diff --git a/content/posts/2025/extension-attributes-and-api-driven-provisioning.mdx b/content/posts/2025/extension-attributes-and-api-driven-provisioning.mdx new file mode 100644 index 0000000..b92338d --- /dev/null +++ b/content/posts/2025/extension-attributes-and-api-driven-provisioning.mdx @@ -0,0 +1,129 @@ +--- +title: Extension Attributes and API Driven Provisioning +category: Identity +heroImg: /uploads/Blogs/API-Driven-Provisioning.png +excerpt: > + Learn how to extend the user schema in Microsoft Entra ID to support + API-driven provisioning, using custom attributes to enrich identity flows and + align with HR or business system requirements. +author: content/authors/warwick.md +date: 2025-09-14 +--- + +Modern identity systems often require more than just first name, last name, and job title. With API-driven provisioning in Microsoft Entra ID, you can ingest enriched identity data—like cost centres, manager aliases, or internal classification codes—by mapping them to extension attributes. + +This post explores: + +- What extension attributes are +- How to register and use them +- How to map them in an API-driven provisioning workflow + +--- + +## What Are Extension Attributes? + +Microsoft Entra ID supports schema extensions to hold custom identity metadata beyond the default directory attributes. + +There are two main types: + +- **Directory extension attributes** (e.g., `extensionAttribute1–15`, often synced from on-prem AD) +- **Custom schema extensions** (e.g., `extension_{appId}_{attributeName}`) + +In API-driven provisioning, you can use either type—but custom schema extensions are **preferred for cloud-native HR-to-Entra scenarios**. + +--- + +## Registering Schema Extensions + +To register a schema extension: + +```http +POST https://graph.microsoft.com/v1.0/schemaExtensions +Content-Type: application/json +``` + +```json +{ + "id": "contosoIdentity", + "description": "Contoso's HR identity extensions", + "targetTypes": ["User"], + "properties": [ + { + "name": "employeeRegion", + "type": "String" + }, + { + "name": "costCentreCode", + "type": "String" + } + ] +} +``` + +After registration, your attributes will appear as: + +- `extension_contosoIdentity_employeeRegion` +- `extension_contosoIdentity_costCentreCode` + +These can now be used in user objects, filtered in Graph queries, and mapped in API-based provisioning. + +--- + +## API-Driven Provisioning and Attribute Mapping + +In your Entra **API-driven inbound provisioning** setup: + +- Extension attributes from your source system (e.g., Workday, Aurion, SAP) can be passed in the payload +- These values are mapped into Entra ID using attribute mappings like: + +```json +{ + "sourceAttributeName": "region", + "targetAttributeName": "extension_contosoIdentity_employeeRegion" +} +``` + +This lets you: + +- Enrich the user profile with business context +- Drive access policy decisions (e.g., Access Packages or Conditional Access) +- Use these values in dynamic group rules + +--- + +## Tips for Working with Extension Attributes + +- 🔒 `schemaExtensions` are **immutable** once published (you can't rename or change property types) +- ⚠️ Avoid using `extensionAttribute1–15` for new apps unless bridging with on-prem AD +- 🔄 You can still **patch user values** using Graph API after provisioning + +--- + +## Example Use Case: HR System Sends Division + Cost Centre + +Imagine your HR system sends: + +```json +{ + "userPrincipalName": "jane.doe@contoso.com", + "division": "APAC", + "costCentre": "IT045" +} +``` + +You map these to: + +- `extension_contosoIdentity_division` +- `extension_contosoIdentity_costCentre` + +Now, you can: + +- Add users to dynamic groups by division +- Assign licenses by cost centre +- Create audit reports from Entra ID profiles alone + +--- + +## Wrapping Up + +Extension attributes enable true identity enrichment in Microsoft Entra ID, especially when combined with API-driven provisioning. They allow IT and HR to meet in the middle—passing meaningful business context into the cloud directory, powering automation, access decisions, and governance.