Custom Attributes with Azure AD Connect

Liam Ray 20 Reputation points
2025-11-10T19:42:17.51+00:00

I'm working on building a new domain which employs AADC for password writeback. I've read through several threads and come to the general conclusion that I will not be able to have attributes like extensionAttribute1 mastered in the cloud. The issue with this is I have cloud flows for on/off-boarding users which are now unable to run, as they edit the attribute field. The specific field is custom attribute 1 in Exchange. Are there any workarounds, or should I move forward with my current idea of an API call that makes the change on the server instead of the cloud?

Exchange | Hybrid management

Answer accepted by question author
  1. Vergil-V 6,220 Reputation points Microsoft External Staff Moderator
    2025-11-11T02:32:46.3266667+00:00

    Hi @Liam Ray 

    Thank you for reaching out to Microsoft Learn Q&A!   
    From my research, I agree with you that the extension attribute property cannot be changed when it was previously synced from an on-premises Active Directory, as it is read-only in the cloud, since the source of authority for these properties is the on-premises environment.

    Reference: onPremisesExtensionAttributes resource type - Microsoft Graph v1.0 | Microsoft Learn 

    From the information above, one possible approach is to update the Custom Attribute mapped to ExtensionAttribute1 using the Exchange Online or Exchange Online V2 PowerShell modules.

    For example, you could combine this with your idea of using an API call and PowerShell command such as: 

    Set-Mailbox -Identity ******@domain.com -CustomAttribute1 "NewValue"

    This could be automated through a cloud flow like: 

    Trigger event => API => Execute PowerShell => Attribute update 

    Note: Remember to run

    Connect-ExchangeOnline -AppId <AppId> -CertificateThumbprint <Thumbprint> -Organization <TenantName>

    for unattended scripts using the Exchange Online module and ensure the module is imported and installed on the API host. 

    Another method, similar to your idea, is to update the extension attribute in the on-premises environment first and then sync it to the custom attribute. The automated flow would look like this: 

    Trigger event => API => Execute PowerShell  

    # Set-ADUser -Identity accepts a DN, GUID, SID or sAMAccountName, not a UPN, so resolve the user first
    Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } | Set-ADUser -Replace @{extensionAttribute1="NewValue"}

     => Sync to Azure AD => Custom attribute update 
    Note: Make sure the Active Directory module is installed on the API host. 

    Additionally, you could consider using an extension-based Hybrid Runbook Worker as an alternative to the API host.  Reference: Deploy an extension-based Windows or Linux User Hybrid Runbook Worker in Azure Automation | Microso… 

    I hope these suggestions provide some helpful ideas. As a forum moderator, I don’t have access to a dedicated testing environment, so I cannot confirm whether these options will work fully in your setup. For more advanced assistance, I highly recommend reaching out to the Microsoft Technology Community, where experts with hands-on experience can provide deeper insights. 

    I apologize for any inconvenience caused by transitioning to another forum, and I truly appreciate your understanding. 

    Thank you for your time and patience. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
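The two update paths sketched in the answer above (cloud-side Set-Mailbox with certificate auth, and on-premises Set-ADUser followed by a sync cycle), worked through as one script. This is an added example and not code from the answer, from Microsoft, or from the asker's flow. It assumes an Entra app registration with the Exchange.ManageAsApp permission and an Exchange RBAC role for the cloud path, the ActiveDirectory module on the API host for the on-premises path, and the ADSync module only where the script runs on the Azure AD Connect server itself; the AppId, thumbprint, tenant and UPN values are placeholders.

```powershell
# Added example for this thread, not code from the answer above or from Microsoft.
# Assumptions (placeholders are marked as such):
#  - Cloud path: an Entra app registration with the Exchange.ManageAsApp application
#    permission and an Exchange RBAC role assigned, authenticating with a certificate
#    installed on the API host (certificate-based auth, no stored password).
#  - On-prem path: the ActiveDirectory module on the API host, run under an account
#    delegated write access to extensionAttribute1 only; the ADSync module is only
#    present on the Azure AD Connect server itself.

function Set-CustomAttribute1InCloud {
    # Cloud path: write CustomAttribute1 on the Exchange Online mailbox.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateLength(1, 1024)][string]$Value,   # Exchange caps CustomAttribute1 at 1024 chars
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [Parameter(Mandatory)][string]$Organization
    )
    Import-Module ExchangeOnlineManagement -ErrorAction Stop
    Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertificateThumbprint `
        -Organization $Organization -ShowBanner:$false
    try {
        $before = (Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop).CustomAttribute1
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, "CustomAttribute1 '$before' -> '$Value'")) {
            Set-Mailbox -Identity $UserPrincipalName -CustomAttribute1 $Value -ErrorAction Stop
        }
        # Read back instead of trusting the call: for a directory-synced mailbox the
        # on-premises directory is the source of authority, so the write may be refused
        # or later overwritten by sync. Applied = $false is the signal to use the on-prem path.
        $after = (Get-Mailbox -Identity $UserPrincipalName).CustomAttribute1
        [pscustomobject]@{ User = $UserPrincipalName; Before = $before; After = $after; Applied = ($after -eq $Value) }
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

function Set-ExtensionAttribute1OnPremises {
    # On-prem path: write extensionAttribute1 in AD and let Azure AD Connect sync it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')]  # reject anything that is not UPN-shaped
        [string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateLength(1, 1024)][string]$Value,
        [switch]$RequestDeltaSync   # only meaningful when run on the Azure AD Connect server
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # -Identity does not accept a UPN (DN, GUID, SID or sAMAccountName only), so resolve
    # the user first. The script-block filter passes $UserPrincipalName as a value rather
    # than splicing it into a filter string.
    $user = Get-ADUser -Filter { UserPrincipalName -eq $UserPrincipalName } -Properties extensionAttribute1
    if (-not $user) { throw "No AD user found with UPN '$UserPrincipalName'" }
    if ($user.Count -gt 1) { throw "UPN '$UserPrincipalName' is not unique" }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "extensionAttribute1 '$($user.extensionAttribute1)' -> '$Value'")) {
        Set-ADUser -Identity $user -Replace @{ extensionAttribute1 = $Value } -ErrorAction Stop
    }
    if ($RequestDeltaSync) {
        Import-Module ADSync -ErrorAction Stop
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null   # otherwise wait for the scheduled cycle (30 min by default)
    }
    # Return the stored value so the calling flow can log what was actually written.
    (Get-ADUser -Identity $user -Properties extensionAttribute1).extensionAttribute1
}

# Usage from the flow's API host (placeholder values); -WhatIf shows the change without applying it:
# Set-ExtensionAttribute1OnPremises -UserPrincipalName 'user@contoso.com' -Value 'Onboarded' -WhatIf
# Set-CustomAttribute1InCloud -UserPrincipalName 'user@contoso.com' -Value 'Onboarded' `
#     -AppId '00000000-0000-0000-0000-000000000000' -CertificateThumbprint 'PLACEHOLDER_THUMBPRINT' `
#     -Organization 'contoso.onmicrosoft.com'
```

Both functions support -WhatIf and read the attribute back after writing, so the calling flow records the before and after values rather than assuming success; the on-premises function resolves the UPN to an AD object first because Set-ADUser -Identity does not accept a UPN.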


1 additional answer

  1. Q&A Assist
    2025-11-10T19:42:39.8366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    In your scenario with Azure AD Connect (AADC) and the management of custom attributes like extensionAttribute1, it is important to note that these attributes cannot be mastered in the cloud when using AADC for password writeback. This limitation can indeed affect your cloud flows for onboarding and offboarding users, especially if those flows involve editing custom attributes that are not synchronized back to the cloud.

    One potential workaround is to continue using your API call approach to make changes directly on the server. This method allows you to bypass the limitations imposed by AADC and manage the attributes effectively. Additionally, you might consider using the Microsoft Graph API to update these attributes programmatically, which can provide more flexibility in managing user data.

    If you find that the API approach does not meet your needs, you may also want to explore alternative methods for managing user attributes, such as adjusting your cloud flows to avoid modifying these specific attributes or using different attributes that can be mastered in the cloud.


