AAD AAD Connect directory extension

Find any multi-valued Directory Extension attribute via Graph API $search operator

UPDATE – It seems since writing this article the method below has changed (search), and is not available anymore to return the multi-valued attribute. Will update the blog once I have figured out a way 🙂

I was recently looking for certain extension attributes sourced from Active Directory that would not surface on the typical queries; Like using $select and then ($filter=id eq, startswith)

Reason I found out for this was, that multi-valued string attributes are not consumable by granular API calls in Graph API at the moment.

-> Multi-valued directory sync extension attributes are not surfaced in schema?


This blog outlines a workaround for this limitation; The workaround is achieved using another operator for Graph ODATA queries, resulting of consumable attributes in Graph API clients


  • For the example outlined here I used User.Read.All, which requires admin grant
Permissions outlined in Get open extension – Microsoft Graph v1.0 | Microsoft Docs
  • For Graph API endpoint you need to use the beta endpoint, to tap in to the power of search operator <https://graph.microsoft.com/beta/users/shanti@dewi.red?$search="*">
  • Obviously, you also need to complete the process of syncing these attributes in the first place as outlined here
Example of configuration in AAD Connect

Process for multi-valued extension attribute

  • For multi-valued custom extension attribute we can use the beta endpoint and $search operator
    • I believe this limitation of having to use $search for multi-valued custom attribute might be soon history, but for now only way I found this works is as outlined below
    • Currently the downside of this method is that you end up returning all user attributes surfaced in the Graph API for the selected user, which might be problematic if you want retain minimal data principle.

// Call HTTP GET

// Response 200 (Partial response, full response includes all attributes)

userPrincipalName: 'shanti@dewi.red',
externalUserState: null,
externalUserStateChangeDateTime: null,
userType: 'Member',
'extension_47caeaeda62048129438499e0872cdb2_url@odata.type': '#Collection(String)',
extension_47caeaeda62048129438499e0872cdb2_url: [ 'https://securecloud.blog/about', 'https://securecloud.blog' ],
extension_47caeaeda62048129438499e0872cdb2_employeeID: '987897


The result is the multi-valued attribute now searchable via Graph API

extension_47caeaeda62048129438499e0872cdb2_url: [ 'https://securecloud.blog/about', 'https://securecloud.blog' ]

Source attribute

Example call from Node.js

var uri = 'https://graph.microsoft.com/beta/users/a49f4a40-2f62-4f25-8ba9-fc1c25366317?$search="*"'
var opt = {
    method: 'GET',
    json: true,
    headers: {
        Authorization: 'Bearer ' + secrettoken,
        'content-type': 'application/json'
//Anyreq is custom function I made for AXIOS module
anyreq(opt, 'body').catch((error) => {

        return JSON.stringify(error)
    .then((data) => {

        return JSON.stringify(data)

Example for SAML payload

Process for single value extension attribute

  • We can use the example as outlined in the docs article

// Call HTTP GET

// Response 200
found body
'@odata.context': 'https://graph.microsoft.com/beta/$metadata#users(extension_47caeaeda62048129438499e0872cdb2_employeeID)/$entity',
extension_47caeaeda62048129438499e0872cdb2_employeeID: '9878977896'


While I was testing the solution I found many helpful articles

Use query parameters to customize responses – Microsoft Graph | Microsoft Docs

Microsoft Graph API does not show custom extensions · Issue #49955 · MicrosoftDocs/azure-docs · GitHub

Configure synchronization with directory extension attributes – Microsoft Graph beta | Microsoft Docs

Support for multi-valued attributes synchronized from on premises AD – Customer Feedback for ACE Community Tooling (azure.com)

Multi-valued attributes with AD Connect and Azure AD | (alven.tech)

0 comments on “Find any multi-valued Directory Extension attribute via Graph API $search operator


Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:


Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )


Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: