I'm managing a hybrid identity environment with around 2000 users, where their accounts are synced from Active Directory into Entra ID for utilization with various systems for provisioning and single sign-on. Some of our systems require specific information to identify whether users are part of our leadership or senior leadership teams, among other criteria. Ideally, I'd like to use a custom extension attribute in AD, but we've run out of those due to previous limitations, and I currently have about nine different use cases that need to be addressed. Since both systems can write back to Entra ID, I'm trying to discover if there are any attributes that are strictly 'cloud only' within Entra that wouldn't be sent back to AD, allowing us to conserve our remaining extension fields. I've done some searching but haven't found any concrete information on this. Has anyone else encountered this issue?
4 Answers
You could look into security attributes; those might work for your sensitive information needs without needing to sync back to AD.
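As an added example (not part of this answer or the thread), here is how the custom security attribute approach looks in Microsoft Graph PowerShell. It assumes an attribute set named `Leadership` with a single-valued string attribute `Tier` (allowed values `Leadership` and `SeniorLeadership`) has already been defined in Entra; the set, attribute, values and the `jdoe@example.com` account are placeholders. The signed-in account needs the Attribute Assignment Administrator role for the writes.

```powershell
# Added example, not code from the thread. Attribute set "Leadership",
# attribute "Tier" and the user below are placeholders; create the set and
# attribute in the Entra admin center first.
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'CustomSecAttributeAssignment.ReadWrite.All', 'User.Read.All'

function Set-LeadershipTier {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Leadership', 'SeniorLeadership')] [string] $Tier
    )
    # customSecurityAttributes is keyed by attribute set, then attribute name.
    $body = @{
        customSecurityAttributes = @{
            Leadership = @{
                '@odata.type' = '#microsoft.graph.customSecurityAttributeValue'
                Tier          = $Tier
            }
        }
    }
    Update-MgUser -UserId $UserPrincipalName -BodyParameter $body
}

function Clear-LeadershipTier {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # Setting a single-valued attribute to null removes the assignment.
    $body = @{
        customSecurityAttributes = @{
            Leadership = @{
                '@odata.type' = '#microsoft.graph.customSecurityAttributeValue'
                Tier          = $null
            }
        }
    }
    Update-MgUser -UserId $UserPrincipalName -BodyParameter $body
}

function Get-UsersByLeadershipTier {
    param([Parameter(Mandatory)] [ValidateSet('Leadership', 'SeniorLeadership')] [string] $Tier)
    # Filtering on customSecurityAttributes is an advanced query: it requires
    # ConsistencyLevel: eventual together with $count.
    Get-MgUser -Filter "customSecurityAttributes/Leadership/Tier eq '$Tier'" `
               -ConsistencyLevel eventual -CountVariable total -All `
               -Property id, displayName, userPrincipalName, customSecurityAttributes |
        Select-Object DisplayName, UserPrincipalName
}

Set-LeadershipTier -UserPrincipalName 'jdoe@example.com' -Tier 'SeniorLeadership'
Get-UsersByLeadershipTier -Tier 'SeniorLeadership'
```

Custom security attributes live only in Entra ID and are read and written through Graph, so nothing here touches the on-premises schema or Entra Connect. Reading them back needs `CustomSecAttributeAssignment.Read.All` (covered by the ReadWrite scope above); ordinary `User.Read.All` callers do not see them.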
Why not leverage security or mail-enabled security groups instead? It could streamline how you manage users without needing to navigate through additional attributes.
It's a bit of a lengthy process, but you could potentially create a new AD attribute. Then edit the sync rules for it to sync directly with Entra. Also, have you checked out the msDS-cloudExtensionAttributeX fields? They might be helpful in storing that data without reverting back to AD.
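As an added example (not code from this answer or the thread), the following PowerShell sets one of the `msDS-cloudExtensionAttributeX` fields on AD user objects and then lists which Entra Connect sync rules reference that attribute, so you can see whether anything flows it back to AD. It assumes the ActiveDirectory module on a domain-joined admin host and the ADSync module on the Entra Connect server, and it assumes the rule object shape `Get-ADSyncRule` exposes (`Direction`, `Precedence`, and `AttributeFlowMappings` with `Source` and `Destination`). The user `jdoe`, the tier values and the choice of slot 1 are placeholders.

```powershell
# Added example, not code from the thread. Placeholders: user 'jdoe', the
# tier values, and slot 1 of msDS-cloudExtensionAttribute1..20.
Import-Module ActiveDirectory

$attr = 'msDS-cloudExtensionAttribute1'

function Set-LeadershipTierAD {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [ValidateSet('Leadership', 'SeniorLeadership')] [string] $Tier
    )
    # -Replace overwrites any existing value in the attribute.
    Set-ADUser -Identity $SamAccountName -Replace @{ $attr = $Tier }
}

function Get-LeadershipTierAD {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    (Get-ADUser -Identity $SamAccountName -Properties $attr).$attr
}

function Find-UsersByTierAD {
    param([Parameter(Mandatory)] [string] $Tier)
    Get-ADUser -LDAPFilter "($attr=$Tier)" -Properties $attr |
        Select-Object SamAccountName, UserPrincipalName, $attr
}

# Run on the Entra Connect server. An Inbound rule with the attribute as a
# Source flows it AD -> Entra; an Outbound rule with it as Destination means
# something writes it back to AD, which is what the question wants to avoid.
function Get-SyncRulesForAttribute {
    param([Parameter(Mandatory)] [string] $AttributeName)
    Import-Module ADSync
    foreach ($rule in Get-ADSyncRule) {
        foreach ($m in $rule.AttributeFlowMappings) {
            $hit = ($rule.Direction -eq 'Inbound'  -and $m.Source -contains $AttributeName) -or
                   ($rule.Direction -eq 'Outbound' -and $m.Destination -eq $AttributeName)
            if ($hit) {
                [pscustomobject]@{
                    Rule        = $rule.Name
                    Direction   = $rule.Direction
                    Precedence  = $rule.Precedence
                    Source      = ($m.Source -join ',')
                    Destination = $m.Destination
                }
            }
        }
    }
}

Set-LeadershipTierAD -SamAccountName 'jdoe' -Tier 'SeniorLeadership'
Get-LeadershipTierAD -SamAccountName 'jdoe'
Find-UsersByTierAD -Tier 'SeniorLeadership'
Get-SyncRulesForAttribute -AttributeName $attr | Format-Table -AutoSize
```

If `Get-SyncRulesForAttribute` returns no Inbound rule for the attribute, it is not reaching Entra at all and a custom inbound rule is needed, as the answer describes; if it returns an Outbound rule, that rule is the one to review before relying on the attribute as "not written back".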
Have you considered using groups instead? It might simplify the process for categorizing your leadership members.

Thanks for the suggestion! I'd like to explore the msDS attributes further. Sounds like they could help free up some extension space.