I have an on-prem AD in which I've defined a value against a directory extension property "msDS-cloudExtensionAttribute1" on a user.
I've successfully configured ADConnect to synchronise this directory extension property out to Azure AD / Entra.
Using PowerShell, I can see that the property is now present against the user in AAD by running the command "Get-AzureADUserExtension -ObjectId 54c244ae-xxxx-xxxx-xxxx-xxxxc6f9907a". It shows me that the property is recorded against the user:

Key                                                                        Value
extension_90d845fxxxxxxxxxxxxx5310f0f9655cb_msDS_cloudExtensionAttribute1  DAVR
which follows the logical Key name of "extension_AppID_PropertyName" where the AppID is the Application (client) ID of the "Tenant Schema Extension App" in my AAD app registrations. I understand that the Tenant Schema Extension App is created by the ADConnect sync.
My problem:
I have another app "AppB" registered in my AAD. I want to be able to return the directory extension property and its value as a claim in the ID token issued for AppB to an authenticated user.
I've tried configuring via the Token Configuration, but the extension property isn't among the list of available claims to add to the ID token.
I've tried via the Manifest, adding the attribute under the OptionalClaims for the idToken. It lets me save the Manifest, but back under the Token Configuration, it shows a warning that "This claim is not supported and will not be returned in the token".
I've read nearly all of Microsoft's Learn articles. I've read https://www.xtseminars.co.uk/post/azure-ad-schema-and-directory-extensions and https://winsmarts.com/using-token-configuration-to-include-arbitrary-claims-in-id-token-or-access-token-or-samltoken-26f75ee13bf0 which give great background, but don't answer my question.
The issue obviously boils down to the appID that the extension property is recorded against on the user object. It is the appID for the Tenant Schema Extension App and not the appID for my AppB.
I assume I need some kind of mapping between the apps. Or permission for AppB to read a Tenant Schema Extension App property on users?
Bard suggested it is possible in the Manifest by adding:
{
    "name": "extension_attribute-name",
    "essential": false,
    "source": "user",
    "additionalProperties": [
        { "value": "extension__TenantSchemaExtension" }
    ]
}
But when I tried this, AAD won't even let me save the Manifest and complains "Error detail: An unexpected 'StartObject' node was found when reading from the JSON reader. A 'PrimitiveValue' node was expected."
The JSON is well formed, so I think Bard perhaps just had a guess at how to do it and got it wrong?
Any tips/answers much appreciated!
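An added diagnostic script (not part of the original question, and not the poster's code) that confirms the point made about the AppID: it parses the AppID embedded in the extension claim key on the user, compares it with the Application (client) ID of the "Tenant Schema Extension App" and of "AppB", and lists the extension properties each app registration actually owns. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the user object ID is the placeholder from the post and the app display names are taken from the post.

```powershell
# Added diagnostic, not from the original post. Assumes Connect-AzureAD has been run.
$userObjectId  = '54c244ae-xxxx-xxxx-xxxx-xxxxc6f9907a'   # placeholder ID from the post
$attributeName = 'msDS_cloudExtensionAttribute1'          # hyphen becomes underscore in the key

# 1. Read the extension values on the user and pick out the synced attribute.
$ext = Get-AzureADUserExtension -ObjectId $userObjectId
$key = $ext.Keys | Where-Object { $_ -like "extension_*_$attributeName" }
if (-not $key) { throw "No extension key for $attributeName found on user $userObjectId" }

# Key format is extension_<AppId without hyphens>_<PropertyName>, so index 1 is the AppId.
$embeddedAppId = ($key -split '_')[1]
Write-Host "Claim key:                   $key"
Write-Host "Embedded AppID (no hyphens): $embeddedAppId"

# 2. For each candidate app registration, compare its Application (client) ID
#    (hyphens removed) with the embedded AppID and list the extension properties it owns.
foreach ($displayName in @('Tenant Schema Extension App', 'AppB')) {
    $app = Get-AzureADApplication -Filter "displayName eq '$displayName'"
    if (-not $app) { Write-Warning "App registration '$displayName' not found"; continue }

    $owns = (($app.AppId -replace '-', '') -eq $embeddedAppId)
    $verdict = if ($owns) { 'matches' } else { 'does NOT match' }
    Write-Host ("{0}: AppId {1} {2} the AppID in the claim key" -f $displayName, $app.AppId, $verdict)

    # Extension properties registered on this app; expect the synced attribute only
    # under the Tenant Schema Extension App and none under AppB.
    Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId |
        Select-Object Name, TargetObjects, DataType |
        Format-Table -AutoSize
}
```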