Introduction

Microsoft has announced a significant enhancement to its Entra Domain Services by introducing support for custom attributes. This development aims to facilitate smoother cloud migrations for enterprises, particularly those reliant on legacy applications with specific directory dependencies.

Background

Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication without the need to deploy, manage, or patch domain controllers. This service is particularly beneficial for organizations transitioning from on-premises infrastructure to cloud-based environments. Custom attributes in directory services allow organizations to define and store additional information specific to their business needs. Legacy applications often rely on these attributes for operations such as authentication and user management.

Key Features of Custom Attributes in Entra Domain Services

  1. Synchronization of On-Premises Extension Attributes: Entra Domain Services now supports the synchronization of on-premises extension attributes (extensionAttribute1-15). These attributes are commonly used in on-premises Active Directory environments and can now be seamlessly integrated into the cloud environment.
  2. Support for Directory Extensions: Organizations can extend the schema of directory objects such as users and groups with custom attributes through directory extensions. This feature allows for the inclusion of strongly typed attributes tailored to specific business requirements.
  3. Configuration via Entra Connect and Microsoft Graph APIs: For users synchronized from on-premises Active Directory, custom attributes are populated through Entra Connect. For cloud-only users, the attributes are set and managed through the Microsoft Graph APIs, so both hybrid and cloud-only deployments are covered.

Implications and Impact

The introduction of custom attributes in Entra Domain Services has several significant implications:

  • Seamless Migration of Legacy Applications: Many legacy applications depend on custom attributes for their operations. With this new support, organizations can migrate these applications to the cloud without extensive code modifications, preserving existing functionalities.
  • Enhanced Identity Management: Custom attributes enable more granular and tailored identity management, allowing organizations to store and manage additional user information pertinent to their operations.
  • Improved Compliance and Governance: By incorporating custom attributes, organizations can better align their directory services with internal policies and regulatory requirements, enhancing overall governance.

Technical Details

  • Enabling Custom Attributes: Administrators can enable attribute synchronization by navigating to the 'Custom Attributes' section under 'Settings' in the Entra Domain Services portal and selecting the desired attributes for synchronization.
  • Supported Attributes: The service supports synchronization of onPremisesExtensionAttributes and directory extensions. However, certain types of extensions, such as custom security attributes in Entra ID and Microsoft Graph schema extensions, are not supported for synchronization.
  • Requirements: The minimum SKU supported for custom attributes is the Enterprise SKU. Organizations using the Standard SKU need to upgrade to Enterprise or Premium to utilize this feature.
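As an added example (not taken from this article or from Microsoft's documentation), the Microsoft Graph PowerShell SDK calls an administrator would use to populate both kinds of attribute described above on a cloud-only user, then read them back before enabling synchronization in the Entra Domain Services portal. The user principal name, application object id, attribute name and values are placeholders and constructed samples.

```powershell
# Added example: populate onPremisesExtensionAttributes and a directory extension on a
# cloud-only user with the Microsoft Graph PowerShell SDK, then read back the values.
# Every identifier and value below is a placeholder or constructed sample.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Application.ReadWrite.All"

$userId      = "user@contoso.example"                   # placeholder: UPN or object id of a cloud-only user
$appObjectId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the app that owns the extension

# 1) onPremisesExtensionAttributes (extensionAttribute1-15). For cloud-only users these are
#    writable through Graph; for synced users they are set in on-premises AD and flow via Entra Connect.
Update-MgUser -UserId $userId -OnPremisesExtensionAttributes @{
    extensionAttribute1 = "CostCenter-4711"           # constructed sample value
    extensionAttribute2 = "LegacyApp-Role:Reader"     # constructed sample value
}

# 2) A directory extension: register the strongly typed schema once on an application object.
#    Graph then exposes it on users as extension_<application client id without hyphens>_<name>.
$ext = New-MgApplicationExtensionProperty -ApplicationId $appObjectId `
    -Name "employeeBadgeId" -DataType "String" -TargetObjects @("User")

# Set the new extension on the user; the generated name is used as the property key.
$extValues = @{}
$extValues[$ext.Name] = "B-1029384"                   # constructed sample value
Update-MgUser -UserId $userId -AdditionalProperties $extValues

# 3) Read back the stored values. Review this output before selecting the attributes under
#    Settings > Custom Attributes in the managed domain, since whatever is stored here is
#    what domain-joined clients and LDAP consumers will see once synchronization is enabled.
$props = "id,userPrincipalName,onPremisesExtensionAttributes,$($ext.Name)"
$u = Get-MgUser -UserId $userId -Property $props
$u.OnPremisesExtensionAttributes | Format-List extensionAttribute1, extensionAttribute2
"{0} = {1}" -f $ext.Name, $u.AdditionalProperties[$ext.Name]
```

Synchronization of the selected attributes into the managed domain is one-way, so values are corrected in Entra ID (or on-premises AD for synced users), not inside the managed domain.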

Conclusion

The support for custom attributes in Microsoft Entra Domain Services marks a significant advancement in facilitating cloud migrations for enterprises. By addressing the needs of legacy applications and providing flexible identity management options, Microsoft continues to enhance its cloud offerings to meet the evolving demands of modern businesses.