Set extensionAttribute1-15 on Azure AD guest accounts

Decorative image - PowerShell and Azure AD logos with user icon and attribute list

All product names, logos, and brands used in this post are property of their respective owners.

This is a quick post about setting extension attributes 1 - 15 on Azure AD Guest identities (or any other Azure AD account for that matter). I admittedly Googled this for longer than I should have before I stumbled across the solution. Here are the steps:

  1. Install the Azure AD PowerShell module and authenticate:

    Install-Module AzureAD

  2. (Optional) Create a new Guest or B2B user:

    New-AzureADMSInvitation -InvitedUserDisplayName "Rene Descartes" -InvitedUserEmailAddress "" -InviteRedirectURL -SendInvitationMessage $false

  3. Get the ObjectID of a Guest or B2B user:

    Get-AzureADUser -SearchString "Rene"
    ObjectId                             DisplayName     UserPrincipalName                                      UserType
    --------                             -----------     -----------------                                      --------
    32ac1405-ee40-4eff-ac14-6ddd9ae99a9b Rene Descartes   Guest

  4. Set extensionAttribute1 on a Guest or B2B user:

    Set-AzureADUserExtension -ObjectID 32ac1405-ee40-4eff-ac14-6ddd9ae99a9b -ExtensionName extensionAttribute1 -ExtensionValue "Some value"

Once done, you can configure Enterprise Applications to emit extensionAttribute1 (or any other extension attribute) as a claim:

Screenshot of adding extensionAttribute1 (sourced from user.extensionAttribute1) as a custom claim to an Azure AD Enterprise Application (SAML)

You can confirm the correct value of the custom claim with the trusty RSA SAML 2.0 Test Service Provider:

Screenshot of the custom extensionAttribute1 claim’s value in the SAML response via the RSA SAML 2.0 Test Service Provider

I hope this helps someone looking to achieve a similar result (and saves some Googling)!