UPDATE – It seems that since I wrote this article the method below (search) has changed, and it is no longer available to return the multi-valued attribute. I will update the blog once I have figured out a way 🙂
I was recently looking for certain extension attributes sourced from Active Directory that would not surface in the typical queries, like using $select and then ($filter=id eq, startswith).
The reason I found for this was that multi-valued string attributes are not consumable by granular API calls in Graph API at the moment.
-> Multi-valued directory sync extension attributes are not surfaced in schema?

This blog outlines a workaround for this limitation. The workaround uses another operator for Graph OData queries, resulting in attributes that are consumable by Graph API clients.
Requirements
- For the example outlined here I used User.Read.All, which requires admin grant

- For the Graph API endpoint, you need to use the beta endpoint to tap into the power of the search operator:
https://graph.microsoft.com/beta/users/shanti@dewi.red?$search="*"
- Obviously, you also need to complete the process of syncing these attributes in the first place as outlined here

Process for multi-valued extension attribute
- For multi-valued custom extension attribute we can use the beta endpoint and $search operator
- I believe this limitation of having to use $search for multi-valued custom attributes might soon be history, but for now the only way I found that works is as outlined below
- Currently the downside of this method is that you end up returning all user attributes surfaced in the Graph API for the selected user, which might be problematic if you want to retain the minimal data principle.
// Call HTTP GET
https://graph.microsoft.com/beta/users/shanti@dewi.red?$search="*"
// Response 200 (Partial response, full response includes all attributes)
userPrincipalName: 'shanti@dewi.red',
externalUserState: null,
externalUserStateChangeDateTime: null,
userType: 'Member',
'extension_47caeaeda62048129438499e0872cdb2_url@odata.type': '#Collection(String)',
extension_47caeaeda62048129438499e0872cdb2_url: [ 'https://securecloud.blog/about', 'https://securecloud.blog' ],
extension_47caeaeda62048129438499e0872cdb2_employeeID: '987897
Result
The result is that the multi-valued attribute is now searchable via Graph API
extension_47caeaeda62048129438499e0872cdb2_url: [ 'https://securecloud.blog/about', 'https://securecloud.blog' ]

Example call from Node.js
// secrettoken is the access token, obtained beforehand (not shown here)
var uri = 'https://graph.microsoft.com/beta/users/a49f4a40-2f62-4f25-8ba9-fc1c25366317?$search="*"'
var opt = {
    method: 'GET',
    json: true,
    uri,
    headers: {
        Authorization: 'Bearer ' + secrettoken,
        'content-type': 'application/json'
    }
}
// anyreq is a custom function I made for the Axios module
anyreq(opt, 'body').catch((error) => {
    // A failed request is turned into a string and passed on to .then() below
    return JSON.stringify(error)
})
    .then((data) => {
        console.log(data)
        return JSON.stringify(data)
    })
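Because the $search call returns every attribute for the user, a client that wants to keep to the minimal data principle can drop everything except the directory extension attributes before logging or forwarding the result. The following is an added example, not code from the original post: the function name `pickDirectoryExtensions` and the sample object are constructed here, and it assumes extension keys follow the `extension_<32 hex characters>_<name>` form seen in the response above.

```javascript
// Added example: reduce a full Graph user object to its directory extension
// attributes only, so the rest of the profile is never logged or forwarded.

// Assumption: keys look like extension_<32 hex chars>_<attributeName>.
// Annotation keys such as "..._url@odata.type" fail the end anchor and are skipped.
const EXTENSION_KEY = /^extension_([0-9a-f]{32})_([A-Za-z0-9_]+)$/i;

// user:  parsed JSON body of the user response
// appId: optional id from the extension name (dashes allowed); when given,
//        extensions registered by any other application are dropped as well
function pickDirectoryExtensions(user, appId) {
  const wanted = appId ? appId.replace(/-/g, '').toLowerCase() : null;
  const picked = {};
  for (const [key, value] of Object.entries(user)) {
    const m = EXTENSION_KEY.exec(key);
    if (!m) continue;                                  // not an extension attribute
    if (wanted && m[1].toLowerCase() !== wanted) continue;
    // Copy arrays so multi-valued attributes stay independent of the source object
    picked[m[2]] = Array.isArray(value) ? [...value] : value;
  }
  return picked;
}

// Constructed sample, shaped like the partial response shown earlier on this page.
const sampleUser = {
  userPrincipalName: 'shanti@dewi.red',
  externalUserState: null,
  userType: 'Member',
  'extension_47caeaeda62048129438499e0872cdb2_url@odata.type': '#Collection(String)',
  extension_47caeaeda62048129438499e0872cdb2_url: [
    'https://securecloud.blog/about',
    'https://securecloud.blog'
  ],
  extension_47caeaeda62048129438499e0872cdb2_employeeID: '9878977896',
  // Constructed: an extension owned by a different (made-up) application id
  ['extension_' + '0'.repeat(32) + '_other']: 'x'
};

console.log(pickDirectoryExtensions(sampleUser, '47caeaeda62048129438499e0872cdb2'));
```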
Example for SAML payload
Process for single value extension attribute
- We can use the example as outlined in the docs article
// Call HTTP GET
https://graph.microsoft.com/beta/users/a49f4a40-2f62-4f25-8ba9-fc1c25366317?select=extension_47caeaeda62048129438499e0872cdb2_employeeID
// Response 200
found body
{
'@odata.context': 'https://graph.microsoft.com/beta/$metadata#users(extension_47caeaeda62048129438499e0872cdb2_employeeID)/$entity',
extension_47caeaeda62048129438499e0872cdb2_employeeID: '9878977896'
}
References
While I was testing the solution I found many helpful articles
Use query parameters to customize responses – Microsoft Graph | Microsoft Docs
Multi-valued attributes with AD Connect and Azure AD | (alven.tech)
