All product names, logos, and brands used in this post are property of their respective owners.
This is a quick post about setting extension attributes 1 - 15 on Azure AD Guest identities (or any other Azure AD account for that matter). I admittedly Googled this for longer than I should have before I stumbled across the solution. Here are the steps:
- Install the Azure AD PowerShell module and authenticate:

    Install-Module AzureAD
    Connect-AzureAD
- (Optional) Create a new Guest or B2B user:

    New-AzureADMSInvitation -InvitedUserDisplayName "Rene Descartes" -InvitedUserEmailAddress "rene.descartes@example.com" -InviteRedirectURL https://myapps.microsoft.com -SendInvitationMessage $false
- Get the ObjectId of the Guest or B2B user:

    Get-AzureADUser -SearchString "Rene"

    ObjectId                             DisplayName    UserPrincipalName                                    UserType
    --------                             -----------    -----------------                                    --------
    32ac1405-ee40-4eff-ac14-6ddd9ae99a9b Rene Descartes rene.descartes_example.com#EXT#@xxxx.onmicrosoft.com Guest
- Set extensionAttribute1 on the Guest or B2B user, using the ObjectId returned above:

    Set-AzureADUserExtension -ObjectId 32ac1405-ee40-4eff-ac14-6ddd9ae99a9b -ExtensionName extensionAttribute1 -ExtensionValue "Some value"
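As an added example (not code from the original post), the steps above wrapped into one function: it looks the guest up by the invited e-mail address instead of a display-name prefix, insists on exactly one match, sets the chosen extensionAttributeN and reads it back before the value is relied on in a claim. It assumes Install-Module AzureAD and Connect-AzureAD have already been run; the function name, e-mail address and value are placeholders.

```powershell
# Added example, not from the original post. Assumes the AzureAD module is
# installed and Connect-AzureAD has already been run in this session.
function Set-GuestExtensionAttribute {
    param(
        [Parameter(Mandatory)] [string] $Mail,                        # invited e-mail address
        [Parameter(Mandatory)] [ValidateRange(1, 15)] [int] $Index,   # extensionAttribute1..15
        [Parameter(Mandatory)] [string] $Value
    )

    # Filter on the mail attribute rather than -SearchString: SearchString is a
    # prefix match over several properties and can return more than one account.
    # Single quotes are doubled so the address cannot break out of the OData filter.
    $escaped = $Mail.Replace("'", "''")
    $users = @(Get-AzureADUser -Filter "mail eq '$escaped'")
    if ($users.Count -ne 1) {
        throw "Expected exactly one user with mail '$Mail', found $($users.Count)."
    }
    $user = $users[0]
    if ($user.UserType -ne 'Guest') {
        Write-Warning "$($user.UserPrincipalName) has UserType '$($user.UserType)', not Guest."
    }

    $name = "extensionAttribute$Index"
    Set-AzureADUserExtension -ObjectId $user.ObjectId -ExtensionName $name -ExtensionValue $Value

    # Read the attribute back so a silent failure is caught here, not when the
    # claim is inspected downstream.
    $ext = Get-AzureADUserExtension -ObjectId $user.ObjectId
    if ($ext[$name] -ne $Value) {
        throw "Verification failed: $name is '$($ext[$name])', expected '$Value'."
    }

    [pscustomobject]@{
        ObjectId          = $user.ObjectId
        UserPrincipalName = $user.UserPrincipalName
        Attribute         = $name
        Value             = $ext[$name]
    }
}

# Placeholder call using the same sample user as the post
Set-GuestExtensionAttribute -Mail 'rene.descartes@example.com' -Index 1 -Value 'Some value'
```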
Once done, you can configure Enterprise Applications to emit extensionAttribute1 (or any other extension attribute) as a claim:
You can confirm the correct value of the custom claim with the trusty RSA SAML 2.0 Test Service Provider:
I hope this helps someone looking to achieve a similar result (and saves some Googling)!