Geekwhocodes

Reputation: 13

How to work with Azure Active Directory Schema Extensions in Multi-Tenant Scenario

I want to use an Azure AD schema extension to extend one property. I have successfully created a schema extension with the id "myverifiedaaddomain_extensionid".

Schema extension:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#schemaExtensions/$entity",
    "id": "myverifiedaaddomain_extensionid",
    "description": "myverifiedaaddomain_extensionid",
    "targetTypes": [
        "User"
    ],
    "status": "InDevelopment",
    "owner": "owner",
    "properties": [
        {
            "name": "isExtended",
            "type": "Boolean"
        }
    ]
}

NOTE: It is working perfectly fine in a single-tenant scenario.


Multi-tenant scenario:

  1. I have a host tenant T1
  2. Registered a multi-tenant AAD app A1 (in T1 with all required permissions)
  3. I want to on-board tenant T2
  4. Register the schema extension on T2 after successful on-boarding

When I on-board T2, all schema extensions from T1 whose owner is A1 get imported into T2's directory without any notification or prompt.

So currently it is working in the multi-tenant scenario as well, but I am not sure about all schema extensions being exported to the partner tenant (T2): is this expected behaviour or a bug? There is no clear documentation available here https://learn.microsoft.com/en-us/graph/extensibility-overview or here https://learn.microsoft.com/en-us/graph/api/resources/schemaextension?view=graph-rest-1.0

Apart from this, there is no clear documentation on permissions either. For example, at https://learn.microsoft.com/en-us/graph/extensibility-overview#permissions they mention that, in order to read/update extended data, you need all the permissions mentioned on that resource's permissions page. For the User resource we will need all the permissions mentioned here: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0#permissions

This is not working: I am not able to read extended data via other AAD apps (A2, A3, etc.) which have all the permissions mentioned on the above page (https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0#permissions).

Upvotes: 1

Views: 1757

Answers (1)

Dan Kershaw - MSFT

Reputation: 5828

Sorry for some of the challenges you are coming across here. Just to double check - have you used Azure AD Directory Schema extensions in the past? I'm asking because it seems like you have some preconceptions about how extensions work - and they behave a little differently in Microsoft Graph.

In terms of documentation - it is documented in the section about schema extension lifecycle in https://learn.microsoft.com/en-us/graph/extensibility-overview#schema-extensions. Maybe we can do a better job of providing a full on scenario. But here's the relevant bit when setting the schema definition state to Available:

  • The schema extension is available for use by all apps in any tenant.

  • After the owner app sets the extension to Available, any app can simply add custom data to instances of those resource types specified in the extension (as long as the app has permissions to that resource). The app can assign custom data when creating a new instance or updating an existing instance.

  • Only the owner app can update the extension definition with additive changes. No app can delete the extension definition in this state.

  • The owner app can move the schema extension from Available to the Deprecated state.

In terms of the permissions not working, what permissions were granted to the multi-tenant application, or the other apps A2 and A3? What response are you seeing (can you provide the request as well please)?

Hope this helps,

Upvotes: 1
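The request sequence behind the lifecycle rules quoted in the answer, as an added example that is not code from the question, the answer, or Microsoft. It runs offline: `FakeGraph` is a hypothetical in-memory stand-in for the service that enforces only the rules the answer states (the creating app is the owner, only the owner may change the definition, deletion only while InDevelopment, any app may write extension data once the definition is Available), `GraphApp` is a hypothetical thin client showing the URLs and bodies each app would send, the user id is constructed, and the rule that extension properties come back only when named in `$select` is an assumption modelled on the Graph user documentation rather than something the answer says. It uses the question's own extension id and app names A1 and A2.

```python
"""Added example (not part of the question or answer): the Graph request
sequence for a schema extension, run offline against a stand-in service."""
from dataclasses import dataclass, field

GRAPH = "https://graph.microsoft.com/v1.0"


class GraphError(Exception):
    """Raised where the real service would answer with a 4xx."""


@dataclass
class FakeGraph:
    """Hypothetical stand-in for Microsoft Graph. Rules modelled: creator is the
    owner; only the owner may change or delete the definition; deletion only
    while InDevelopment; any app may write extension data once Available;
    extension properties are returned only when named in $select (assumption)."""
    extensions: dict = field(default_factory=dict)  # extension id -> definition
    users: dict = field(default_factory=dict)       # user id -> user object

    def send(self, app_id, method, url, body=None):
        path = url[len(GRAPH):]
        if path == "/schemaExtensions" and method == "POST":
            ext = dict(body, status="InDevelopment", owner=app_id)
            self.extensions[ext["id"]] = ext
            return ext
        if path.startswith("/schemaExtensions/"):
            ext = self.extensions[path.split("/")[2]]
            if ext["owner"] != app_id:
                raise GraphError("403 only the owner app may change the definition")
            if method == "DELETE":
                if ext["status"] != "InDevelopment":
                    raise GraphError("403 definition can only be deleted while InDevelopment")
                del self.extensions[ext["id"]]
                return None
            ext.update(body)  # PATCH: status change or additive property change
            return ext
        if path.startswith("/users/"):
            user_id, _, query = path[len("/users/"):].partition("?")
            user = self.users.setdefault(user_id, {"id": user_id})
            if method == "PATCH":
                for ext_id, data in body.items():
                    ext = self.extensions.get(ext_id)
                    if ext is None or (ext["status"] != "Available" and ext["owner"] != app_id):
                        raise GraphError(f"400 {ext_id} is not usable by {app_id}")
                    unknown = set(data) - {p["name"] for p in ext["properties"]}
                    if unknown:
                        raise GraphError(f"400 unknown properties {sorted(unknown)}")
                    user[ext_id] = dict(data)
                return None
            selected = query.split("=", 1)[1].split(",") if query.startswith("$select=") else None
            wanted = selected if selected else [k for k in user if k not in self.extensions]
            return {k: user[k] for k in wanted if k in user}
        raise GraphError(f"404 {method} {path}")


class GraphApp:
    """Hypothetical client for one app registration; `send` is the transport
    (here FakeGraph.send; a real client would attach the app's bearer token)."""

    def __init__(self, app_id, send):
        self.app_id, self._send = app_id, send

    def create_extension(self, ext_id, target_type, properties):
        body = {"id": ext_id, "description": ext_id,
                "targetTypes": [target_type], "properties": properties}
        return self._send(self.app_id, "POST", f"{GRAPH}/schemaExtensions", body)

    def set_status(self, ext_id, status):
        return self._send(self.app_id, "PATCH", f"{GRAPH}/schemaExtensions/{ext_id}", {"status": status})

    def write_user_data(self, user_id, ext_id, data):
        return self._send(self.app_id, "PATCH", f"{GRAPH}/users/{user_id}", {ext_id: data})

    def read_user(self, user_id, select=()):
        url = f"{GRAPH}/users/{user_id}" + (f"?$select={','.join(select)}" if select else "")
        return self._send(self.app_id, "GET", url)


def demo():
    """Walk the lifecycle with the question's identifiers; returns each step's outcome."""
    graph = FakeGraph()
    owner = GraphApp("A1", graph.send)  # multi-tenant owner app registered in T1
    other = GraphApp("A2", graph.send)  # a second app, as in the question
    ext_id = "myverifiedaaddomain_extensionid"
    user = "user-in-T2"                 # constructed user id
    out = {}
    owner.create_extension(ext_id, "User", [{"name": "isExtended", "type": "Boolean"}])
    try:  # while InDevelopment only the owner app can write extension data
        other.write_user_data(user, ext_id, {"isExtended": True})
    except GraphError as e:
        out["other_writes_in_development"] = str(e)
    try:  # only the owner app can move the definition to Available
        other.set_status(ext_id, "Available")
    except GraphError as e:
        out["other_sets_available"] = str(e)
    owner.set_status(ext_id, "Available")
    other.write_user_data(user, ext_id, {"isExtended": True})  # now any app may write
    out["default_get"] = other.read_user(user)                 # extension not returned
    out["select_get"] = other.read_user(user, ["id", ext_id])  # extension returned
    try:  # an Available definition cannot be deleted, even by the owner
        graph.send("A1", "DELETE", f"{GRAPH}/schemaExtensions/{ext_id}")
    except GraphError as e:
        out["owner_deletes_available"] = str(e)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point for A2/A3 in the question is the last two reads: once the definition is Available, a second app with User permissions can write and read the data, but the extension property only appears in the GET response when it is named in `$select`; a plain GET returns the user without it.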
