Set multiple attributes on AAD users with Set-AzureADUserExtension

2023-03-11

Decorative image - PowerShell and Azure AD logos with user icon and attribute list

All product names, logos, and brands used in this post are property of their respective owners.

This post is yet another about Azure AD and setting attributes on accounts. I recently worked on performance tuning a PowerShell script that was designed to set attribute values on Azure AD accounts in bulk. The script used a combination of the Set-AzureADUser and Set-AzureADUserExtension cmdlets to achieve that, which doubled the number of Graph API calls and ultimately doubled the execution time of the script.

As it turns out, the Set-AzureADUserExtension cmdlet can set any attribute that Set-AzureADUser can (or at least the ones I was interested in). With that in mind, I opted to combine the commands into a single instance of Set-AzureADUserExtension and use the -ExtensionNameValues parameter (which accepts a “dictionary of strings” or Dictionary<TKey,TValue> Class variable). The documentation for -ExtensionNameValues lacks an example, and the Dictionary<TKey,TValue>[System.String,System.String] type was not immediately obvious to me, but I muscled through it and derived the following:

  1. Install the Azure AD PowerShell module and authenticate: 

    Install-Module AzureAD
Connect-AzureAD

  2. Create a dictionary of strings to store the attribute/value pairs: 

    $setAzureADUserExtensionValues = New-Object 'System.Collections.Generic.Dictionary[String,String]'

  3. Add attribute/value pairs to the dictionary: 

    $setAzureADUserExtensionValues.Add("CompanyName", "E Corp")
$setAzureADUserExtensionValues.Add("JobTitle", "CEO")
$setAzureADUserExtensionValues.Add("GivenName", "Phillip")
$setAzureADUserExtensionValues.Add("Surname", "Price")
$setAzureADUserExtensionValues.Add("DisplayName", "Phillip Price")
$setAzureADUserExtensionValues.Add("PhysicalDeliveryOfficeName", "135 East 57th Street")
$setAzureADUserExtensionValues.Add("extensionAttribute10", "CW892451")
    Note that the first value in each pair is the name of the Azure AD account attribute and the second pair is the desired value of the attribute.

  4. Finally, set the attributes on an Azure AD account: 

    Set-AzureADUserExtension -ObjectID 32ac1405-ee40-4eff-ac14-6ddd9ae99a9b -ExtensionNameValues $setAzureADUserExtensionValues

Pump users and values through that in a loop, and you can update most (all?) attributes on an Azure AD account (including Guest and B2B users) with a single cmdlet. I hope this helps someone looking to achieve a similar result.