Entra Connect Sync: Unable to configure Directory Extensions

Entra Connect Sync: Unable to configure Directory Extensions

Table of Contents

Recently, I ran into an error that didn’t seem to be well documented: Entra Connect Sync was unable to configure directory extensions. At first glance, it looked like one of those frustrating setup issues that should have an obvious fix, but didn’t.

Use Case

After a bit of digging, I found a quick solution that cleared it up. What initially looked like a confusing and undocumented issue turned out to be something much simpler to resolve once the right fix was applied.

In this article, I’ll walk through the error and show how to get Entra Connect Sync working with directory extensions without unnecessary trial and error.

What Directory Extensions are in Entra ID

Directory extensions in Entra ID are custom attributes that let you synchronize additional data from your on-premises Active Directory into Microsoft Entra ID. Entra Connect Sync can take selected extension attributes from your local directory and project them into the cloud as directory extensions, making them available to applications and services that rely on Entra ID data.

These extensions are useful when the built-in set of attributes is not enough and you need to carry over organization-specific information during synchronization. They are typically used to keep custom on-premises attributes available in the cloud, especially for identity-related workflows, app integrations, and automation scenarios.

Configure Entra Connect Sync for Directory Extensions

To sync additional attributes from on-premises Active Directory to Entra ID, you first need to update the configuration in the Entra Connect Sync wizard.

To make this change, an Entra ID user with one of the following roles is required:

  • Hybrid Identity Administrator (suggested)
  • Global Administrator

The following are the required steps to enable directory extensions:

  1. In the machine where Entra Connect Sync is running, open the Entra Connect Sync wizard.
  2. Choose Configure, and then Customize synchronization options.
  3. Login with your Hybrid Identity Administrator or Global Administrator.
  4. Go to the Optional features page, and enable Directory extension attribute sync. Entra Connect Sync enable directory extension attribute sync
  5. In the next page, choose the Active Directory attributes you want to sync to Entra ID. Only user or group attributes are currently supported. Entra Connect Sync directory extension attribute selection
  6. Continue by saving the configuration and starting the synchronization process.

The error

At this point, the following error may appear once the configuration is complete:

Unable to configure Directory Extensions, please consult with the event log for additional information.

Following the message’s suggestion, you might check the Event Viewer on the Entra Connect Sync server, only to find that no useful events were logged for this failure. As a result of this error, the new configuration for schema extensions is not applied.

This leaves you in a frustrating situation: Microsoft advises reviewing the Event Viewer, but no relevant events are actually shown. Documentation on this issue is also very limited online, both in official resources and in blog posts, so the only real option is to investigate the root cause ourselves.

But, to effectively investigate the issue, it is important to first understand what really happens when you enable Directory extension attributes sync in Entra Connect Sync.

What happens behind the scenes

If the configuration change is successful in Entra Connect Sync wizard, a new application is registered in your tenant. This application is called Tenant Schema Extension App. Tenant Schema Extension App (from learn.microsoft.com) This application is created automatically when you save the configuration in the Entra Connect Sync wizard, and it is created using the same user account you used to sign in to the wizard before making the changes. Once created, this app cannot be deleted.

Currently, to view extended attributes synced from Entra Connect, you need to use PowerShell. These attributes are in the following format: extension_{ApplicationId}_<attributeName>, where ApplicationId is the application id of the Tenant Schema Extension App.

The fix

Now that we know what the Entra Connect Sync wizard actually does behind the scenes, and that all operations are performed with the user we used to log into the wizard, we can start by looking at the audit logs in Entra ID.

In my case, one log entry caught my attention: Audit log This log clearly states that there’s something blocking the creation of a new application in our tenant, because it does not conform to the format for UriAdditionWithoutUniqueAppIdentifier.

At this point the solution is pretty simple:

  1. In the Entra portal, go to Enterprise Apps, and the select Application policies.
  2. If you got the error displayed above, you probably have the Block identifier URIs without unique tenant identifiers policy set to On.
  3. Open the policy and under Applies to, select All applications with exclusions.
  4. Click on Excluded callers, and add the user you used to log into the Entra Connect Sync wizard.
  5. Save the policy. Edit application policy

    Note

    To make this change, your user needs the Atrribute Definition Administrator and Attribute Assignment Administrator roles.

    Now retry the steps described under Configure Entra Connect Sync for Directory Extensions section.

View synced Directory Extensions for a user

As previously said, to view directory extension attributes synced with Entra Connect from on-premises, you need to use PowerShell.

Here is a quick example on how to do it:

Connect-MgGraph -Scopes User.Read.All

$user = Get-MgBetaUser -ConsistencyLevel eventual -Filter "UserPrincipalName eq '<your_user_upn>'" -All

$user.AdditionalProperties.GetEnumerator() | Where-Object { $_.Key -like "extension_*" } | Select-Object Key, Value

Note

The Microsoft.Graph.Beta.Users module is required to retrieve the values in the AdditionalProperties property for Entra ID users, since it contains the extension attributes and other extra fields. The Microsoft.Graph.Users module does not return any values for AdditionalProperties.

Conclusion

In the end, this issue turned out to be much less mysterious than it first appeared, but finding the root cause still required a bit of manual investigation. The key takeaway is that Entra Connect Sync can fail to configure directory extensions without giving you much useful guidance in the Event Viewer, so knowing where to look and why can save a lot of time.

Hopefully, this walkthrough helps you get past the error faster and avoid the same frustration if you run into it yourself.

References & Resources

Tags :
Share :

Related Posts

Migrate Microsoft Entra Connect Sync to Cloud Sync

Migrate Microsoft Entra Connect Sync to Cloud Sync

Entra ID is a foundational component for any organization leveraging Microsoft 365. As the identity provider behind Microsoft 365, it’s essential for accessing Microsoft cloud services, as there’s simply no way around it.

Read More
Force password change at next logon for hybrid identities in Entra

Force password change at next logon for hybrid identities in Entra

Many organizations still operate in a hybrid identity environment, where on-premises Active Directory accounts are synchronized with Entra ID. In such setups, there may still be the need to enforce password changes for users, similar to how it was traditionally managed within Active Directory.

Read More
Securing Direct Send in Exchange Online: closing the gaps in EOP-based MX setups

Securing Direct Send in Exchange Online: closing the gaps in EOP-based MX setups

In the previous article we explored how to identify emails sent via Direct Send in environments where the MX endpoints are configured to route through third-party services. Now, we’ll focus on detecting and securing Direct Send usage in tenants whose MX records point to Exchange Online Protection (EOP).

Read More