Merge pull request #239447 from davidmu1/filerename1

file rename and move

Author: American-Dipper

.openpublishing.redirection.active-directory.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path_from_root": "/articles/active-directory/develop/active-directory-schema-extensions.md",
+      "redirect_url": "/azure/active-directory/develop/schema-extensions",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-optional-claims.md",
       "redirect_url": "/azure/active-directory/develop/optional-claims",

articles/active-directory/develop/TOC.yml

@@ -84,7 +84,7 @@
           href: custom-extension-overview.md
         - name: Custom claims provider
           href: custom-claims-provider-overview.md
-    - name: Security best practices
+    - name: Security
       displayName: least privilege, secure app configuration, conditional access
       items:
         - name: Application security
@@ -93,8 +93,22 @@
           href: secure-least-privileged-access.md
         - name: Secure access control using groups
           href: secure-group-access-control.md
-        - name: Validate claims
-          href: claims-validation.md
+        - name: Tokens and claims
+          items:
+            - name: Tokens and claims overview
+              href: security-tokens.md
+            - name: Access tokens
+              href: access-tokens.md
+            - name: Directory extension attributes
+              href: schema-extensions.md
+            - name: ID tokens
+              href: id-tokens.md
+            - name: Refresh tokens
+              href: refresh-tokens.md
+            - name: Token lifetime
+              href: configurable-token-lifetimes.md
+            - name: Validate claims
+              href: claims-validation.md
         - name: Zero Trust
           href: zero-trust-for-developers.md
     - name: Identity platform best practices
@@ -448,8 +462,7 @@
               href: saml-claims-customization.md
             - name: Set an access token lifetime policy
               href: configure-token-lifetimes.md
-            - name: Directory extension attributes
-              href: active-directory-schema-extensions.md
+            
             - name: SAML app multi-instancing
               displayName: Configure SAML app multi-instancing for an application
               href: reference-app-multi-instancing.md
@@ -799,17 +812,6 @@
                   href: v2-oauth-ropc.md
                 - name: OpenID Connect
                   href: v2-protocols-oidc.md
-            - name: Security tokens
-              displayName: bearer, ID token, access token
-              items:
-                - name: Access tokens
-                  href: access-tokens.md
-                - name: ID tokens
-                  href: id-tokens.md
-                - name: Refresh tokens
-                  href: refresh-tokens.md
-                - name: Token lifetime
-                  href: configurable-token-lifetimes.md
             - name: OAuth 2.0 application types
               displayName: App types, OAuth
               href: v2-app-types.md

articles/active-directory/develop/active-directory-schema-extensions.md

@@ -0,0 +1,74 @@
+---
+title: Directory extension attributes in claims
+description: Describes directory extension attributes that are used for sending user data to applications in token claims.
+services: active-directory
+author: davidmu1
+manager: CelesteDG
+ms.service: active-directory
+ms.subservice: develop
+ms.custom: aaddev, curation-claims
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 05/26/2023
+ms.author: davidmu
+ms.reviewer: ludwignick, rahulnagraj, alamaral
+---
+# Directory extension attributes in claims
+
+Directory extension attributes provide a way to store more data on directory objects such as users. Only extension attributes on user objects can be used for emitting claims to applications. This article describes how to use directory extension attributes for sending user data to applications in token claims.
+
+> [!NOTE]
+> Microsoft Graph provides three other extension mechanisms to customize Graph objects. These are the extension attributes 1-15, open extensions, and schema extensions. See the [Microsoft Graph documentation](/graph/extensibility-overview) for details. Data stored on Microsoft Graph objects using open and schema extensions aren't available as sources for claims in tokens.
+
+Directory extension attributes are always associated with an application in the tenant. The name of the directory attribute includes the *appId* of the application in its name.
+
+The identifier for a directory extension attribute is of the form `extension_xxxxxxxxx_AttributeName`.  Where `xxxxxxxxx` is the *appId* of the application the extension was defined for, with only characters 0-9 and A-Z.
+
+## Register and use directory extensions
+
+Register directory extension attributes in one of the following ways:
+
+- Configure Azure AD Connect to create them and to sync data into them from on-premises. See [Azure AD Connect Sync Directory Extensions](../hybrid/how-to-connect-sync-feature-directory-extensions.md).
+- Use Microsoft Graph to register, set the values of, and read from [directory extensions](/graph/extensibility-overview#directory-azure-ad-extensions). [PowerShell cmdlets](/powershell/azure/active-directory/using-extension-attributes-sample) are also available.
+
+### Emit claims with data from Azure AD Connect
+
+Directory extension attributes created and synced using Azure AD Connect are always associated with the application ID used by Azure AD Connect. These attributes can be used as a source for claims both by configuring them as claims in **Enterprise Applications** configuration in the Portal. After a directory extension attribute is created using AD Connect, it's displayed in the SAML SSO claims configuration.
+
+### Emit claims using Graph or PowerShell
+
+If a directory extension attribute is registered for using Microsoft Graph or PowerShell, the application can be configured to receive data in that attribute when the user signs in. The application can be configured to receive data in directory extensions that are registered on the application using [optional claims](optional-claims.md) that can be set in the application manifest. 
+
+Multi-tenant applications can then register directory extension attributes for their own use. When the application is provisioned into a tenant, the associated directory extensions become available and consumed for users in that tenant. After the directory extension is available, it can be used to store and retrieve data using Microsoft Graph. The directory extension can also map to claims in tokens the Microsoft identity platform emits to applications.
+
+If an application needs to send claims with data from an extension attribute that's registered on a different application, a [claims mapping policy](active-directory-claims-mapping.md) must be used to map the extension attribute to the claim. 
+
+A common pattern for managing directory extension attributes is to register an application specifically for all the directory extensions that you need. When you use this type of application, all the extensions have the same appID in their name.
+
+For example, the following code shows a claims-mapping policy to emit a single claim from a directory extension attribute in an OAuth/OIDC token:
+
+```json
+{
+    "ClaimsMappingPolicy": {
+        "Version": 1,
+        "IncludeBasicClaimSet": "false",
+        "ClaimsSchema": [{
+                "Source": "User",
+                "ExtensionID": "extension_xxxxxxx_test",
+                "JWTClaimType": "http://schemas.contoso.com/identity/claims/exampleclaim"
+            },
+        ]
+    }
+}
+```
+
+Where `xxxxxxx` is the appID (or Client ID) of the application that the extension was registered with.
+
+> [!WARNING]
+> When you define a claims mapping policy for a directory extension attribute, use the `ExtensionID` property instead of the `ID` property within the body of the `ClaimsSchema` array, as shown in the previous example.
+
+> [!TIP]
+> Case consistency is important when you set directory extension attributes on objects. Extension attribute names aren't case sensitive when being set up, but they are case sensitive when being read from the directory by the token service. If an extension attribute is set on a user object with the name "LegacyId" and on another user object with the name "legacyid", when the attribute is mapped to a claim using the name "LegacyId" the data is successfully retrieved and the claim included in the token for the first user but not the second.
+
+## Next steps
+- Learn how to [customize claims emitted in tokens for a specific app](active-directory-claims-mapping.md).