How to Sync a Default User Attribute from On-Prem Active Directory to Microsoft Entra ID using Microsoft Entra Connect

In this tutorial we show how to sync a default user attribute, e.g. “employeeID”, from on-prem Active Directory to Entra ID in the cloud via Microsoft Entra Connect. Before we start, check the following prerequisites:
- Microsoft Entra Connect (previously known as Azure AD Connect) is installed on a server and the version is 2 or higher
- That server is joined to the on-prem domain (or is itself a domain controller)
Check the User Attribute in Active Directory
First, open Active Directory Users and Computers and look at the user’s Attribute Editor tab to confirm how the attribute is populated on-prem.


Then we are going to set up the Entra ID sync.
Enable Directory extension attribute sync
Here are the steps which you need to follow:
1) Open the Microsoft Entra Connect wizard, choose Tasks, and then choose Customize synchronization options.

2) Sign in with an Entra ID account holding the Global Administrator or Hybrid Identity Administrator role.
3) On the Optional Features page, select Directory extension attribute sync.

4) Select the Employee ID attribute from the list and click on Configure:

5) Complete the wizard and run a full (initial) sync.
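The same procedure driven from PowerShell on the Entra Connect server, as an added example that is not part of the original post: it checks the on-prem value, confirms the wizard created the directory-extension sync rules, shows the inbound attribute flow, and triggers the full sync from step 5. It assumes a hypothetical account with sAMAccountName “josh”, the default rule names shipped with Entra Connect, and that the ActiveDirectory and ADSync modules are available in an elevated session.

```powershell
# Added example, not code from the original post. Run elevated on the Entra Connect server.
# Assumptions: sAMAccountName 'josh' is hypothetical; rule names are the Entra Connect defaults.
Import-Module ActiveDirectory
Import-Module ADSync

$samAccountName = 'josh'   # hypothetical account used throughout the post

# 1) What does on-prem AD hold? employeeID is not in Get-ADUser's default property set.
$adUser = Get-ADUser -Identity $samAccountName -Properties employeeID, userPrincipalName
if ([string]::IsNullOrEmpty($adUser.employeeID)) {
    throw "employeeID is empty on $samAccountName; nothing would be synced."
}
"{0}: on-prem employeeID = {1}" -f $adUser.userPrincipalName, $adUser.employeeID

# 2) Did the wizard add the directory-extension rules? Both must exist and be enabled.
#    Wildcards on the outbound name cope with builds that rename 'AAD' to 'Microsoft Entra ID'.
$patterns = 'In from AD - User DirectoryExtension', 'Out to * - User DirectoryExtension'
$allRules = Get-ADSyncRule
foreach ($pattern in $patterns) {
    $rule = $allRules | Where-Object { $_.Name -like $pattern } | Select-Object -First 1
    if (-not $rule)     { throw "Sync rule matching '$pattern' not found; re-run the wizard." }
    if ($rule.Disabled) { throw "Sync rule '$($rule.Name)' is disabled." }
    "{0} (direction {1}, precedence {2}) OK" -f $rule.Name, $rule.Direction, $rule.Precedence
}

# 3) Show the inbound flow for employeeID: the rules editor screenshot in the post shows the
#    value being truncated to 256 characters and written to the metaverse as extension_employeeID.
$inbound = $allRules | Where-Object { $_.Name -like $patterns[0] } | Select-Object -First 1
$inbound.AttributeFlowMappings |
    Where-Object { $_.Destination -like '*employeeID*' } |
    Select-Object Destination, FlowType, Expression

# 4) Step 5 of the wizard: run a full sync and wait until the scheduler is idle again.
Start-ADSyncSyncCycle -PolicyType Initial
do {
    Start-Sleep -Seconds 15
    $sched = Get-ADSyncScheduler
} while ($sched.SyncCycleInProgress)
"Full sync finished; next scheduled cycle: $($sched.NextSyncCycleStartTimeInUTC) UTC"
```

Use `-PolicyType Delta` for day-to-day changes; the initial policy is only needed after a rule change like this one, and on a large directory it can take a long time.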
Verify the Directory Extension Replication
When this is done, you can verify that the sync rules have been updated by opening the Microsoft Entra Connect Synchronization Rules Editor.
Launch the Synchronization Rules Editor from the Start menu as shown below:

Looking at inbound rules, select “In from AD – User DirectoryExtension”:

Clicking View displays the details of the rule, including the attribute flow for the extension:

As seen, the employeeID attribute is truncated to its leftmost 256 characters and stored in the Entra Connect metaverse as “extension_employeeID”.
To see the transformation applied when the attribute flows from the metaverse to Entra ID, switch to Outbound rules and select “Out to AAD – User DirectoryExtension”:

Clicking View reveals the following details:

As seen (the name is cut off in the screenshot), the extension_employeeID attribute is renamed to extension_[GUID]_employeeID on the way out. The GUID is the application ID, written without hyphens, of the enterprise application that holds the tenant’s schema extensions (the “Tenant Schema Extension App”). You can find it under Enterprise applications in the Azure portal:

How to Retrieve Extension Attributes from Entra ID
First install the AzureAD PowerShell module and sign in to the tenant:
Install-Module AzureAD
Connect-AzureAD
Now that synchronization is set up, let’s see how to read the new attribute back. Unlike on-prem AD, the extension value is not exposed as a regular property of the Entra ID user object; retrieve it with Get-AzureADUserExtension, which returns the extension properties registered through the Tenant Schema Extension App. Note that the AzureAD module is deprecated in favour of the Microsoft Graph PowerShell SDK, so treat this as the legacy way of reading the value:
PS C:\> Get-AzureADUserExtension -ObjectId josh@datawizatest.onmicrosoft.com

Key                                                   Value
---                                                   -----
odata.metadata                                        https://graph.windows.net/c1493961-2ba6-41ae-b462-e3e7e4dae630/$metadata#directoryObjects/@Element
odata.type                                            Microsoft.DirectoryServices.User
createdDateTime                                       4/14/2024 9:56:03 PM
employeeId                                            EID_123
userIdentities                                        []
userState
userStateChangedOn
extension_48f1cddfddbd450398acd86491e59a81_employeeID EID_123
The output lists two attributes with the same value: employeeId and `extension_{GUID}_employeeID`. This is expected: `employeeId` is the built-in Entra ID attribute, populated by the standard user sync rules, while `extension_{GUID}_employeeID` is the directory extension attribute added above.
Verify the result through Microsoft Graph Explorer
We can also verify the synced values with Microsoft Graph Explorer. More information is available in the Microsoft Graph documentation.
In my demo environment, I am using the following to verify employeeId attribute values.
https://graph.microsoft.com/beta/users/josh@datawizatest.onmicrosoft.com
Here josh@datawizatest.onmicrosoft.com is the user account. The beta endpoint is used because it returns the full property set of the user, including directory extension attributes, whereas the v1.0 endpoint returns only a default subset unless the extension is requested explicitly with $select=extension_{GUID}_employeeID. In Microsoft Graph Explorer the attribute value appears as expected.
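The verification from the two sections above (the PowerShell read-back and the Graph Explorer query), as an added example using the Microsoft Graph PowerShell SDK rather than the deprecated AzureAD module; this is not code from the original post. It derives the GUID in the attribute name from the Tenant Schema Extension App instead of copying it from a screenshot, reads the value with Get-MgUser, and repeats the query as a raw v1.0 REST call to show that the extension must be named in $select there. It assumes the user josh@datawizatest.onmicrosoft.com from the post, an extension named employeeID, and an account that can consent to the User.Read.All and Application.Read.All scopes.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph modules.
# Assumptions: the post's user josh@datawizatest.onmicrosoft.com; extension name employeeID;
# the extensions are registered on the standard 'Tenant Schema Extension App'.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All' -NoWelcome

$upn = 'josh@datawizatest.onmicrosoft.com'

# 1) Derive the GUID used in the attribute name: it is the appId of the
#    Tenant Schema Extension App with the hyphens removed.
$schemaApp = Get-MgApplication -Filter "displayName eq 'Tenant Schema Extension App'"
if (-not $schemaApp) { throw 'Tenant Schema Extension App not found; has the wizard been run?' }
$extName = 'extension_{0}_employeeID' -f ($schemaApp.AppId -replace '-', '')

# Cross-check against the extension properties actually registered on that app.
$registered = Get-MgApplicationExtensionProperty -ApplicationId $schemaApp.Id
if ($registered.Name -notcontains $extName) {
    throw "$extName is not registered. Registered extensions: $($registered.Name -join ', ')"
}

# 2) Read the user. Extension values are not typed properties of the MgUser object;
#    they are returned in the AdditionalProperties dictionary, keyed by the full name.
$user = Get-MgUser -UserId $upn -Property "id,userPrincipalName,employeeId,$extName"
[pscustomobject]@{
    UserPrincipalName = $user.UserPrincipalName
    employeeId        = $user.EmployeeId                     # built-in attribute
    Extension         = $user.AdditionalProperties[$extName]  # directory extension
}

# 3) Same check as raw REST on v1.0 (what Graph Explorer sends): unlike beta, v1.0 only
#    returns the extension when it is listed in $select.
$uri = 'https://graph.microsoft.com/v1.0/users/{0}?$select=employeeId,{1}' -f $upn, $extName
$raw = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable
if ($raw[$extName] -ne $raw['employeeId']) {
    Write-Warning 'Extension value and built-in employeeId differ; check the sync rules or run a delta sync.'
}
"$upn -> $extName = $($raw[$extName])"
```

The comparison in the last step is a cheap consistency check: both values originate from the same on-prem attribute, so a mismatch usually means the directory-extension rule has not run since the value changed.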

Also, it matches the value in the on-premises user object.
Summary
As we can see, it is possible to sync default attributes to Entra ID as directory extensions using Microsoft Entra Connect. This marks the end of this blog post. If you have any questions, feel free to contact us.
About Datawiza
Datawiza provides a no-code solution to integrate modern auth into your apps. It supports Microsoft Entra ID, Azure AD B2C, Amazon Cognito, Google, Okta, Auth0, Cisco Duo, Ping Identity, KeyCloak and others. You can leverage Datawiza to easily implement Multi-Factor Authentication (MFA), Single Sign-On (SSO), Passwordless and Conditional Access. Interested in learning more about it? Book a demo today.



