Azure AD and Microsoft Graph Extensions and Attributes
A comparison of the five different types of Microsoft Azure AD + Graph extensions and attributes.
|   | Extension Attributes 1-15 (aka onPremisesExtensionAttributes) | Directory extensions / Custom extension properties (aka AAD extensions) | Schema extensions | Open extensions | Custom security attributes |
|---|---|---|---|---|---|
| Audience | IT Admins • Devs | IT Admins • Devs | Devs | Devs | IT Admins • Devs |
| Dynamic group membership rule | β | β | β | β | β |
| Conditional Access - Users and groups | β | β | β | β | β |
| Conditional Access - App Filter | β | β | β | β | β |
| Conditional Access - Device Filter | β | β | β | β | β |
| Admin user interface | β | β | β | β | β |
| Cross-Tenant synchronization | β | β | β | β | β |
| App user provisioning | β | β | β | β | β |
| Entitlement Management automatic assignment | β | β | β | β | β |
| Lifecycle Workflows execution conditions scope | β | β | β | β | β |
| Filterable | β | β | β | β | β |
| External identities - Self-service sign up flow | β | β | β | β | β |
| Usable for customizing token claims | β | β | β | β | β |
| Requires AAD P1/P2 license | β | β | β | β | β |
| Azure ABAC | β | β | β | β | β |
| Block read access | β | β | β | β | β |
| Strongly typed | β | β | β | β | β |
| Support multi-valued attributes | β | β 1 | β | β | β |
| Azure AD Connect and Cloud Sync | β | β | β | β | β |
| Supported resources | user • device | user • group • administrativeUnit • application • device • organization | user • group • administrativeUnit • application • contact • device • event • message • organization • post | user • group • contact • device • event • message • organization • post • todoTask • todoTaskList | user • servicePrincipal |
| Data types | String | Binary • Boolean • DateTime • Integer • LargeInteger • String (256 char) | Binary • Boolean • DateTime • Integer • String | String | Boolean • Integer • String |
| Max limits | 15 per object | 100 extensions across all types and all applications | 100 per resource | 2 per creator app per resource | 50 per object • 500 attributes per tenant |
| When to use | • Simpler way to leverage on-prem data or Exchange data • Wanting a simple string attribute on a user/device which can be used in multiple applications as a claim | • Extending AAD resources with more attributes • Need more strongly-typed attributes than extension attributes 1-15 • With AAD Connect Sync, can also sync on-prem or SharePoint data | • To extend Graph resources • Don't require attributes as part of user authentication and as a claim | Directly add attributes to a single Graph object, rather than through an extension schema | Store confidential data |
| Key notes | • Can only sync for users with onPremisesSyncEnabled • Cannot be updated by Microsoft Graph unless users/devices are cloud only (not synced from on-prem) | • Extension is created on an app object, then target resource(s) are manually updated with value • AAD Connect Sync uses directory extensions | Extension is created as a stand-alone resource, then applied to object | Simple setup and usage | Built with security and least privilege |
1 Multi-value support in directory extensions is limited to attributes synchronized from on-prem. It is not possible to create new multi-valued directory extensions in Azure AD.
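The two-step directory-extension flow from the "Key notes" row (create on the app object, then write the value onto each target resource), next to a custom security attribute assignment, as an added example that is not part of the original page. It builds the Microsoft Graph v1.0 requests; `send()` needs a bearer token carrying the relevant permission, and all IDs and attribute names are placeholders.

```python
"""Added example: Graph requests for a directory extension vs. a custom
security attribute. IDs, names and the token are placeholders."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def extension_property_name(app_client_id: str, name: str) -> str:
    """Graph names a directory extension 'extension_<clientId without dashes>_<name>'."""
    return f"extension_{app_client_id.replace('-', '')}_{name}"


def create_directory_extension(app_object_id, name, data_type="String", targets=("User",)):
    """Step 1: the extension is created on the *application* object."""
    body = {"name": name, "dataType": data_type, "targetObjects": list(targets)}
    return "POST", f"{GRAPH}/applications/{app_object_id}/extensionProperties", body


def set_directory_extension(user_id, app_client_id, name, value):
    """Step 2: each target resource is then updated with a value.
    Readable by anything that can read the user, so not a place for secrets."""
    body = {extension_property_name(app_client_id, name): value}
    return "PATCH", f"{GRAPH}/users/{user_id}", body


def set_custom_security_attribute(user_id, attribute_set, attribute, value):
    """Custom security attributes use a typed value object and their own
    permission (CustomSecAttributeAssignment.ReadWrite.All), which is what
    backs the 'Block read access' and 'least privilege' rows of the table."""
    body = {"customSecurityAttributes": {attribute_set: {
        "@odata.type": "#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
        attribute: value}}}
    return "PATCH", f"{GRAPH}/users/{user_id}", body


def send(request, token):
    """Issue a prepared (method, url, body) request; PATCH returns 204 with no body."""
    method, url, body = request
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return None if resp.status == 204 else json.load(resp)
```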