Introduction
Microsoft Entra allows you to add custom attributes to directory objects, a valuable option for managing data according to your organizational needs. However, not all extension types are created equal, and it's best to understand their specifics before adopting them. Let's analyze the available options together for optimal configuration.
Good to know
Extensions allow you to customize objects for various scenarios such as governance, automation, or monitoring.
Extension Types Available in Microsoft Entra
Microsoft Entra offers several options to extend its directory objects. They are divided into four main types:
- Extension Attributes
- Directory Extensions
- Schema Extensions
- Open Extensions
In parallel, don't forget custom security attributes, although they don't follow the same extension model. These will be covered in a future article.
Quick Analysis of the Four Extension Types
Here's a summary of the main uses of extension types in Microsoft Entra:
| Extension Type | What's It Good For | Strengths | Limitations |
|---|---|---|---|
| Extension Attributes | Storage of simple custom values | Ease of use, hybrid integration | Limited to 15 fields, not suitable for structured data |
| Directory Extensions | Custom attributes for identity | Strong typing, good governance capabilities | Requires a custom application, not accessible via portal |
| Schema Extensions | Structured and reusable data | Better structure, supports multiple resources | Complex setup, managed lifecycle |
| Open Extensions | Flexible metadata with JSON | Easy to use, no schema constraints | Weak governance, unstructured typing |
Extension Attributes
Extension Attributes are the simplest to use. They include 15 predefined fields that allow you to store custom values as strings. Originally limited to on-premises AD DS and Exchange data, they can now be managed directly via Microsoft Graph for cloud-only environments.
Extension attributes are widely adopted due to their simplicity, though they are often misused. However, they present significant limitations such as:
- A maximum of 15 fields
- Limited support for user and device objects
- Difficulty in tracking and potential conflicts with third-party systems
Recommended Use Cases
Typical uses include:
- Integration with on-premises data
- Leveraging Exchange attributes
- Device filters in Conditional Access
- Displaying custom information in Microsoft 365 profile cards
Directory Extensions
Directory extensions allow you to add strongly typed and custom attributes to Microsoft Entra objects. These attributes are defined at the application level with their own naming convention:
1extension_<ApplicationIdentifier>_<CustomAttribute>Example:
1extension_abcdef1234567890_CostCenter2extension_abcdef1234567890_ManagerID3extension_abcdef1234567890_RegionStrengths
Directory extensions offer:
- Scalability through strong typing
- Native integration with Graph and other Microsoft Entra modules
- Support for a wide range of objects such as user, device, group, etc.
Limitations
- They require a custom application for their management
- Only visible via Microsoft Graph, not in the Microsoft Entra portal
Tip
Directory extensions are ideal for scenarios like dynamic groups, identity governance, or automated workflows.
Schema Extensions
Unlike directory extensions, schema extensions are not specific to identity objects. They allow you to define reusable data models attached to various Microsoft Graph resources.
Schema extensions differ through their lifecycle stages:
Development Phase
Create the extension, available only for your tenant.
Publication
Make the extension accessible to all applications in Microsoft Entra tenants.
Retirement
Declare the extension as obsolete via the Deprecated status.
Recommendations
Use schema extensions to structure reusable objects for multi-tenant applications or complex data models.
Open Extensions
Open extensions are distinguished by their flexibility and simplified management of unstructured data in JSON format. These extensions are suitable for application-specific needs without requiring schema formalization.
Typically, they are appropriate for recording user preferences or temporary metadata, as in the following example:
1{2 "sessionData": {3 "ticketId": "ABC123",4 "priority": "high",5 "time": "2026-01-14T12:00:00Z"6 }7}Warning
Open extensions, while practical, offer limited governance and are rarely used in identity or provisioning scenarios.
Conclusion
Microsoft Entra offers flexible options to extend its directory objects, meeting various business needs. Each extension type presents strengths and weaknesses suited to particular contexts:
- Extension Attributes: Simple, but restricted
- Directory Extensions: Typed, ideal for identity workflows
- Schema Extensions: Structured and reusable
- Open Extensions: Lightweight and unconstrained
By choosing wisely, you optimize data consumption, governance, and maintenance. This initial choice also prevents the accumulation of technical debt.
Finally, stay tuned for our next article where we'll explore tools and methods to manage these extensions in Microsoft Graph!
