Extension attributes

  • Last update on May 12th, 2026

A predefined set of attributes is available for user entities and is routinely imported and managed. To extend this set, additional user attributes can be configured, up to a maximum of 45. In this article, these are referred to as extension attributes.

CoreView currently supports only directory extensions / extension properties for User objects. This includes cloud directory extensions created in Microsoft Entra ID and on-premises directory extensions synchronized from Active Directory.

CoreView does not currently support Microsoft Entra custom security attributes, schema extensions, or open extensions.

Because the term custom attributes can be confused with custom security attributes in Microsoft Entra, this article uses extension attributes when referring to supported attributes.

 

This functionality allows extension attributes to be configured in the portal. They can be imported through full imports and on-premises imports, managed through supported management actions, and used in Virtual Tenant filters, reports, and user entities.

Configuration requirements for cloud-only attributes

These attributes are hosted in Microsoft Entra ID as directory extensions / extension properties.

Microsoft documentation:

Instructions to manage cloud directory extensions

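To view the extension properties already configured in the tenant, connect to Microsoft Graph PowerShell and run the following script. It lists the directory extensions that can be mapped in the platform:

# Sign in with a scope that allows reading application registrations.
Connect-MgGraph -Scopes "Application.Read.All"

# -All pages through every application instead of only the first page of results.
$applications = Get-MgApplication -All
foreach ($app in $applications) {
    # $app.Id is the object ID that Get-MgApplicationExtensionProperty expects.
    $extensionProperties = Get-MgApplicationExtensionProperty -ApplicationId $app.Id
    if ($extensionProperties) {
        Write-Output "Application ID: $($app.Id)"
        Write-Output "Application Name: $($app.DisplayName)"
        Write-Output "Extension Properties:"
        # Name holds the full extension name to enter in the mapping.
        $extensionProperties | Format-Table Id, Name, DataType
        Write-Output "`n"
    }
}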

Before running these commands, ensure that the required Microsoft Graph permissions have been granted. For details, refer to the Microsoft documentation for Get-MgApplication and Get-MgApplicationExtensionProperty.

 
 

On-premises directory extensions

The default Active Directory schema includes the main attributes most organizations need. In some scenarios, additional attributes may need to be created and linked to the user class.

This article does not describe how to create new attributes directly in Active Directory. For that process, refer to the Microsoft Entra Connect documentation when the goal is to synchronize on-premises attributes to Microsoft Entra ID as directory extensions.

To obtain a list of on-premises attributes that can be integrated with the platform, use the PowerShell command below:

PowerShell command

# Requires the ActiveDirectory module (RSAT) and read access to the schema.
Import-Module ActiveDirectory

# oMSyntax values to include: Bool (1), Int (2), time values (23, 24) and Unicode string (64)
$allowedTypes = 1, 2, 23, 24, 64
$schemaNaming = (Get-ADRootDSE).schemaNamingContext

# Read the schema objects, keep those with an allowed syntax, and map the syntax to a data type name.
$attr = (Get-ADObject -SearchBase $schemaNaming -Filter * -Properties lDAPDisplayName, omSyntax).Where({ $allowedTypes -contains $_.omSyntax }) |
    Select-Object lDAPDisplayName, @{
        Name       = 'DataType'
        Expression = {
            if ($_.omSyntax -eq 1) {
                "Bool"
            }
            elseif ($_.omSyntax -eq 2) {
                "Int"
            }
            elseif ($_.omSyntax -eq 23 -or $_.omSyntax -eq 24) {
                "DateTime"
            }
            else {
                "String"
            }
        }
    } | Sort-Object lDAPDisplayName

# Show the result in an interactive grid window.
$attr | Out-GridView

Attributes that cannot be imported into CoreView

Unicode string attributes that can contain multiple values are not currently supported. This occurs when the value returned from Active Directory is stored as an ADPropertyValueCollection.

To check whether an on-premises attribute can be imported, run the following commands:

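# Placeholder: replace with the sAMAccountName (or DN, GUID, SID) of a user that has the attribute populated.
$identity = '<user-identity>'

# Request the attribute to test (postOfficeBox is used here as the example).
$user = Get-ADUser -Identity $identity -Properties postOfficeBox

# GetType() cannot be called on an empty ($null) value, so the attribute must hold a value.
$user.postOfficeBox.GetType()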

If the result is ADPropertyValueCollection, the attribute cannot be imported, because it is an array and not a string.

 
 
 

The output of the script that lists on-premises attributes includes two properties: LDAP display name and data type.

The attributes listed below cannot be configured, because they are already imported automatically:

List of non-configurable attributes

  • UserPrincipalName
  • GivenName
  • sn
  • l
  • c
  • Department
  • physicaldeliveryofficename
  • PostalCode
  • st
  • StreetAddress
  • Title
  • DisplayName
  • facsimiletelephonenumber
  • mobile
  • telephonenumber
  • WhenCreated
  • DistinguishedName
  • lastlogontimestamp
  • ObjectGUID
  • whenChanged
  • Proxyaddresses
  • lockouttime
  • userAccountControl
  • sAMAccountName
  • msDS-UserPasswordExpiryTimeComputed
  • objectSid
  • pwdLastSet
  • employeeID
  • employeeNumber
  • accountExpires
 
 

Synchronized directory extensions

These are on-premises Active Directory attributes synchronized to Microsoft Entra ID.

To synchronize on-premises attributes to Microsoft Entra ID as directory extensions, refer to the Microsoft guide: Microsoft Entra Connect Sync: Directory extensions.

Synchronized attributes may keep their on-premises name or appear with the cloud extension naming pattern. Because of this, the recommended approach is to use the name as it appears after synchronization. This helps ensure the attribute is recognized correctly in both on-premises and cloud environments.

To synchronize these attributes, the on-premises attributes must first be selected for synchronization in Microsoft Entra Connect. After synchronization completes, the attributes are also available in the cloud and can be listed using the cmdlet provided in the cloud section.

Once synchronized, these attributes can be assigned to all users, whether they are cloud-only, on-premises, or synchronized users.

Instructions for setting attributes in CoreView

Although several data types can exist in the local environment, CoreView supports only four data types. Each type has a fixed number of slots:

  • String - 30 slots
  • Integer - 5 slots
  • Boolean - 5 slots
  • DateTime - 5 slots

If the required permissions to modify organization settings are available, these attributes can be configured as follows:

  1. Go to Settings > My organization > Settings > Extension attribute mapping.
  2. For each attribute, configure the following values:
  • Account Type (On-Cloud, On-Premises, or Synchronized)
  • Extension Name (Microsoft name)
  • Friendly Name
  • Data Type (String, Int, Bool, or DateTime)
 
 

Extension name formats

The extension name format depends on the selected account type:

For on-cloud account types

For cloud directory extensions, the naming pattern must follow this structure:

extension_{applicationId}_{attributeGivenName}

In this pattern:

  • extension_ is the fixed prefix.
  • {applicationId} is the application identifier associated with the extension property.
  • {attributeGivenName} is the name assigned to the extension property.

The naming convention must be respected. If the format is incorrect, imports and management actions will not work correctly.

 
 
 

For on-premises account types

For on-premises attributes, use the exact attribute name as it appears in the local Active Directory environment. There are no additional naming restrictions, but the name must match exactly. Otherwise, imports and management actions may fail.

Do not use attribute names that are already listed as non-configurable in the on-premises section. Using those names may cause the on-premises import process to fail.

 
 
 

For synchronized account types

When an on-premises attribute is synchronized to the cloud as a directory extension, it becomes available in both Microsoft Entra ID and the local Active Directory environment. For these attributes, the cloud naming format is recommended:

extension_{applicationId}_{attributeGivenName}

Using this format helps ensure that the attribute can be used correctly for imports and management actions across all supported account types.
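
The naming rules, the non-configurable list and the slot limits above can be checked before the values are entered in the portal. The following PowerShell is an added example, not CoreView or Microsoft code: the function name Test-ExtensionMapping, the row layout and the sample rows are hypothetical, and it assumes {applicationId} appears in the name as 32 hexadecimal digits (the application ID with hyphens removed), which this page does not state.

```powershell
# Added example. The mapping rows at the bottom are constructed sample data.
# Attributes this page lists as imported automatically (not configurable).
$reserved = @(
    'UserPrincipalName','GivenName','sn','l','c','Department','physicaldeliveryofficename',
    'PostalCode','st','StreetAddress','Title','DisplayName','facsimiletelephonenumber',
    'mobile','telephonenumber','WhenCreated','DistinguishedName','lastlogontimestamp',
    'ObjectGUID','whenChanged','Proxyaddresses','lockouttime','userAccountControl',
    'sAMAccountName','msDS-UserPasswordExpiryTimeComputed','objectSid','pwdLastSet',
    'employeeID','employeeNumber','accountExpires')
$slots = @{ String = 30; Int = 5; Bool = 5; DateTime = 5 }   # slots per data type
# Assumption: {applicationId} is the app ID as 32 hex digits, hyphens removed.
$cloudName = '^extension_[0-9a-f]{32}_[A-Za-z0-9_]+$'

# Hypothetical helper: returns one finding (string) per rule a row breaks.
function Test-ExtensionMapping {
    param([Parameter(Mandatory)][object[]]$Mapping)
    foreach ($m in $Mapping) {
        $n = $m.ExtensionName
        if (-not $slots.ContainsKey($m.DataType)) {
            "${n}: unsupported data type '$($m.DataType)'"
        }
        switch ($m.AccountType) {
            'On-Cloud'     { if ($n -notmatch $cloudName) { "${n}: not extension_{applicationId}_{attributeGivenName}" } }
            'Synchronized' { if ($n -notmatch $cloudName) { "${n}: cloud naming format is recommended" } }
            'On-Premises'  { if ($reserved -contains $n) { "${n}: already imported automatically" } }
            default        { "${n}: unknown account type '$($m.AccountType)'" }
        }
    }
    # Compare the number of attributes per data type with the fixed slot count.
    $Mapping | Group-Object DataType |
        Where-Object { $slots.ContainsKey($_.Name) -and $_.Count -gt $slots[$_.Name] } |
        ForEach-Object { "$($_.Name): $($_.Count) attributes exceed $($slots[$_.Name]) slots" }
}

# Constructed rows: one valid cloud name, one with a hyphenated GUID,
# one reserved on-premises name, one ordinary on-premises attribute.
$planned = @(
    [pscustomobject]@{ AccountType = 'On-Cloud';    DataType = 'String'
                       ExtensionName = 'extension_0123456789abcdef0123456789abcdef_costCenter' }
    [pscustomobject]@{ AccountType = 'On-Cloud';    DataType = 'String'
                       ExtensionName = 'extension_01234567-89ab-cdef-0123-456789abcdef_region' }
    [pscustomobject]@{ AccountType = 'On-Premises'; DataType = 'String'; ExtensionName = 'employeeID' }
    [pscustomobject]@{ AccountType = 'On-Premises'; DataType = 'Int';    ExtensionName = 'contosoBadgeNumber' }
)
Test-ExtensionMapping -Mapping $planned
```

The check runs offline against the planned rows only. Whether an on-premises name exists in the local schema still has to be confirmed with the schema listing script in the on-premises section.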

 
 

Friendly name

The friendly name is an internal label used to identify each configured attribute clearly. It is the value shown in reports as the column title, in Virtual Tenant settings, and in management actions.

For on-cloud patterns, the friendly name defaults to attributeGivenName. A different label can be assigned if needed.

Using configured attributes in CoreView

Import functions

  • Full import: every 24 hours.
  • On-premises import: every 6 hours.

Reports

Virtual Tenant

Management actions (accessible only through the wizard)

Basic rules for actions

  • If the attribute is on-cloud, it is available for all cloud users and synchronized users. For synchronized users, it is written only in Microsoft Entra ID.
  • If the attribute is on-premises, it is available for on-premises users and synchronized users. For synchronized users, it is written only in the local Active Directory.
  • If the attribute is synchronized, it can be set for all users. Depending on the user type, it is visible only in Microsoft Entra ID for cloud users, only in local Active Directory for on-premises users, or in both directories for synchronized users.