command line interface - How can I CRUD an extension attribute for application registrations in Azure? - Stack Overflow

I need to set owner information on App Registrations, but Azure mysteriously doesn't allow group assignment or have any means to add metadata I've found other than the notes field (already being used) and the "extension attribute" possibly. (While there's a "tags" value in the manifest, I can't find a way to use it.)

I did some work to get Microsoft Graph approved for full read/write access to the app and then tried to set the extension attribute like so in the Azure Shell:

# This uses OBJECT ID, not application id
tok=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken --output tsv)
curl -X POST "https://graph.microsoft.com/v1.0/applications/<ObjectID>/extensionProperties" \
-H "Authorization: Bearer $tok" \
-H "Content-Type: application/json" \
-d '{
        "name": "Owner",
        "dataType": "String",
        "targetObjects": [
            "Application"
        ]
    }'

This seemed to work, but I don't know how to test to see if the value is there let alone set/update it. And this would ideally all be done in PowerShell instead.

So how can I use PowerShell to

  1. Create/configure an extension attribute
  2. Set/update that value
  3. Test that value.

====== Regarding use of MsGraph, I checked my permissions:

This is in my private instance so I have all rights as far as I can tell.

But when I try to use any MsGraph command, I get:

The results of Get-MgContext is:

asked Jan 22 at 20:41 by not_a_generic_user, edited Jan 27 at 14:35
  • Could you confirm whether your requirement is to retrieve the created extension attribute? – Sridevi Commented Jan 23 at 3:40
  • I'm trying to set ownership information to a group identifier since Azure doesn't allow this by default. That's why I need a new value which I would need to create, set, retrieve, update, etc. – not_a_generic_user Commented Jan 27 at 14:34
  • As Scopes claim is empty in Get-MgContext command, could you confirm whether you are running Connect-MgGraph -Scopes "Application.ReadWrite.All" including Scopes or not? – Sridevi Commented Jan 27 at 16:56

1 Answer


You can make use of the Microsoft Graph PowerShell module to CRUD an extension attribute for an application registration.

Create Extension Attribute:

#Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$objectId = "1a84a8ec-fe3a-4xxxxxxxx"  # Application Object ID
$propertyName = "Owner"  # Extension Attribute Name

New-MgApplicationExtensionProperty -ApplicationId $objectId -Name $propertyName -DataType String -TargetObjects @("Application")

Response:

Retrieve Extension Attribute:

Get-MgApplicationExtensionProperty -ApplicationId $objectId | Format-List

Set or Update Extension Attribute Value:

$customAttribute = "extension_b974434xxxxxxx_Owner"  # Full attribute name
$Value = "Sri"  # Value to Set

Update-MgApplication -ApplicationId $objectId -BodyParameter @{
    $customAttribute = $Value
}

Write-Output "Updated $customAttribute to: $Value"

Response:

Test Extension Attribute Value:

$app = Get-MgApplication -ApplicationId $objectId
$customAttribute = "extension_b974434xxxxxxxx_Owner"

$ownerValue = $app.AdditionalProperties[$customAttribute]

Write-Output "Current Owner Value: $ownerValue"

Response:

Alternatively, you can add tags to the application by running the CLI command below:

az ad app update --id 1a84a8ec-fxxxxxxxxxxx --set tags='["Owner=Sri"]'

To confirm that, I checked the app registration's Manifest, where the tags were added successfully, like this:

Reference:

Add custom data to resources using extensions - Microsoft Graph
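The following is an added example, not code from the question or the answer above. It strings the four steps of the answer (create, set, read back, delete) into one PowerShell script and adds the checks a practitioner would want: it verifies that Connect-MgGraph actually granted Application.ReadWrite.All (the empty Scopes claim discussed in the comments is why Mg* cmdlets fail with insufficient privileges), it takes the full extension_<appId>_Owner attribute name from the create response instead of typing it by hand, and it validates that the value stored as "owner" is a GUID before it is written, since the attribute itself is an untyped string. The object IDs and the group ID are placeholders you must replace; the extension definition is owned by the app whose object ID is passed to New-MgApplicationExtensionProperty, and the value can then be set on that app or on any other application in the tenant.

```powershell
# Added example (not from the question or answer). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can consent to
# Application.ReadWrite.All. All GUIDs below are placeholders.
#Requires -Modules Microsoft.Graph.Applications
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- 0. Connect with the scope the calls below need and verify it was granted.
#        An empty Scopes list in Get-MgContext means every Mg* call will be denied.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
$ctx = Get-MgContext
if (-not $ctx -or $ctx.Scopes -notcontains 'Application.ReadWrite.All') {
    throw "Connected without Application.ReadWrite.All; current scopes: $($ctx.Scopes -join ', ')"
}

$ownerAppObjectId  = '00000000-0000-0000-0000-000000000000'  # placeholder: object ID of the app that OWNS the extension definition
$targetAppObjectId = $ownerAppObjectId                       # placeholder: app to tag (may differ from the owning app)
$propertyName      = 'Owner'
$ownerGroupId      = '11111111-1111-1111-1111-111111111111'  # placeholder: group object ID to record as owner

# --- 1. CREATE (idempotent): reuse the definition if one with this name already exists.
$existing = Get-MgApplicationExtensionProperty -ApplicationId $ownerAppObjectId |
    Where-Object { $_.Name -like "extension_*_$propertyName" }
if ($existing) {
    $ext = $existing | Select-Object -First 1
    Write-Host "Reusing existing extension property $($ext.Name)"
} else {
    $ext = New-MgApplicationExtensionProperty -ApplicationId $ownerAppObjectId `
        -Name $propertyName -DataType 'String' -TargetObjects @('Application')
    Write-Host "Created extension property $($ext.Name)"
}
# Graph returns the full name as extension_<appId without dashes>_<Name>; use it as returned.
$attr = $ext.Name

# --- 2. SET / UPDATE the value. The attribute is a free-form string, so check that
#        what we store as "owner" really is a GUID before it becomes ownership data.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($ownerGroupId, [ref]$parsed)) {
    throw "Owner value '$ownerGroupId' is not a GUID"
}
Update-MgApplication -ApplicationId $targetAppObjectId -BodyParameter @{ $attr = $ownerGroupId }

# --- 3. READ back and verify. Extension values surface in AdditionalProperties;
#        request the attribute explicitly so it is included in the response.
$app = Get-MgApplication -ApplicationId $targetAppObjectId -Property "id,displayName,$attr"
$stored = $app.AdditionalProperties[$attr]
if ($stored -ne $ownerGroupId) {
    throw "Verification failed: expected '$ownerGroupId', read back '$stored'"
}
Write-Host "$($app.DisplayName): $attr = $stored"

# --- 4. CLEAR the value on the target app by writing null (uncomment to run).
# Update-MgApplication -ApplicationId $targetAppObjectId -BodyParameter @{ $attr = $null }

# --- 5. DELETE the definition itself. Only do this when no app still relies on it:
#        values stored under the attribute are lost with it (uncomment to run).
# Remove-MgApplicationExtensionProperty -ApplicationId $ownerAppObjectId -ExtensionPropertyId $ext.Id
```

Run it once to create the definition and tag the first app; on later runs step 1 finds the existing definition and skips straight to writing and verifying the value. Keep the app that owns the definition as a dedicated, long-lived registration: deleting that app registration removes the extension property and every value stored under it on other apps.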
