With the default configuration of Azure AD Connect, only a subset of Active Directory attributes is synchronized to Azure AD.
To extend the synchronization to include employeeId (or any other attribute), follow the below steps.
(To dig to the bottom of AD-to-AzureAD attribute mapping, read this)
Synchronize Additional Attributes with Azure AD
Start Azure AD Connect and select “Customize synchronization options”:
Click Next until you reach Optional Features, where you select “Directory extension attribute sync”:
Clicking Next will bring you to the “Directory extensions,” where you can search and add the attributes you want to add to the synchronization scope:
(Note: The Available Attributes search is case-sensitive in AADC versions earlier than 126.96.36.199)
Verify the Directory Extension Replication
When this is done, you can verify that the Azure AD Connect rules have been updated by starting the Azure AD Connect Rules Editor.
Looking at inbound rules, select “In from AD – User DirectoryExtension”:
Clicking View will display the details of the extended replication scope:
As seen, the employeeId attribute is truncated to the leftmost 256 characters and stored in the Azure AD Connect Metaverse as “extension_employeeID”.
To see the transformation applied when the attribute is replicated from the Azure AD Connect Metaverse to Azure AD, go to Outbound replication and select “Out to AAD – User DirectoryExtension”:
Clicking View reveals the following details:
As (almost) seen, the extension_employeeID attribute is renamed to extension_[GUID]_employeeID.
The GUID comes from the Enterprise Application responsible for handling Azure AD schema extensions. You can find this in Enterprise applications in the Azure portal:
How to Retrieve Extension Attributes from Azure AD
Now that synchronization is set up, let’s see how to grab the new attributes.
Unlike your regular AD, you won’t find the new attributes directly on the Azure AD user object:
PS C:\> Get-AzureADUser -ObjectId firstname.lastname@example.org | fl *ID*

ObjectId                       : 0b1a9aa0-43e3-49e1-bb09-db1b09144e6b
ConsentProvidedForMinor        :
ImmutableId                    : gNhIe/ITL0K4HM2syRD8sQ==
OnPremisesSecurityIdentifier   : S-1-5-21-3688220979-3330231506-4120471870-1110
RefreshTokensValidFromDateTime : 9/14/2021 9:55:04 PM
We don’t find any employeeID information here…!
To retrieve the extension attributes, you must use the Get-AzureADUserExtension cmdlet.
This command looks at the special directory handled by the Tenant Schema Extension App:
PS C:\> Get-AzureADUserExtension -ObjectId email@example.com

Key                                                    Value
---                                                    -----
odata.metadata                                         https://graph.windows.net/c1493961-2ba6-41ae-b462-e3e7e4dae630/$metadata#directoryObjects/@Element
odata.type                                             Microsoft.DirectoryServices.User
createdDateTime                                        9/14/2021 9:56:03 PM
employeeId                                             14-12-1546
onPremisesDistinguishedName                            CN=Tycho Brahe,OU=Denmark,OU=Users,OU=E365M,DC=easy365manager,DC=local
userIdentities
userState
userStateChangedOn
extension_b3cbe46992964923919c175dcd1c974d_employeeID  14-12-1546
Using the following command you can address the extension attribute directly:
(Get-AzureADUserExtension -ObjectId firstname.lastname@example.org).extension_b3cbe46992964923919c175dcd1c974d_employeeID
Note that (as opposed to the rest of Azure AD) the Azure AD extension attributes are case-sensitive:
_employeeId and _employeeID are NOT the same!
Mistaking the case of the attribute name will leave you with an empty output!
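Because the extension key is case-sensitive and embeds a tenant-specific GUID, hard-coding it is fragile. The following helper is an added example (not code from the original post): it discovers the extension_[GUID]_<attribute> key for a user, tries an exact (case-sensitive) match first, and warns when only a case-insensitive match exists. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the function name and the sample UPN are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes: AzureAD module installed and Connect-AzureAD already run.
function Get-UserExtensionValue {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Attribute name exactly as it appears in the AADC rule, e.g. "employeeID".
        [Parameter(Mandatory)] [string] $AttributeName
    )

    # Get-AzureADUserExtension returns a dictionary keyed by attribute name;
    # the synced extension keys look like extension_<32-hex-GUID>_<attribute>.
    $ext = Get-AzureADUserExtension -ObjectId $UserPrincipalName
    $pattern = '^extension_[0-9a-fA-F]{32}_(.+)$'

    $exact = $null
    $loose = $null
    foreach ($key in $ext.Keys) {
        if ($key -match $pattern) {
            $name = $Matches[1]
            if ($name -ceq $AttributeName) { $exact = $key; break }   # case-sensitive hit
            if ($name -ieq $AttributeName) { $loose = $key }          # differs only in case
        }
    }

    if ($exact) { return $ext[$exact] }

    if ($loose) {
        # This is the pitfall described above: the value exists, but a direct
        # lookup with the wrong case would silently return nothing.
        Write-Warning "No key for '$AttributeName', but found '$loose'. Check the case of the attribute name."
        return $ext[$loose]
    }

    Write-Warning "No extension attribute '$AttributeName' is synced for $UserPrincipalName."
    return $null
}

# Placeholder UPN; the lookup with the wrong case ("employeeId") now warns instead of returning nothing.
Get-UserExtensionValue -UserPrincipalName 'firstname.lastname@example.org' -AttributeName 'employeeId'
```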
Extending the replication scope from your Active Directory to Azure AD involves a few moving parts.
Understanding the components involved can save you a lot of trouble.
A lot of admins find the Active Directory and Azure AD integration a bit confusing.
To many, it’s also a great inconvenience to switch between the many different admin tools:
- Active Directory Users & Computers
- Exchange on-premises web console
- Microsoft 365 admin center web console
- Exchange online web console
Just to mention some of the more common…
If you would like to do all daily AD and Office 365 management from one single tool, have a look at Easy365Manager.
Easy365Manager is a snap-in to AD Users & Computers that adds new tabs to user and group properties.
With Easy365Manager, you can save tons of hours on your daily admin tasks.
Download our free 30-day trial today and start saving time now!