When using a federated scenario where on-premises users are synchronized to the cloud with DirSync or AAD Connect, it’s important to know which user properties are transported into Azure Active Directory (AAD). In the Microsoft sync tool you can define which fields are synchronized.

In the cloud world, we can use the user properties in AAD in different ways: accessing them with PowerShell, GraphAPI or Exchange Remote PowerShell, depending on the scenario and the data you need.

We often had the scenario that customers want to add data like a store name, a cost center, employee number etc. in the User Profile in the Active Directory – and want to use that data in the cloud, for example, in SharePoint Online in the User Profile there. For such data CustomAttributes are often used – but you do not get them from AAD. So you need to plan how the task can be accomplished…

Here we will look at a sample user profile and at an Exchange Online mailbox. I am using an Office 365 demo tenant COM654056.onmicrosoft.com with a user named Dan Jump and his UPN.

Using GraphAPI for the UserProfile

When asking GraphAPI for the data of a specific user, the URI is composed of the tenant and the username, as here:

https://graph.windows.net/COM654056.onmicrosoft.com/users/danj@COM654056.onmicrosoft.com

The result looks like this (I deleted some recurring data to keep the output a little shorter than it was originally) and includes the Office 365 licenses (assignedLicenses and assignedPlans):

 {  
  "odata.metadata": "https://graph.windows.net/COM654056.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.User/@Element",  
  "odata.type": "Microsoft.DirectoryServices.User",  
  "objectType": "User",  
  "objectId": "82e8de13-…",  
  "deletionTimestamp": null,  
  "accountEnabled": true,  
  "assignedLicenses": [  
    {  
      "disabledPlans": [  
        "70d33638-9c74-4d01-bfd3-562de28bd4ba"  
      ],  
      "skuId": "f8a1db68-be16-40ed-86d5-cb42ce701560"  
    },  
    {  
      "disabledPlans": [  
        "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"  
      ],  
      "skuId": "efccb6f7-5641-4e0e-bd10-b4976e1bf68e"  
    },  
    ...shortened...  
  ],  
  "assignedPlans": [  
    {  
      "assignedTimestamp": "2015-12-19T03:10:29Z",  
      "capabilityStatus": "Enabled",  
      "service": "exchange",  
      "servicePlanId": "efb87545-963c-4e0d-99df-69c6916d9eb0"  
    },  
    {  
      "assignedTimestamp": "2015-12-19T03:10:29Z",  
      "capabilityStatus": "Enabled",  
      "service": "Sway",  
      "servicePlanId": "a23b959c-7ce8-4e57-9140-b90eb88a9e97"  
    },  
    ...shortened...  
    ],  
  "city": null,  
  "companyName": null,  
  "country": null,  
  "creationType": null,  
  "department": "Executive",  
  "dirSyncEnabled": null,  
  "displayName": "Dan Jump",  
  "facsimileTelephoneNumber": null,  
  "givenName": "Dan",  
  "immutableId": null,  
  "jobTitle": "Chief Executive Officer",  
  "lastDirSyncTime": null,  
  "mail": "danj@COM654056.onmicrosoft.com",  
  "mailNickname": "danj",  
  "mobile": null,  
  "onPremisesSecurityIdentifier": null,  
  "otherMails": [],  
  "passwordPolicies": "DisablePasswordExpiration",  
  "passwordProfile": null,  
  "physicalDeliveryOfficeName": null,  
  "postalCode": null,  
  "preferredLanguage": "en-US",  
  "provisionedPlans": [  
    {  
      "capabilityStatus": "Enabled",  
      "provisioningStatus": "Success",  
      "service": "MicrosoftOffice"  
    },  
    {  
      "capabilityStatus": "Enabled",  
      "provisioningStatus": "Success",  
      "service": "exchange"  
    },  
    ...shortened...  
    ],  
  "provisioningErrors": [],  
  "proxyAddresses": [  
    "SMTP:danj@COM654056.onmicrosoft.com"  
  ],  
  "sipProxyAddress": "danj@COM654056.onmicrosoft.com",  
  "state": null,  
  "streetAddress": null,  
  "surname": "Jump",  
  "telephoneNumber": null,  
  "usageLocation": "US",  
  "userPrincipalName": "danj@COM654056.onmicrosoft.com",  
  "userType": "Member"  
}   

That’s it. You can get this data for any AAD tenant with the graphexplorer.cloudapp.net tool.

As you can see, the user’s Exchange attributes are not delivered by the GraphAPI. This (still) has to be done with Exchange Remote PowerShell…

Using Remote Exchange PowerShell for the Mailbox settings

To get mailbox settings we need to load the Remote Exchange PowerShell cmdlets. First, we connect to the tenant.

 $cred = Get-Credential   # prompt for the tenant administrator's credentials
Connect-MsolService -Credential $cred
# Open a remote session to Exchange Online and import its cmdlets into the local session
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -AllowClobber

…and then query the mailbox data as list for a specific mailbox (the one of Dan Jump):

 Get-Mailbox -Identity danj@COM654056.onmicrosoft.com | fl   

The full output is listed further below.

If the user has no Exchange Online mailbox, but is mail-enabled (for example with Exchange on premises), use this cmdlet:

 Get-MailUser -Identity danj@COM654056.onmicrosoft.com | fl   

The Exchange mailbox attributes are much more extensive than the user profile properties in AAD.

 RunspaceId                             : cab07916-…  
Database                               : NAMPR14DG008-db…  
MailboxProvisioningConstraint          :   
MessageCopyForSentAsEnabled            : False  
MessageCopyForSendOnBehalfEnabled      : False  
MailboxProvisioningPreferences         : {}  
UseDatabaseRetentionDefaults           : False  
RetainDeletedItemsUntilBackup          : False  
DeliverToMailboxAndForward             : False  
IsExcludedFromServingHierarchy         : False  
IsHierarchyReady                       : True  
IsHierarchySyncEnabled                 : True  
HasSnackyAppData                       : False  
LitigationHoldEnabled                  : False  
SingleItemRecoveryEnabled              : True  
RetentionHoldEnabled                   : False  
EndDateForRetentionHold                :   
StartDateForRetentionHold              :   
RetentionComment                       :   
RetentionUrl                           :   
LitigationHoldDate                     :   
LitigationHoldOwner                    :   
LitigationHoldDuration                 : Unlimited  
ManagedFolderMailboxPolicy             :   
RetentionPolicy                        : Default MRM Policy  
AddressBookPolicy                      :   
CalendarRepairDisabled                 : False  
ExchangeGuid                           : 47f84e34-…  
MailboxContainerGuid                   :   
UnifiedMailbox                         :   
MailboxLocations                       : {1;47f84e34-…;Primary;namprd14.prod.outlook.com;52923a40-…,   
                                         1;c91ac088-…;MainArchive;namprd14.prod.outlook.com;52923a40-…}  
AggregatedMailboxGuids                 : {}  
ExchangeSecurityDescriptor             : System.Security.AccessControl.RawSecurityDescriptor  
ExchangeUserAccountControl             : None  
AdminDisplayVersion                    : Version 15.1 (Build 409.15)  
MessageTrackingReadStatusEnabled       : True  
ExternalOofOptions                     : External  
ForwardingAddress                      :   
ForwardingSmtpAddress                  :   
RetainDeletedItemsFor                  : 14.00:00:00  
IsMailboxEnabled                       : True  
Languages                              : {en-US}  
OfflineAddressBook                     :   
ProhibitSendQuota                      : 49.5 GB (53,150,220,288 bytes)  
ProhibitSendReceiveQuota               : 50 GB (53,687,091,200 bytes)  
RecoverableItemsQuota                  : 30 GB (32,212,254,720 bytes)  
RecoverableItemsWarningQuota           : 20 GB (21,474,836,480 bytes)  
CalendarLoggingQuota                   : 6 GB (6,442,450,944 bytes)  
DowngradeHighPriorityMessagesEnabled   : False  
ProtocolSettings                       : {RemotePowerShell§1, MAPI§1§0§§§0§§§§§0, IMAP4§1§§§§§§§§§§§§, POP3§1§§§§§§§§§§§§1...}  
RecipientLimits                        : 500  
ImListMigrationCompleted               : False  
SiloName                               :   
IsResource                             : False  
IsLinked                               : False  
IsShared                               : False  
IsRootPublicFolderMailbox              : False  
LinkedMasterAccount                    :   
ResetPasswordOnNextLogon               : False  
ResourceCapacity                       :   
ResourceCustom                         : {}  
ResourceType                           :   
RoomMailboxAccountEnabled              :   
SamAccountName                         : danj57645-15603…  
SCLDeleteThreshold                     :   
SCLDeleteEnabled                       :   
SCLRejectThreshold                     :   
SCLRejectEnabled                       :   
SCLQuarantineThreshold                 :   
SCLQuarantineEnabled                   :   
SCLJunkThreshold                       :   
SCLJunkEnabled                         :   
AntispamBypassEnabled                  : False  
ServerLegacyDN                         : /o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CO2PR14MB0122  
ServerName                             : co2pr14mb0122  
UseDatabaseQuotaDefaults               : False  
IssueWarningQuota                      : 49 GB (52,613,349,376 bytes)  
RulesQuota                             : 256 KB (262,144 bytes)  
Office                                 :   
UserPrincipalName                      : danj@COM654056.onmicrosoft.com  
UMEnabled                              : True  
MaxSafeSenders                         :   
MaxBlockedSenders                      :   
NetID                                  : 1003000095…  
ReconciliationId                       :   
WindowsLiveID                          : danj@COM654056.onmicrosoft.com  
MicrosoftOnlineServicesID              : danj@COM654056.onmicrosoft.com  
ThrottlingPolicy                       :   
RoleAssignmentPolicy                   : Default Role Assignment Policy  
DefaultPublicFolderMailbox             :   
EffectivePublicFolderMailbox           :   
SharingPolicy                          : Default Sharing Policy  
RemoteAccountPolicy                    :   
MailboxPlan                            : ExchangeOnlineEnterprise-fc7b5d11-…  
ArchiveDatabase                        : NAMPR14DG008-db051  
ArchiveGuid                            : c91ac088-…  
ArchiveName                            : {In-Place Archive - Dan Jump}  
JournalArchiveAddress                  :   
ArchiveQuota                           : 100 GB (107,374,182,400 bytes)  
ArchiveWarningQuota                    : 90 GB (96,636,764,160 bytes)  
ArchiveDomain                          :   
ArchiveStatus                          : Active  
ArchiveState                           : Local  
DisabledMailboxLocations               : False  
RemoteRecipientType                    : None  
DisabledArchiveDatabase                :   
DisabledArchiveGuid                    : 00000000-0000-0000-0000-000000000000  
QueryBaseDN                            :   
QueryBaseDNRestrictionEnabled          : False  
MailboxMoveTargetMDB                   :   
MailboxMoveSourceMDB                   :   
MailboxMoveFlags                       : None  
MailboxMoveRemoteHostName              :   
MailboxMoveBatchName                   :   
MailboxMoveStatus                      : None  
MailboxRelease                         :   
ArchiveRelease                         :   
IsPersonToPersonTextMessagingEnabled   : False  
IsMachineToPersonTextMessagingEnabled  : True  
UserSMimeCertificate                   : {}  
UserCertificate                        : {}  
CalendarVersionStoreDisabled           : False  
ImmutableId                            :   
PersistedCapabilities                  : {BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}  
SKUAssigned                            : True  
AuditEnabled                           : False  
AuditLogAgeLimit                       : 90.00:00:00  
AuditAdmin                             : {Update, Move, MoveToDeletedItems, SoftDelete...}  
AuditDelegate                          : {Update, SoftDelete, HardDelete, SendAs...}  
AuditOwner                             : {}  
WhenMailboxCreated                     : 19.12.2015 04:11:18  
SourceAnchor                           :   
UsageLocation                          : United States  
IsSoftDeletedByRemove                  : False  
IsSoftDeletedByDisable                 : False  
IsInactiveMailbox                      : False  
IncludeInGarbageCollection             : False  
WhenSoftDeleted                        :   
InPlaceHolds                           : {}  
GeneratedOfflineAddressBooks           : {}  
AccountDisabled                        : False  
StsRefreshTokensValidFrom              : 09.02.2016 13:17:13  
DataEncryptionPolicy                   :   
AuditStorageStartTimeUTC               :   
AuditStorageEndTimeUTC                 :   
AuditStorageState                      : None  
Extensions                             : {52010}  
HasPicture                             : True  
HasSpokenName                          : False  
IsDirSynced                            : False  
AcceptMessagesOnlyFrom                 : {}  
AcceptMessagesOnlyFromDLMembers        : {}  
AcceptMessagesOnlyFromSendersOrMembers : {}  
AddressListMembership                  : {\Mailboxes(VLV), \All Mailboxes(VLV), \All Recipients(VLV), \Default Global Address List...}  
Alias                                  : danj  
ArbitrationMailbox                     :   
BypassModerationFromSendersOrMembers   : {}  
OrganizationalUnit                     : nampr14a002.prod.outlook.com/Microsoft Exchange Hosted Organizations/COM654056.onmicrosoft.com  
CustomAttribute1                       :   
CustomAttribute10                      :   
CustomAttribute11                      :   
CustomAttribute12                      :   
CustomAttribute13                      :   
CustomAttribute14                      :   
CustomAttribute15                      :   
CustomAttribute2                       :   
CustomAttribute3                       :   
CustomAttribute4                       :   
CustomAttribute5                       :   
CustomAttribute6                       :   
CustomAttribute7                       :   
CustomAttribute8                       :   
CustomAttribute9                       :   
ExtensionCustomAttribute1              : {}  
ExtensionCustomAttribute2              : {}  
ExtensionCustomAttribute3              : {}  
ExtensionCustomAttribute4              : {}  
ExtensionCustomAttribute5              : {}  
DisplayName                            : Dan Jump  
EmailAddresses                         : {EUM:52010;phone-context=Demo_DialPlan.8d37cd6c-…, SIP:danj@COM654056.onmicrosoft.com,   
                                         SMTP:danj@COM654056.onmicrosoft.com}  
GrantSendOnBehalfTo                    : {}  
ExternalDirectoryObjectId              : 82e8de13-…  
HiddenFromAddressListsEnabled          : False  
LastExchangeChangedTime                :   
LegacyExchangeDN                       : /o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=8865f585f421458aac0463e0ef7fe1b9-danj  
MaxSendSize                            : 35 MB (36,700,160 bytes)  
MaxReceiveSize                         : 36 MB (37,748,736 bytes)  
ModeratedBy                            : {}  
ModerationEnabled                      : False  
PoliciesIncluded                       : {}  
PoliciesExcluded                       : {{26491cfc-…}}  
EmailAddressPolicyEnabled              : False  
PrimarySmtpAddress                     : danj@COM654056.onmicrosoft.com  
RecipientType                          : UserMailbox  
RecipientTypeDetails                   : UserMailbox  
RejectMessagesFrom                     : {}  
RejectMessagesFromDLMembers            : {}  
RejectMessagesFromSendersOrMembers     : {}  
RequireSenderAuthenticationEnabled     : False  
SimpleDisplayName                      :   
SendModerationNotifications            : Always  
UMDtmfMap                              : {emailAddress:3265, lastNameFirstName:5867326, firstNameLastName:3265867}  
WindowsEmailAddress                    : danj@COM654056.onmicrosoft.com  
MailTip                                :   
MailTipTranslations                    : {}  
Identity                               : danj  
IsValid                                : True  
ExchangeVersion                        : 0.20 (15.0.0.0)  
Name                                   : danj  
DistinguishedName                      : CN=danj,OU=COM654056.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMPR14A002,DC=PROD,DC=OUTLOOK,DC=COM  
Guid                                   : 92617819-...  
ObjectCategory                         : NAMPR14A002.PROD.OUTLOOK.COM/Configuration/Schema/Person  
ObjectClass                            : {top, person, organizationalPerson, user}  
WhenChanged                            : 09.02.2016 13:17:47  
WhenCreated                            : 19.12.2015 04:11:18  
WhenChangedUTC                         : 09.02.2016 12:17:47  
WhenCreatedUTC                         : 19.12.2015 03:11:18  
OrganizationId                         : NAMPR14A002.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/COM654056.onmicrosoft.com -   
                                         NAMPR14A002.PROD.OUTLOOK.COM/ConfigurationUnits/COM654056.onmicrosoft.com/Configuration  
Id                                     : danj  
OriginatingServer                      : CY1PR14A002DC06.NAMPR14A002.PROD.OUTLOOK.COM  
ObjectState                            : Unchanged   

Summary

The key message is: Using the GraphAPI delivers the “default” user properties as listed above – and no additional attributes, such as Exchange attributes (CustomAttribute1 to 15, manager, etc.).
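
Because GraphAPI returns only the default properties, the CustomAttribute values have to be read from the mailbox record and joined to the Graph user. The following is an added example, not code from the original post: the function name `Merge-AadUserWithMailbox`, the sample object id and the attribute values are constructed for illustration, and the join relies on the Graph `objectId` and the mailbox `ExternalDirectoryObjectId` showing the same id in the two outputs above.

```powershell
# Added example: join an AAD Graph user record with its Exchange Online
# mailbox record to get CustomAttribute1..15 next to the AAD properties.
# Join key: Graph "objectId" == Exchange "ExternalDirectoryObjectId".

function Merge-AadUserWithMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $GraphUser,   # object from ConvertFrom-Json on the Graph response
        [Parameter(Mandatory)] $Mailbox      # object from Get-Mailbox or Get-MailUser
    )

    # Match on the directory object id, not on UPN or mail address: addresses
    # can be renamed or reassigned, the object id stays with the account.
    if ([string]$GraphUser.objectId -ne [string]$Mailbox.ExternalDirectoryObjectId) {
        throw "objectId '$($GraphUser.objectId)' does not match ExternalDirectoryObjectId '$($Mailbox.ExternalDirectoryObjectId)'"
    }

    $merged = [ordered]@{
        ObjectId          = $GraphUser.objectId
        UserPrincipalName = $GraphUser.userPrincipalName
        DisplayName       = $GraphUser.displayName
        Department        = $GraphUser.department
        JobTitle          = $GraphUser.jobTitle
    }
    # Copy only the custom attributes that actually carry a value.
    foreach ($i in 1..15) {
        $name  = "CustomAttribute$i"
        $value = $Mailbox.$name
        if (-not [string]::IsNullOrWhiteSpace($value)) { $merged[$name] = $value }
    }
    [pscustomobject]$merged
}

# Constructed sample input: the object id and the attribute values are made up,
# the other values are taken from the outputs shown on this page.
$graphUser = @'
{ "objectId": "00000000-0000-0000-0000-000000000001",
  "userPrincipalName": "danj@COM654056.onmicrosoft.com",
  "displayName": "Dan Jump", "department": "Executive",
  "jobTitle": "Chief Executive Officer" }
'@ | ConvertFrom-Json

$mailbox = [pscustomobject]@{
    ExternalDirectoryObjectId = '00000000-0000-0000-0000-000000000001'
    CustomAttribute1          = 'Store-0042'   # constructed: store name
    CustomAttribute2          = 'CC-1000'      # constructed: cost center
    CustomAttribute3          = ''             # empty, so it is skipped
}

Merge-AadUserWithMailbox -GraphUser $graphUser -Mailbox $mailbox | Format-List
```

With a live session, `$Mailbox` would come from `Get-Mailbox -Identity <UPN>` and `$GraphUser` from the parsed Graph response; a mismatch of the two ids stops the merge instead of attaching one user's attributes to another account.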

So, this short blog post is meant as a reminder that the methods for getting (and setting) user data in the cloud vary and depend on the properties you need for further operations.

My intention was to have a list of the default user profile properties from AAD and the user’s mailbox properties from Exchange Online as lookup. That’s why I exported the data here. Hope this helps!