Extension attributes on devices in Azure Active Directory can be configured with custom values to aid with the management of devices in your tenant. They can be used to perform useful tasks such as filtering for devices, applying policies, script development and automation as well as just providing useful information.
In this tutorial, I am going to show you how to use Microsoft Graph PowerShell to assign custom values to extension attributes on devices in Azure Active Directory.
What are Extension Attributes?
Extension Attributes make up part of the Azure Active Directory schema. The schema defines each property's value type, the rules for each property and how each property may be interacted with. You can store custom values in the directory schema in attributes called Extension Attributes; these are also often called Azure AD extensions.
These attributes provide a convenient way to input custom values into objects (and in our case devices) in your tenant to store additional, meaningful data.
Many different types of objects in Azure Active Directory support Azure AD extensions such as users, groups, service principals and in the case of this tutorial, devices.
What can Extension Attributes be used for?
After you have defined the value of an extension attribute on your objects, you can use that value to filter for devices. For example, a PowerShell script can look up devices by the value stored in an extension attribute and then perform an action on exactly that set of devices.
These values can even be defined automatically through scripting or other processes when a device is registered to Azure AD or enrolled in Intune.
One of my favourite reasons for configuring extension attributes is so I can use device filters in conditional access to enforce stronger authentication methods or session controls on specific personal devices.
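The look-up described above, as an added example that is not part of the original post: devices are selected by an extension attribute value with a server-side Graph filter rather than by downloading every device and filtering in PowerShell. The function name and the attribute value are assumptions for this example.

```powershell
# Added example, not part of the original post: look devices up by the value of an
# extension attribute with a server-side Graph filter. Filtering on extensionAttributes
# is an "advanced query", so ConsistencyLevel eventual and a $count request are required.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Device.Read.All"

function Get-DeviceByExtensionAttribute {
    param(
        [Parameter(Mandatory)] [ValidateRange(1, 15)] [int] $AttributeNumber,
        [Parameter(Mandatory)] [string] $Value
    )
    $name = "extensionAttribute$AttributeNumber"
    # A single quote inside an OData string literal is escaped by doubling it.
    $escaped = $Value -replace "'", "''"
    $filter  = "extensionAttributes/$name eq '$escaped'"

    Get-MgDevice -Filter $filter -ConsistencyLevel eventual -CountVariable matched -All `
        -Property "id", "displayName", "deviceId", "trustType", "extensionAttributes" |
        Select-Object DisplayName, Id, DeviceId, TrustType,
            @{ Name = $name; Expression = { $_.ExtensionAttributes.$name } }
}

# Devices tagged "Corporate Device" by the script later in this post. The equivalent
# conditional access "filter for devices" rule is: device.extensionAttribute1 -eq "Corporate Device"
Get-DeviceByExtensionAttribute -AttributeNumber 1 -Value "Corporate Device" | Format-Table -AutoSize
```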
How to view the full device schema in Azure AD
If you want to view the full Azure AD schema for a device, you can use the Invoke-MgGraphRequest cmdlet in Microsoft Graph PowerShell.
# Requires the Microsoft Graph PowerShell SDK; Select-MgProfile only exists in SDK 1.x
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Select-MgProfile -Name "beta"
Connect-MgGraph -Scopes Directory.Read.All
$devicename = "DESKTOP-DKTMUR6"
# Filter server-side on displayName instead of downloading every device and filtering locally
$device = Get-MgDevice -Filter "displayName eq '$devicename'"
$uri = "https://graph.microsoft.com/v1.0/devices/" + $device.Id
# Invoke-MgGraphRequest returns the raw JSON as a hashtable, so every property of the device is listed
Invoke-MgGraphRequest -Uri $uri | Format-List
In your output, you will see all available attributes for the device. You can also copy the $uri variable and paste this into the Microsoft Graph Explorer to get a similar result.
How to configure Extension Attributes with PowerShell
Now let’s take a look at how we can configure the value of extension attributes for devices registered in our tenant using Microsoft Graph PowerShell and the Invoke-MgGraphRequest cmdlet.
In the example below, I collect all devices that are Azure AD joined and loop through each device to update ‘extensionAttribute1’ with the value ‘Corporate Device’.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Select-MgProfile -Name "beta"
Connect-MgGraph -Scopes Device.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
# -All follows paging; without it only the first page of devices is returned
$AzureADJoinedDevices = Get-MgDevice -All | Where-Object {$_.EnrollmentType -eq "AzureDomainJoined"}
ForEach ($device in $AzureADJoinedDevices) {
    $uri = "https://graph.microsoft.com/beta/devices/" + $device.Id
    # Only the attribute named here is sent in the PATCH body
    $json = @{
        "extensionAttributes" = @{
            "extensionAttribute1" = "Corporate Device"
        }
    } | ConvertTo-Json
    Invoke-MgGraphRequest -Uri $uri -Body $json -Method PATCH -ContentType "application/json"
}
You can also view the script on GitHub here.
How to view extension attributes from the Azure AD portal
It is useful and convenient to check which extension attributes are configured on devices from the Azure Active Directory Admin Portal.
2. From the menu, select Devices under the Manage heading.
3. Select All devices.
4. Select the target device whose properties you want to view.
5. Scroll down to the bottom of the page, where the configured extension attributes are listed.
Scenarios where updating extension attributes may be useful
Above, I wrote about what the attributes can be used for, but let’s take a look at some real-world scenarios where updating the extension attribute may be useful.
Scenario 1 – Employee Leaver
You may have an employee who has handed in their notice. During their notice period you want to ensure that they connect to the VPN (in full tunnel) for any corporate services (Office 365 and cloud apps, for example). You could configure an extension attribute on the user’s device so that you can target the device with conditional access, and then enforce that the user connects to corporate systems from a trusted location while using that device.
Scenario 2 – Monitoring and remediation
A great feature in Azure is Azure Automation. You could integrate a script with Azure Automation that updates a device extension attribute based on a device alert or log. If risky activity is detected on a device, a custom script in Azure Automation could pull that information, connect to Microsoft Graph with application permissions and update the attribute on the device directory object. You can then report on that device using the value of the extension attribute, which allows you to take manual or automatic action based on the information stored in the attribute.
Scenario 3 – Device object deletion
When a user leaves the business or a device is off-boarded, there may be a period of time during which you want to keep the device object in Azure AD. Instead of using device clean-up rules, which act on devices automatically, attributes can be set to record the required removal date or next review date. These values can then be reported on, and action can be taken manually or on an automatic schedule when required.
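Scenario 3 carried through in code, as an added example that is not part of the original post (the write helper is also the kind of step a scenario 2 runbook would run). The attribute number, the yyyy-MM-dd date format, the function names and the device name are assumptions made for this example.

```powershell
# Added example, not part of the original post: scenario 3 implemented end to end. The
# review date is stored in extensionAttribute2 as an ISO yyyy-MM-dd string (attribute
# number, format and the device name are assumptions made for this example).
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Device.Read.All", "Directory.ReadWrite.All"
# From an Azure Automation runbook (scenario 2) sign in with an application identity
# instead, e.g. Connect-MgGraph -Identity for a managed identity (SDK 2.x).

function Set-DeviceReviewDate {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [datetime] $ReviewDate
    )
    $escaped = $DisplayName -replace "'", "''"
    $device  = @(Get-MgDevice -Filter "displayName eq '$escaped'" -All)
    if ($device.Count -eq 0) { throw "Device '$DisplayName' not found" }
    if ($device.Count -gt 1) { throw "Display name '$DisplayName' is not unique; use the object id" }
    # PATCH only the attribute being changed; the other extension attributes are untouched.
    $json = @{ extensionAttributes = @{ extensionAttribute2 = $ReviewDate.ToString("yyyy-MM-dd") } } |
        ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/devices/$($device[0].Id)" `
        -Body $json -ContentType "application/json"
}

function Get-DevicesDueForReview {
    param([datetime] $AsOf = (Get-Date))
    # Server-side: only devices that have a review date at all. The date comparison is
    # done client-side because the attribute is a string in the directory, not a date.
    Get-MgDevice -Filter "not(extensionAttributes/extensionAttribute2 eq null)" `
        -ConsistencyLevel eventual -CountVariable tagged -All |
    ForEach-Object {
        $raw    = $_.ExtensionAttributes.ExtensionAttribute2
        $parsed = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($raw, "yyyy-MM-dd", [cultureinfo]::InvariantCulture,
                  [System.Globalization.DateTimeStyles]::None, [ref] $parsed)
        if (-not $ok) {
            Write-Warning "$($_.DisplayName): review date '$raw' is not yyyy-MM-dd, skipping"
        } elseif ($parsed -le $AsOf) {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Id          = $_.Id
                ReviewDate  = $parsed.ToString("yyyy-MM-dd")
                DaysOverdue = ($AsOf.Date - $parsed).Days
            }
        }
    }
}

Set-DeviceReviewDate -DisplayName "DESKTOP-EXAMPLE" -ReviewDate (Get-Date).AddDays(90)
Get-DevicesDueForReview | Format-Table -AutoSize
```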