How to Synchronize the EmployeeId Attribute to Azure AD?

Azure AD Connect extension attributes

With the default configuration of Azure AD Connect, only a subset of Active Directory attributes is synchronized to Azure AD.

To extend the synchronization to include employeeId (or any other attribute), follow the below steps.

(To dig to the bottom of AD-to-AzureAD attribute mapping, read this)

Synchronize Additional Attributes with Azure AD

Start Azure AD Connect and select “Customize synchronization options”:

Azure AD Connect extension attributes

Click Next until you reach Optional Features, where you select “Directory extension attribute sync”:

Azure AD Connect extension attributes

Clicking Next will bring you to the “Directory extensions,” where you can search and add the attributes you want to add to the synchronization scope:

(Note: The Available Attributes search is case-sensitive in AADC versions earlier than 1.2.65.0)

Azure AD Connect extension attributes

Verify the Directory Extension Replication

When this is done, you can verify that the Azure AD Connect rules have been updated by starting the Azure AD Connect Rules Editor.

Looking at inbound rules, select “In from AD – User DirectoryExtension”:

Azure AD Connect extension attributes

Clicking View will display the details of the extended replication scope:

Azure AD Connect extension attributes

As seen, the employeeId attribute is truncated to the leftmost 256 characters and stored in the Azure AD Connect Metaverse as “extension_employeeID”.

To see the transformation applied when the attribute is replicated from the Azure AD Connect Metaverse to Azure AD, go to Outbound replication and select “Out to AAD – User DirectoryExtension”:

Azure AD Connect extension attributes

Clicking View reveals the following details:

Azure AD Connect extension attributes

As (almost) seen, the extension_employeeID attribute is renamed to extension_[GUID]_employeeID.

The GUID comes from the Enterprise Application responsible for handling Azure AD schema extensions. You can find this in Enterprise applications in the Azure portal:

Azure AD Connect extension attributes

How to Retrieve Extension Attributes from Azure AD

Now that synchronization is set up let’s see how to grab the new attributes.

Unlike your regular AD, you won’t find the new attributes directly on the Azure AD user object:

PS C:\> Get-AzureADUser -ObjectId tycho.brahe@azure.skrubbeltrang.com | fl *ID*


ObjectId                       : 0b1a9aa0-43e3-49e1-bb09-db1b09144e6b
ConsentProvidedForMinor        :
ImmutableId                    : gNhIe/ITL0K4HM2syRD8sQ==
OnPremisesSecurityIdentifier   : S-1-5-21-3688220979-3330231506-4120471870-1110
RefreshTokensValidFromDateTime : 9/14/2021 9:55:04 PM

We don’t find any employeeID information here…!

To retrieve the extension attributes, you must use the Get-AzureADUserExtension.

This command looks at the special directory handled by the Tenant Schema Extension App:

PS C:\> Get-AzureADUserExtension -ObjectId tycho.brahe@azure.skrubbeltrang.com

Key                                                       Value
---                                                       -----
odata.metadata                                            https://graph.windows.net/c1493961-2ba6-41ae-b462-e3e7e4dae630/$metadata#directoryObjects/@Element
odata.type                                                Microsoft.DirectoryServices.User
createdDateTime                                           9/14/2021 9:56:03 PM
employeeId                                                14-12-1546
onPremisesDistinguishedName                               CN=Tycho Brahe,OU=Denmark,OU=Users,OU=E365M,DC=easy365manager,DC=local
userIdentities                                            []
userState
userStateChangedOn
extension_b3cbe46992964923919c175dcd1c974d_employeeID     14-12-1546

Using the following command you can address the extension attribute directly:

(Get-AzureADUserExtension -ObjectId tycho.brahe@azure.skrubbeltrang.com).extension_b3cbe46992964923919c175dcd1c974d_employeeID

Note that (opposed to the Azure AD) the Azure AD Extension attributes are case-sensitive:

_employeeId and _employeeID are NOT the same!

Mistaking the case of the attribute name will leave you with an empty output!

Summary

Extending the replication scope from your Active Directory to the Azure AD has a little bit of complexity.

Understanding the components involved can save you a lot of trouble.

A lot of admins find the Active Directory and Azure AD integration a bit confusing.

To many, it’s also a great inconvenience to switch between the many different admin tools:

  • Active Directory Users & Computers
  • Exchange on-premises web console
  • Microsoft 365 admin center web console
  • Exchange online web console
  • PowerShell

Just to mention some of the more common…

If you would like to do all daily AD and Office 365 management from one single tool, have a look at Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that adds new tabs to user and group properties.

With Easy365Manager, you can save tons of hours on your daily admin tasks.

Download our free 30-day trial today and start saving time now!

Did you like this post? Maybe your friends will too!