Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

How to add extension attributes for AAD-Entra ID Devices

by | Nov 28, 2023 | Device Management, Featured Post, Graph, MDM, Microsoft Entra ID, Most Popular, News, Top Stories | 2 comments

Hi, as you might know, it has been possible for some time now to add extension attributes to your Entra ID joined devices. A few reasons for doing this would be:

  • Filtering devices in Conditional Access

For instance, you might include a “BE” attribute specifically for Belgian Autopilot pre-provisioned devices. You can then control the BE devices’ access to certain cloud apps, allowing only those specified devices to be used.

  • Creating Dynamic Entra ID Device groups

For instance, you might include a “BE” attribute specifically for Belgian Autopilot pre-provisioned devices. Afterwards, you can ensure that a particular Intune-deployed app or a specific Intune configuration policy is installed exclusively on those devices.

What kind of devices can have Extension Attributes?

All Entra ID (formerly Azure AD) device objects, regardless of platform (Windows, iOS, Android) and join type (Registered, Entra ID Joined, Hybrid Entra ID Joined), can have extension attributes applied to them. These attributes can be used for both Intune-managed and unmanaged devices.

Adding extension attributes to pre-registered Autopilot device objects can be beneficial: it allows them to be grouped and targeted with policies and applications before they enroll in Intune.

How to set the Extension Attributes to a device?

Update 16-01-2024 – I’ve added also the way to remove the attribute.

To set the attributes on a device we use Graph Explorer.

Sign in with your Entra ID credentials.

Here are a few example queries you can run:

You can find the object ID of a device in the Entra ID Portal: https://portal.azure.com/#view/Microsoft_AAD_Devices/DevicesMenuBlade/~/Devices/menuId~/null

Now we are going to add an extension on a device.

In Graph Explorer, change the request type to PATCH, make sure the endpoint is /devices/{id}, and use a JSON payload in the following format:

{
    "extensionAttributes": {
        "extensionAttribute1": "BE"
    }
}

Change the “BE” value to the one you want to use.

Of course, also make sure you have the necessary permissions: Device.ReadWrite.All or Directory.ReadWrite.All (Device.ReadWrite.All is the narrower of the two and is sufficient for this task). Here’s how a full request looks in the Graph Explorer tool.

To set the permissions go to your account icon and click Consent to permissions.

Search for the Directory permission and give consent on the Directory.ReadWrite.All permission.

Your full request should look like this: PATCH https://graph.microsoft.com/v1.0/devices/0a1b42df-98e0-45b1-acaa-2f09537678d2

A 204 “No Content” response signals success, so everything is in good order. If necessary, you can update multiple attributes at once by adding the respective entries under the extensionAttributes object. You can even modify properties other than the extension attributes in the same request. Afterward, perform a GET request to confirm the changes were applied, for example GET https://graph.microsoft.com/v1.0/devices/0a1b42df-98e0-45b1-acaa-2f09537678d2/extensionAttributes, and you can see that extensionAttribute1 has been changed to BE:

Beyond the Graph API, these attributes are visible within the Entra ID interface. To access them, navigate to the Devices tab, choose the specific device, and scroll down to the very bottom of the page.

To remove the extension attribute, send the same PATCH request with an empty value:

{
    "extensionAttributes": {
        "extensionAttribute1": ""
    }
}
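The same set, verify and clear sequence as a script, using the Microsoft Graph PowerShell SDK instead of Graph Explorer. This is an added example, not code from the original post: the device object ID is a placeholder, and the two function names are my own. It requests only Device.ReadWrite.All, reads the attribute back after the PATCH instead of trusting the 204 alone, and ends by clearing the value with the empty-string payload shown above.

```powershell
# Added example, not from the original post: set, verify and clear an
# extension attribute with the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph module. Function names are my own.

# Device.ReadWrite.All is enough for this task; Directory.ReadWrite.All is
# broader than needed, so it is not requested here.
Connect-MgGraph -Scopes "Device.ReadWrite.All" -NoWelcome

# Placeholder: replace with the device object ID from Entra ID > Devices.
$deviceId = "<device-object-id>"

function Set-DeviceExtensionAttribute {
    param(
        [Parameter(Mandatory)] [string] $DeviceId,
        [Parameter(Mandatory)] [ValidateRange(1, 15)] [int] $Index,
        [AllowEmptyString()] [string] $Value = ""   # "" clears the attribute
    )
    # Same payload shape as the Graph Explorer request above; only
    # extensionAttribute1..15 exist on a device object.
    $body = @{ extensionAttributes = @{ "extensionAttribute$Index" = $Value } }

    # Graph answers 204 No Content on success; the cmdlet throws on any
    # non-2xx status, so no explicit status check is needed here.
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/devices/$DeviceId" `
        -Body $body -ContentType "application/json"
}

function Get-DeviceExtensionAttributes {
    param([Parameter(Mandatory)] [string] $DeviceId)
    # GET returns a hashtable; select only what we need.
    $device = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/devices/${DeviceId}?`$select=id,displayName,extensionAttributes"
    return $device.extensionAttributes
}

# 1. Tag the device.
Set-DeviceExtensionAttribute -DeviceId $deviceId -Index 1 -Value "BE"

# 2. Read the value back rather than trusting the 204 alone.
$attrs = Get-DeviceExtensionAttributes -DeviceId $deviceId
if ($attrs.extensionAttribute1 -ne "BE") {
    throw "extensionAttribute1 was not applied on $deviceId"
}
"extensionAttribute1 is now '$($attrs.extensionAttribute1)'"

# 3. Clear it again; this is the empty-string payload from the post.
Set-DeviceExtensionAttribute -DeviceId $deviceId -Index 1 -Value ""
```

The read-back step matters in practice: a 204 only tells you the request was accepted, and a typo in the attribute name (for example extensionAttribute16, which does not exist) is the kind of mistake the ValidateRange check and the follow-up GET are there to catch before a dynamic group or Conditional Access filter silently matches nothing.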

That’s it. You can now start creating Dynamic Groups based on this extension attribute. To do so, go to your Entra ID groups and create a new group.

Group type is Security; give it a name and optionally a description, change the membership type to Dynamic Device, and add the correct dynamic query.

If you want to assign Microsoft Entra roles to this group in the future, do this now, because you cannot change this afterwards!

The dynamic membership rule is as follows:

(device.extensionAttribute1 -eq "BE")

Click save and create.

When the dynamic group processing is completed you can see your devices in the newly created group.
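The same group created from PowerShell with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The display name and mail nickname are placeholders of my own; the membership rule is the one from the post. After creation it lists the members that matched, which is the same check as looking at the group in the portal once processing has completed.

```powershell
# Added example, not from the original post: create the dynamic device
# group with the Microsoft Graph PowerShell SDK. Group name and mail
# nickname are placeholders of my own; the rule is the one from the post.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

# Dynamic membership rules use straight double quotes around the value;
# curly quotes copied from a web page are rejected by the rule parser.
$rule = '(device.extensionAttribute1 -eq "BE")'

$group = New-MgGroup `
    -DisplayName "Devices - BE Autopilot" `
    -MailNickname "devices-be-autopilot" `
    -MailEnabled:$false `
    -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

"Created group $($group.DisplayName) ($($group.Id))"

# Rule processing is asynchronous; once it has finished, list the devices
# that matched. Members come back as directory objects, so the device
# display name sits in AdditionalProperties.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Run the member listing again a few minutes after creation if it comes back empty the first time; membership is evaluated in the background, exactly as with a group created in the portal.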

You can do the same for a conditional access filter.

Go to or create a Conditional Access policy, and in the Conditions section you can add a filter for devices based on the extension attributes.

Feel free to play around with the different settings.


2 Comments

  1. Ramesh Rajendran

    What happens to the EA when a device is re-provisioned?
    Are the EAs exposed via the API?
    Is there an audit when the EA gets modified?

    • joery

      Hi, if the device is removed from Entra the EA needs to be set again. I’m not aware of an audit for changes.
