Energy: sync Active Directory user attribute without CoreView Hybrid Connector

A major European energy and communications provider successfully addressed a reporting and remediation challenge in their Microsoft 365 environment using the CoreView platform. 

Unable to deploy CoreView's Hybrid Connector, the company needed to surface the synchronized employeetype user attribute for effective reporting and compliance. Through a creative workaround leveraging CoreView's native reporting flexibility, custom action and workflow features, the IT team made employeetype accessible for segmentation and automation. This solution enhanced governance, accelerated audits, and delivered measurable operational efficiencies.

Customer profile

This organization is a mid-sized enterprise in the European energy and communications sector, supporting thousands of Microsoft 365 users across office and field roles. With complex regulatory requirements and a demanding hybrid environment, their IT team must maintain precise oversight and control of user accounts. Their Microsoft 365 environment integrates both cloud and on-premises AD, presenting unique challenges for attribute visibility and reporting.

Business challenge

The absence of CoreView's Hybrid Connector meant the IT department could not natively map synchronized employeetype attributes from their on-premises Active Directory into CoreView reports. This gap threatened compliance and consistency in user management and made critical operational processes inefficient.

Pain points:

• Lack of direct access to employeetype for reporting or audits.
• Labor-intensive and error-prone manual user classification.
• Delays in generating compliance and audit reports.
• Limited capability to automate user remediation and licensing actions.
• Rising administrative overhead and frustration among IT and compliance teams.

CoreView products involved

• CoreView ONE

Step-by-step solution guide

The below guide will detail the solutions produced to allow on-premises attributes to be synced to Entra, and in turn CoreView, when the customer does not have the CoreView Hybrid Connector add-on. The approach is designed to maintain attribute visibility and automation in environments where direct hybrid synchronization is unavailable.

An Entra custom attribute will be used, which is required to be mapped into CoreView. This allows important on-premises user information, such as the employeeType attribute, to be available within the CoreView platform for reporting, segmentation, and automated actions. By leveraging Entra's extensibility and CoreView's powerful automation features, IT teams can keep critical compliance-related data in sync.

Step 1: Entra Custom Attribute creation

A new custom attribute is created in Microsoft Entra (Azure AD) to serve as the destination for the on-premises employeeType value after the Entra Connect sync. This makes it possible to carry the necessary data from on-premises AD, through Entra, and ultimately into CoreView.

Open an Admin PowerShell and connect to Graph with the following command:

Connect-MgGraph -Scopes "Application.ReadWrite.All","Directory.ReadWrite.All" -ContextScope Process

An application is used to register a directory extension. Here we used the application that is already configured in the tenant for CoreView. The list of application already configured can be listed by Get-MgApplication -all command.

Now create the new custom attribute for the preferred application using the right ID and Name in the following command:

New-MgApplicationExtensionProperty -ApplicationId 'Id for CoreView Management Integration' -Name 'custom attribute name' -DataType String -TargetObjects @("User")

Make a note of the Name from the response; we will need this later in steps 2.

Additional information is available in the article “Add custom data to resources by using extensions” from the Microsoft documentation regarding the creation of the Entra extension.

Step 2: attribute mapping in CoreView

The newly created Entra custom attribute is mapped into CoreView as an extension attribute. This step ensures that CoreView recognizes the attribute, making it available for inclusion in user reports and as part of automated workflows.

To map the Attribute into CoreView, log into the CoreView Portal and navigate to “Settings > My organization”.

Click on “Settings > Extension Attributes Mapping”.

Select for the Account Type “on-Cloud” and paste the value from the ID response from Step 1 into Extension Name. 
Provide a Friendly Name and the Data Type equal "String" (in this case).

Detailed information are available into the article “Extension attributes” from our documentation.

Step 3: initial data population via Custom Action

A one-time custom action is run to copy the existing employeeType values from Entra into the new Entra custom attribute for all relevant users. After the synchronization period (normally every 24 hours), this will populate CoreView with the current state of employee types in the environment.

Navigate to “Actions > Manage Custom Actions”:

Click on “Add New”:

Give the Custom Action a “Title” and, if required, a “Description”:

Select “None” for the “Target”:

In “Inputs” select:

• “Type” = "String”
• "Name = “Extension”
• and tick “Is required”.

In the “Script” field paste the following:

Refresh-CVGraphToken
# Get all users where EmployeeType is present
$users = Get-MgUser -All -Property "UserPrincipalName,EmployeeType" | Where-Object { $_.EmployeeType }
 foreach ($user in $users) {
    $employeeType = $user.EmployeeType
    $body = @{
      $extension = $employeeType
    }
    Update-MgUser -UserId $user.UserPrincipalName -AdditionalProperties $body
    Write-Host "Updated $($user.UserPrincipalName): $employeeType"
}

This script utilizes Graph so Refresh-CVGraphToken is required at the top of the script. What the script does is filter all the users in the tenant for where EmployeeType attribute is not empty. It will loop through each user and copy that attribute into the custom attribute we created in Step 1.

Step 4: ongoing attribute maintenance using automation

To keep the attribute up-to-date, a second Custom Action is created which can update individual users' custom attribute whenever changes are detected. This action is incorporated into a CoreView Workflow, establishing a reusable, automated method for maintaining data consistency.

Navigate to “Actions > Manage Custom Actions”:

Click on “Add New”:

Give the Custom Action a “Title” and, if required, a “Description”:

Select “User” for the “Target”:

In “Inputs” select:

• “Type” = “String”
• “Name” = “Extension”
• and tick “Is required”.

In Script paste the following:

# This script refreshes the CoreView Graph token, retrieves a user's EmployeeType, 
# updates the user if EmployeeType is set, and provides output accordingly.
Refresh-CVGraphToken
$user = Get-MgUser -UserId $UserPrincipalName -Property "UserPrincipalName,EmployeeType" | Select-Object UserPrincipalName, EmployeeType
if ($user.EmployeeType) {
    $body = @{
        $extension = $user.EmployeeType
    }
    Update-MgUser -UserId $UserPrincipalName -AdditionalProperties $body
    Write-Host "Updated $($user.UserPrincipalName): $($user.EmployeeType)"
} else {
    Write-Host "$($user.UserPrincipalName) does not have EmployeeType set."
}

This script utilizes Graph so 'Refresh-CVGraphToken' is required at the top of the script. What the script does is update the individual users' Entra Custom Attribute with the value from Entra EmployeeType.

Now is necessary to encapsulate the custom action to have an automated method for maintaining data consistency.

Navigate to “Actions > Manage Workflows > Workflows”:

Click on “Create New”:

Give the Workflow a “Name” and then click on “Add > Action”:

In “Action Category” choose “Custom Actions” and find your Custom Action that was created in Step 4. Paste your value from Step 1 into the “Extension” field and then click “Fields” and select “UserPrincipalName”.

Click on the lightning bolt next to UserPrincipalName and select “Manage Execution Input”:

• Under “Target” select “User”
• Under “Name” select “UserPrincipalName” 
• and tick “Is Required”

and then click on “Save”.

Click on the lightning bolt next to UserPrincipalName and select “UserPrincipalName”, then click on “Save”:

Click on “Save > Save and Publish":

Step 6: real-time monitoring and policy-driven automation

A Custom Playbook Policy is used to monitor the Entra audit log for any changes to the employeeType attribute. When an update is detected, the associated Workflow is triggered automatically, this ensures that CoreView remains in sync with Entra.

Navigate to “Audit > Entra”:

Click on “Columns” and select “Modified properties”:

• Under “Workload” select “AzureActiveDirectory”
• Under “Operation” select “Update user”
• Under “Modified properties” type “EmployeeType”
• Change “Last 7 days” to “Last day”

Click on “Actions > Create Custom Policy”:

Fill in the details as required and then click on “Next”:

This will take you to the report we have just customized, click on “Next”:

Click “Next” and you will be in the Remediation action screen. 

• Toggle “Enable Remediation” and select “Run workflow”. 
• In “Select Workflow” select the workflow created under Step 5. 
• In the “Execution Inputs Mapping” click on the lightning bolt and choose “ObjectId”, then click on “Next”

Review the settings and click on “Save”:

The Playbook will monitor the Entra audit log for changes to the EmployeeType attribute and will run the Workflow to copy the attribute to the custom attribute.

Solution results

With this solution, key user attributes from on-premises AD are efficiently surfaced inside CoreView, supporting robust reporting, compliance audits, and automated account management. The need for manual user tracking and updates is eliminated, greatly reducing administrative workload while improving accuracy and timeliness of compliance operations.

Now we can segment and act on user employment types natively in CoreView, which saves our team hours every week" explained the project's lead IT administrator.

Reporting intervals are now automated, reducing audit preparation time by more than 60%, and improving accuracy for user-based workflows and remediation.

Achieved benefits

• Complete auditability of employeetype within user reports
• No extra licensing or connector procurement required
• Automated remediation and user segmentation based on real-time data
• Audit report turnaround time cut by over 60%
• IT operational efficiency measurably improved

These outcomes drove rapid ROI, ensuring compliance and efficiency without increasing the administrative burden or budget.

Additional resources

• Microsoft Create Custom Attribute
• Map Attributes in CoreView
• Create Custom Actions
• Create Workflows
• Audit Log
• Create Custom Playbook