Skip to content
Draft
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
---
title: Extension Attributes and API Driven Provisioning
category: Identity
heroImg: /uploads/Blogs/API-Driven-Provisioning.png
excerpt: >
Learn how to extend the user schema in Microsoft Entra ID to support
API-driven provisioning, using custom attributes to enrich identity flows and
align with HR or business system requirements.
author: content/authors/warwick.md
date: 2025-09-14
---

Modern identity systems often require more than just first name, last name, and job title. With API-driven provisioning in Microsoft Entra ID, you can ingest enriched identity data—like cost centres, manager aliases, or internal classification codes—by mapping them to extension attributes.

This post explores:

- What extension attributes are
- How to register and use them
- How to map them in an API-driven provisioning workflow

---

## What Are Extension Attributes?

Microsoft Entra ID supports schema extensions to hold custom identity metadata beyond the default directory attributes.

There are two main types:

- **Directory extension attributes** (e.g., `extensionAttribute1–15`, often synced from on-prem AD)
- **Custom schema extensions** (e.g., `extension_{appId}_{attributeName}`)

In API-driven provisioning, you can use either type—but custom schema extensions are **preferred for cloud-native HR-to-Entra scenarios**.

---

## Registering Schema Extensions

To register a schema extension:

```http
POST https://graph.microsoft.com/v1.0/schemaExtensions
Content-Type: application/json
```

```json
{
"id": "contosoIdentity",
"description": "Contoso's HR identity extensions",
"targetTypes": ["User"],
"properties": [
{
"name": "employeeRegion",
"type": "String"
},
{
"name": "costCentreCode",
"type": "String"
}
]
}
```

After registration, your attributes will appear as:

- `extension_contosoIdentity_employeeRegion`
- `extension_contosoIdentity_costCentreCode`

These can now be used in user objects, filtered in Graph queries, and mapped in API-based provisioning.

---

## API-Driven Provisioning and Attribute Mapping

In your Entra **API-driven inbound provisioning** setup:

- Extension attributes from your source system (e.g., Workday, Aurion, SAP) can be passed in the payload
- These values are mapped into Entra ID using attribute mappings like:

```json
{
"sourceAttributeName": "region",
"targetAttributeName": "extension_contosoIdentity_employeeRegion"
}
```

This lets you:

- Enrich the user profile with business context
- Drive access policy decisions (e.g., Access Packages or Conditional Access)
- Use these values in dynamic group rules

---

## Tips for Working with Extension Attributes

- 🔒 `schemaExtensions` are **immutable** once published (you can't rename or change property types)
- ⚠️ Avoid using `extensionAttribute1–15` for new apps unless bridging with on-prem AD
- 🔄 You can still **patch user values** using Graph API after provisioning

---

## Example Use Case: HR System Sends Division + Cost Centre

Imagine your HR system sends:

```json
{
"userPrincipalName": "jane.doe@contoso.com",
"division": "APAC",
"costCentre": "IT045"
}
```

You map these to:

- `extension_contosoIdentity_division`
- `extension_contosoIdentity_costCentre`

Now, you can:

- Add users to dynamic groups by division
- Assign licenses by cost centre
- Create audit reports from Entra ID profiles alone

---

## Wrapping Up

Extension attributes enable true identity enrichment in Microsoft Entra ID, especially when combined with API-driven provisioning. They allow IT and HR to meet in the middle—passing meaningful business context into the cloud directory, powering automation, access decisions, and governance.