Extension attributes (PR from TinaCMS)

content/posts/2025/extension-attributes-and-api-driven-provisioning.mdx

@@ -0,0 +1,129 @@
+---
+title: Extension Attributes and API Driven Provisioning
+category: Identity
+heroImg: /uploads/Blogs/API-Driven-Provisioning.png
+excerpt: >
+  Learn how to extend the user schema in Microsoft Entra ID to support
+  API-driven provisioning, using custom attributes to enrich identity flows and
+  align with HR or business system requirements.
+author: content/authors/warwick.md
+date: 2025-09-14
+---
+
+Modern identity systems often require more than just first name, last name, and job title. With API-driven provisioning in Microsoft Entra ID, you can ingest enriched identity data—like cost centres, manager aliases, or internal classification codes—by mapping them to extension attributes.
+
+This post explores:
+
+- What extension attributes are  
+- How to register and use them  
+- How to map them in an API-driven provisioning workflow  
+
+---
+
+## What Are Extension Attributes?
+
+Microsoft Entra ID supports schema extensions to hold custom identity metadata beyond the default directory attributes.
+
+There are two main types:
+
+- **Directory extension attributes** (e.g., `extensionAttribute1–15`, often synced from on-prem AD)  
+- **Custom schema extensions** (e.g., `extension_{appId}_{attributeName}`)
+
+In API-driven provisioning, you can use either type—but custom schema extensions are **preferred for cloud-native HR-to-Entra scenarios**.
+
+---
+
+## Registering Schema Extensions
+
+To register a schema extension:
+
+```http
+POST https://graph.microsoft.com/v1.0/schemaExtensions
+Content-Type: application/json
+```
+
+```json
+{
+  "id": "contosoIdentity",
+  "description": "Contoso's HR identity extensions",
+  "targetTypes": ["User"],
+  "properties": [
+    {
+      "name": "employeeRegion",
+      "type": "String"
+    },
+    {
+      "name": "costCentreCode",
+      "type": "String"
+    }
+  ]
+}
+```
+
+After registration, your attributes will appear as:
+
+- `extension_contosoIdentity_employeeRegion`  
+- `extension_contosoIdentity_costCentreCode`
+
+These can now be used in user objects, filtered in Graph queries, and mapped in API-based provisioning.
+
+---
+
+## API-Driven Provisioning and Attribute Mapping
+
+In your Entra **API-driven inbound provisioning** setup:
+
+- Extension attributes from your source system (e.g., Workday, Aurion, SAP) can be passed in the payload  
+- These values are mapped into Entra ID using attribute mappings like:
+
+```json
+{
+  "sourceAttributeName": "region",
+  "targetAttributeName": "extension_contosoIdentity_employeeRegion"
+}
+```
+
+This lets you:
+
+- Enrich the user profile with business context  
+- Drive access policy decisions (e.g., Access Packages or Conditional Access)  
+- Use these values in dynamic group rules  
+
+---
+
+## Tips for Working with Extension Attributes
+
+- 🔒 `schemaExtensions` are **immutable** once published (you can't rename or change property types)  
+- ⚠️ Avoid using `extensionAttribute1–15` for new apps unless bridging with on-prem AD  
+- 🔄 You can still **patch user values** using Graph API after provisioning
+
+---
+
+## Example Use Case: HR System Sends Division + Cost Centre
+
+Imagine your HR system sends:
+
+```json
+{
+  "userPrincipalName": "jane.doe@contoso.com",
+  "division": "APAC",
+  "costCentre": "IT045"
+}
+```
+
+You map these to:
+
+- `extension_contosoIdentity_division`  
+- `extension_contosoIdentity_costCentre`
+
+Now, you can:
+
+- Add users to dynamic groups by division  
+- Assign licenses by cost centre  
+- Create audit reports from Entra ID profiles alone  
+
+---
+
+## Wrapping Up
+
+Extension attributes enable true identity enrichment in Microsoft Entra ID, especially when combined with API-driven provisioning. They allow IT and HR to meet in the middle—passing meaningful business context into the cloud directory, powering automation, access decisions, and governance.