Azure AD Connect does a good job of linking your on-premises Active Directory to Azure AD. But what if you want to do some customizations?

In a previous post I detailed how to set up a Dynamic Distribution Group in Exchange Online.  In the example provided I included a CustomAttribute1 field where I set the group to filter out any CustomAttribute1 = “NoMember”.  Read that post here:  https://catastrophe.wiredwolf.com/dynamic-distribution-lists/

By default, though, Active Directory does not have these attribute options assigned to the users, or indeed anywhere in the Schema.  You have to add them by extending the AD Schema.

The simplest way to do this is to download the latest Exchange 2016/2019 CU, mount the ISO, and execute the command:

\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema

This is a bit of a pain in the ass, as the file is huge (5+ GB) just to run a simple command without actually installing Exchange in your environment. However, it is a necessary time expense if you want to use these features.

Please note – CustomAttribute1-15 is not the same as msDS-cloudExtensionAttribute1-15.  Do not use msDS-cloudExtensionAttribute.

Once you have your Schema extended with Exchange, the next step is to update/refresh your Azure AD Connector.

Open Azure AD Connect configuration and select Refresh Directory Schema.  Run through the wizard, provide your Global Admin credentials, and complete the process.

Next, reopen Azure AD Connect configuration and this time select Customize Synchronization Options. Click through, providing your Global Admin credentials where required, until you get to Optional Features. Up to this point you've probably only ever enabled Password Hash Synchronization, but here's where you enable other goodies such as Directory Extension Attribute Sync.

With Directory Extension Attribute Sync enabled, click through until you get to Directory Extensions. Scroll down through the available extensions and add all the ExtensionCustomAttribute1-15 for both Group and User to the right side. When they're all selected, click Next, then Configure, and wait until the wizard completes and a new sync is initiated.

You can now synchronize CustomAttribute1 through 15 from the Attributes section of your AD user.
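
To confirm the schema change actually landed before relying on the sync, the following added example (not part of the original post) checks the schema partition, stamps the filter value on one user, and starts a delta sync. It assumes the ActiveDirectory RSAT module, that the final step runs on the Azure AD Connect server, and a hypothetical account name `jdoe`; in AD itself, Exchange's CustomAttribute1-15 are stored as extensionAttribute1-15.

```powershell
# Added example: verify the Exchange schema extension, set the value, trigger a sync.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Exchange records its schema level on this object once /PrepareSchema has run.
$ver = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
                    -Properties rangeUpper -ErrorAction SilentlyContinue
if (-not $ver) {
    throw 'No Exchange schema version object found; the schema has not been extended.'
}
"Exchange schema version (rangeUpper): $($ver.rangeUpper)"

# CustomAttribute1-15 in Exchange are extensionAttribute1-15 in the AD schema.
$expected = 1..15 | ForEach-Object { "extensionAttribute$_" }
$present  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=extensionAttribute*))' `
                -Properties lDAPDisplayName |
            Select-Object -ExpandProperty lDAPDisplayName

$missing = $expected | Where-Object { $_ -notin $present }
if ($missing) {
    throw "Schema is missing: $($missing -join ', ')"
}
'All 15 extensionAttribute definitions are present in the schema.'

# Stamp the value the Dynamic Distribution Group filter looks for.
$sam = 'jdoe'   # hypothetical account name, replace with a real user
Set-ADUser -Identity $sam -Replace @{ extensionAttribute1 = 'NoMember' }

# Read it back so a typo in the attribute name or value is caught here, not in Exchange Online.
Get-ADUser -Identity $sam -Properties extensionAttribute1 |
    Select-Object SamAccountName, extensionAttribute1

# On the Azure AD Connect server: push the change without waiting for the scheduler.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Extending the schema requires Schema Admins rights and cannot be rolled back, so run the read-only checks first and keep that group membership temporary.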