Automating Extension Attributes with Logic Apps

Automating Azure AD Device Extension Attributes with Logic Apps for Conditional Access

In this post, we'll go over how to use extension attributes on Azure AD devices to enhance Conditional Access policies. We'll also walk through how to automate the assignment of extension attributes with Azure Logic Apps, so that devices stay correctly tagged without manual work.

What are extension attributes and why are they useful?

Extension attributes are a set of additional, customizable properties provided by Microsoft Azure Active Directory (Azure AD) that can be used to store extra information (metadata) on objects such as users and devices. Each device object carries fifteen of them, extensionAttribute1 through extensionAttribute15, and in this post we will use one of them to add custom data to devices.

Every type of Azure AD device object is supported, so the attribute can be set on iPhones, Android devices, Macs, Linux and Windows machines alike.

So why use it? In this post we'll focus on using extension attributes to filter devices so that specific Conditional Access rules apply only to certain sets of devices.

Automating Extension Attribute Assignment with Logic Apps

I created a simple Logic App that allows you to manage device groups and assign custom tags to those groups. In its current setup, the Logic App updates the extensionAttribute15 on each device, but you can easily customize it to use any other extension attribute that fits your needs.

The Logic App works by looping through all devices in each specified group, checking if the device already has the correct tag assigned. If the tag is missing or incorrect, it updates the device with the appropriate tag automatically. This approach ensures your device metadata stays accurate and up to date without manual effort.

You can configure as many groups and corresponding tags as you like. Each group has a one-to-one relationship with a tag, which keeps Conditional Access policies based on these attributes straightforward to maintain. Keep the groups disjoint: a device that is a member of two configured groups with different tags would be rewritten on every run, since each group's loop only checks for its own tag.

Download the ARM template for the Logic App

Download the JSON for the Logic App

How to set up the Logic App

Creating the logic app

Go to the Azure Portal and search for Logic Apps.

Select Create new logic app.

Select your plan, in this case we will use "Consumption".

The cost of running this is very low, well below 1 euro per month.
Logic app consumption plan

Choose a name for your resource and select the resource group and region.

Now that the Logic App is created, we will configure it to use a managed identity.

Go to your newly created Logic App, under Settings select Identity, and under System assigned set Status to On. Managed identity is now turned on for your Logic App.

Managed identity for logic apps

Next we need to grant permissions to the managed identity so it has the rights to read and set the extension attribute on devices through Microsoft Graph.

The two Graph application permissions required are "Device.ReadWrite.All" and "GroupMember.Read.All". The first lets the managed identity read and write attributes on devices; the second lets it read the members of a group, which is needed because the app enumerates the devices that are members of the groups you select. Grant nothing beyond these two: the identity is tenant-wide, and anyone who can edit the Logic App can make it act with whatever permissions it holds.

Logic App permissions

To grant permissions to a managed identity we will use PowerShell. The script below adds only the two required permissions; you must change the name of your managed identity in it.

Download Script
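As an added example (this is not the downloadable script from the post), the following Microsoft Graph PowerShell SDK code does the same job: it looks up the Logic App's system-assigned identity by display name, finds the two Graph app roles, and assigns only those. It assumes the Microsoft.Graph module is installed and that the identity's service principal carries the same display name as the Logic App (which is how system-assigned identities appear); `$LogicAppName` is the only value you supply.

```powershell
# Added example: grant the Logic App's system-assigned managed identity the two
# Microsoft Graph application permissions the workflow needs, and nothing else.
# Assumption: the identity's service principal has the Logic App's display name.
param(
    [Parameter(Mandatory)] [string] $LogicAppName
)

# The signed-in admin needs to read service principals and create app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# The system-assigned managed identity shows up as a service principal named after the Logic App.
$mi = @(Get-MgServicePrincipal -Filter "displayName eq '$LogicAppName'")
if ($mi.Count -ne 1) {
    throw "Expected exactly one service principal named '$LogicAppName', found $($mi.Count). Is the system-assigned identity turned on?"
}
$mi = $mi[0]

# Only the two roles the workflow needs: write device attributes, read group membership.
$requiredRoles = @('Device.ReadWrite.All', 'GroupMember.Read.All')

# Collect roles already assigned against Graph so the script is safe to re-run.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    Select-Object -ExpandProperty AppRoleId

foreach ($roleName in $requiredRoles) {
    # Application-type app role on the Graph service principal with this value.
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Graph application role '$roleName' not found" }

    if ($existing -contains $role.Id) {
        Write-Host "Already assigned: $roleName"
        continue
    }

    # Assign the app role to the managed identity (principal and target SP are the same object).
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $mi.Id -PrincipalId $mi.Id `
        -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $roleName"
}
```

Run it as `.\Grant-LogicAppGraphRoles.ps1 -LogicAppName 'MyExtensionAttributeApp'` (file name is yours to choose). The script refuses to continue if the display name matches more than one service principal, so you do not accidentally grant Device.ReadWrite.All to a look-alike; if that happens, filter on the identity's object ID shown in the Logic App's Identity blade instead. Token caches mean the Logic App may take a few minutes to pick up the new roles.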

Now that the managed identity has the required permissions, we are ready to load the workflow into the Logic App. Below is a pre-made JSON definition that we will import.

Import logic app JSON

Download Pre-made logic app JSON

You will need to add your own groups and tags in the GroupTagPairs variable.

Go to your newly created logic app: Logic apps – Microsoft Azure

  • In Overview select Edit
Extension Attribute Logic App
  • Select Code View
Modify JSON in Logic Apps
  • Copy the entire JSON you downloaded before, paste it in and click Save

You can now go back to the designer and make any changes you want, for example the schedule (currently it runs at 22:00 CET every day).

You will need to add your own groups and tags. You do this by modifying the GroupTagPairs variable; you can add as many group/tag pairs as you like.

To change which extension attribute the tag is written to, modify the HTTP - Update ExtensionAttribute15 action located in the Scope under "For each - Add tag to device".
Add your own groups and device tags
Change which Extension Attribute is getting written to
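To make the workflow's logic and its Graph calls concrete (the per-group loop described earlier, the GroupTagPairs mapping, and the HTTP action that writes the attribute), here is the same procedure as an added PowerShell script against Microsoft Graph. It is not the Logic App definition from the post; it is meant for testing the calls by hand before trusting the scheduled run. The group IDs in `$GroupTagPairs` are placeholders you replace with your own, `$AttributeName` is the attribute you want written, and `-DryRun` only reports what would change.

```powershell
# Added example: tag devices in each configured group with that group's value,
# writing only when the current value differs. Mirrors the Logic App's loop.
# Placeholders: the group IDs below must be replaced with your own group object IDs.
param(
    [hashtable] $GroupTagPairs = @{
        '00000000-0000-0000-0000-000000000001' = 'Admin'   # placeholder group ID -> tag
        '00000000-0000-0000-0000-000000000002' = 'Pilot'   # placeholder group ID -> tag
    },
    # Only extensionAttribute1..15 exist on a device object.
    [ValidatePattern('^extensionAttribute([1-9]|1[0-5])$')]
    [string] $AttributeName = 'extensionAttribute15',
    [switch] $DryRun
)

# Interactive run: same rights the managed identity holds as application permissions.
Connect-MgGraph -Scopes 'Device.ReadWrite.All', 'GroupMember.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'
$changed = 0

foreach ($groupId in $GroupTagPairs.Keys) {
    $tag = $GroupTagPairs[$groupId]

    # The OData cast returns only the device members of the group (users and nested
    # groups are skipped); @odata.nextLink is followed so large groups are fully read.
    $uri = "$graph/groups/$groupId/members/microsoft.graph.device?`$select=id,displayName,extensionAttributes&`$top=999"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($device in $page.value) {
            $current = $device.extensionAttributes.$AttributeName
            if ($current -eq $tag) { continue }   # already correct, nothing to write

            Write-Host "$($device.displayName) [$($device.id)]: '$current' -> '$tag'"
            if ($DryRun) { continue }

            # This is the body the Logic App's HTTP action sends: PATCH /devices/{id}
            # with only the attribute we own; the other fourteen are left untouched.
            $body = @{ extensionAttributes = @{ $AttributeName = $tag } }
            Invoke-MgGraphRequest -Method PATCH -Uri "$graph/devices/$($device.id)" `
                -Body $body -ContentType 'application/json'
            $changed++
        }
        $uri = $page.'@odata.nextLink'
    }
}

Write-Host "Devices updated: $changed"
```

Run it once with `-DryRun` and compare the reported changes against what you expect from the group membership before letting the Logic App write anything. Two things the script makes visible that the designer view hides: a device that appears in two configured groups would flip between tags on every run, and a device removed from a group keeps its old tag, because neither the script nor the workflow clears attributes for devices that are no longer members. If you need the tag removed on group exit, add a pass over devices that carry the tag but are in none of the groups.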

The workflow runs inside a Scope, which lets us add an email or Teams notification if the workflow fails. This is not included in the JSON and must be added manually; the steps are below, but it is optional.

Adding notification on Error

You can get a notification if the workflow fails for any reason.

  • Add a Post message in a chat or channel or a Send an email action after the Scope.
Scope error handling in logic apps

Set the "Run after" of that action so it only executes if the Scope "Has timed out", "Is skipped" or "Has failed".

Post a message to teams in logic apps

You will now receive a notification if the workflow fails in any way. (Never had it fail)

Applying Conditional Access Based on Extension Attributes

So what can we use this for?

Most Conditional Access policies are built using user identities, group memberships, or default device properties. But what if you want more control and flexibility, like tagging certain devices as "Privileged", "Pilot" or "BYOD"? That's where extension attributes come into play.

Example scenario for the CA policy created below: you want your admins to be able to access certain resources only from specific devices (PAW, Privileged Access Workstation).
Why are privileged access devices important – Privileged access | Microsoft Learn

  • Go to Entra and the Conditional Access section
  • Create a new CA policy, in my example I name it: ADMINS – CA109 – BLOCK – Require PAW
  • Users: select the specific users, groups or roles that you want to be affected.
  • Resources: in my example I select Graph Explorer, Microsoft Intune PowerShell and Windows Azure Service Management API
  • Conditions: select "Filter for devices" in Exclude mode with the rule device.extensionAttribute15 -eq "Admin". We exclude the correctly tagged devices because they are the only devices this policy should not apply to.
  • Grant: Block access
Filter devices in Conditional Access

Now you are done. If the admins/users selected in this Conditional Access policy try to access any of the selected services from a device that does not carry ExtensionAttribute15 = "Admin" (including a device that is not registered in Azure AD at all, since the exclude-mode filter leaves unregistered devices in scope), they are blocked, and admins are forced to use the designated devices for sensitive resources. Note that the tag, the group that drives it and the Logic App that writes it now gate this policy, so restrict who can change the group membership and who can edit the Logic App.

It is recommended to run the policy in Report-only mode first so you can verify it behaves according to your requirements before turning it on.
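The same policy can be created with Microsoft Graph instead of the portal, which is useful for keeping it in source control alongside the Logic App. The script below is an added example, not part of the original post: it builds the policy exactly as described above (selected admin group, block grant, device filter in exclude mode) and creates it in report-only state. The group ID and application IDs are placeholders you must replace with your own; the resource application IDs are the ones shown for the apps you picked in the portal.

```powershell
# Added example: create the "Require PAW" Conditional Access policy in report-only
# mode via Microsoft Graph. All GUIDs below are placeholders to be replaced.
param(
    [string]   $AdminGroupId  = '00000000-0000-0000-0000-000000000001',    # placeholder admin group
    [string[]] $TargetAppIds  = @('00000000-0000-0000-0000-0000000000aa'), # placeholder resource app IDs
    [string]   $RequiredTag   = 'Admin',
    [ValidatePattern('^extensionAttribute([1-9]|1[0-5])$')]
    [string]   $AttributeName = 'extensionAttribute15'
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$policy = @{
    displayName = 'ADMINS - CA109 - BLOCK - Require PAW'
    # Report-only: sign-ins are evaluated and logged but not blocked. Switch to
    # 'enabled' only after the sign-in logs show the expected hits and no surprises.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($AdminGroupId) }
        applications   = @{ includeApplications = $TargetAppIds }
        clientAppTypes = @('all')
        devices        = @{
            deviceFilter = @{
                # Exclude the correctly tagged devices. Everything else, including
                # devices with no tag and devices not registered at all, stays in scope.
                mode = 'exclude'
                rule = "device.$AttributeName -eq `"$RequiredTag`""
            }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $policy -ContentType 'application/json'

Write-Host "Created policy $($created.id) ('$($created.displayName)') in state $($created.state)"
```

Before flipping `state` to `enabled`, make sure the account you are signed in with is either tagged or excluded from the policy: the block applies to the admin running this script too, and a tenant-wide lockout of the admin group from the Azure Service Management API is exactly the failure mode report-only exists to catch.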

You are done 😁
