to the entire organization through the Global Address List.

Service Principals means using Custom Security Attributes
The most startling thing this table reveals is that the only way to extend Service Principals (aka Enterprise Applications, which also includes Managed Identities) is with Custom Security Attributes.

The second most startling thing is that Custom Security Attributes can apply to Service Principals and users.

Open Extensions apply to most types
Open Extensions can apply to anything but Service Principals, Administrative Units, and Applications, but are the only way to add to a todoTask or a todoTaskList.

Schema Extensions apply to slightly fewer
Schema Extensions can apply to the same list as Open Extensions, minus todoTask and todoTaskList, but adding back the Application.

Directory Extensions are more limited still
Directory Extensions are much more limited but still allow for a variety of resource types.

Extension Attributes in Entra only apply to users and devices
Finally, Extension Attributes in Entra only apply to users and devices. What about groups? On-premises AD groups also have Extension Attributes, if your on-prem AD schema was extended by Exchange. In the cloud, Exchange also owns these attributes for groups and for whatever reason the Entra ID and Exchange Online teams did not make provisions for those attributes to be available through Entra ID.

This creates an interesting problem: Connect Sync supports syncing the Extension Attributes on groups to the cloud, but Cloud Sync does not.
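
The following Python function is an added example, not code from the original article: it turns the directory-object rows of the table above into a pre-flight check and builds the Microsoft Graph v1.0 request each mechanism uses to write a single string value. The function name, its parameters and the sample identifiers used with it are assumptions made for illustration.

```python
# Added example. SUPPORT transcribes the "Y" cells of the table above for
# directory resource types; Outlook and To Do item types are left out.
SUPPORT = {
    "extensionAttribute": {"user", "device"},
    "directoryExtension": {"user", "device", "group", "administrativeUnit",
                           "application", "organization"},
    "schemaExtension": {"user", "device", "group", "administrativeUnit",
                        "organization"},
    "openExtension": {"user", "device", "group", "organization"},
    "customSecurityAttribute": {"servicePrincipal", "user"},
}
# Microsoft Graph v1.0 collection paths for those resource types.
COLLECTION = {
    "user": "/users", "device": "/devices", "group": "/groups",
    "servicePrincipal": "/servicePrincipals", "application": "/applications",
    "organization": "/organization",
    "administrativeUnit": "/directory/administrativeUnits",
}
CSA_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"


def build_request(mechanism, resource_type, object_id, container, prop, value):
    """Return (method, path, body) for one string value, or raise ValueError.

    container: attribute set (custom security attribute), schema extension id,
    open extension name, or owning appId (directory extension); unused for
    extension attributes, where prop is extensionAttribute1..15.
    """
    if resource_type not in SUPPORT.get(mechanism, set()):
        usable = sorted(m for m, t in SUPPORT.items() if resource_type in t)
        raise ValueError(f"{mechanism} cannot extend {resource_type}; use one of {usable}")
    path = f"{COLLECTION[resource_type]}/{object_id}"
    if mechanism == "openExtension":  # created as a child resource, not a property
        body = {"@odata.type": "#microsoft.graph.openTypeExtension",
                "extensionName": container, prop: value}
        return "POST", path + "/extensions", body
    if mechanism == "customSecurityAttribute":
        body = {"customSecurityAttributes": {container: {"@odata.type": CSA_TYPE, prop: value}}}
    elif mechanism == "schemaExtension":
        body = {container: {prop: value}}
    elif mechanism == "directoryExtension":
        body = {f"extension_{container.replace('-', '')}_{prop}": value}
    else:  # extensionAttribute: the wrapper property differs per resource type
        key = "onPremisesExtensionAttributes" if resource_type == "user" else "extensionAttributes"
        body = {key: {prop: value}}
    return "PATCH", path, body
```

Asking for an Open Extension on a servicePrincipal raises a `ValueError` that names Custom Security Attributes as the only usable mechanism, which is the table's first finding expressed as a check.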