Intune Device Extension Attributes: Read & Update via Graph

Published:

May 27, 2025

Modified:

min read

> >

Intune Device Extension Attributes: Manage Intune with Microsoft Graph PowerShell

By:

Vasil Michev

Vasil is a nine-time Microsoft MVP and expert with over a decade of experience in Microsoft cloud, lifecycle management, migration, adoption, and automation.

Many of the day-to-day tasks involving device objects in Microsoft 365 Intune require you to filter out a subset of the available inventory in order to apply a given action or create a report. Below is a streamlined guide to list, filter, update, or bulk-edit those attributes with the Graph SDK for PowerShell.

Inside this article:

How to Authenticate for Intune Device Access
How to Report on Intune Extension Attributes for Devices
How to Filter Devices by Intune Extension Attributes via Graph PowerShell
How to Update Intune Extension Attributes for Devices

Executive Summary

This guide explains how to manage Intune device extension attributes using Microsoft Graph PowerShell. It covers the roles and permissions required to access and modify these attributes; how to authenticate and establish a session; and how to report, filter, and update attribute values across your device inventory. Learn how to handle common SDK quirks, perform bulk operations, and query extension attributes reliably—even when dealing with inconsistent API behavior. Whether you're auditing devices or applying metadata for automation and scoping, this article provides actionable, tested PowerShell commands to manage your Intune devices.

Why Use Extension Attributes in Intune Device Metadata?

One of the easiest ways to apply such filters is based on the set of “custom attributes” that the Microsoft Graph exposes via the extensionAttributes resource. Known as CustomAttribute1-15 or extensionAttribute1-15, they are quite useful in scenarios where you need a quick and easy way to stamp additional metadata on devices, especially if you are not using Intune and its scoping functionalities.

Let’s take a look at how we can list, manage or report on said attributes via the Graph SDK for PowerShell.

Setting policies or tagging devices for security compliance? See our guide on advanced Intune security best practices.

Authenticate to Microsoft Graph for Intune Device Access

There are some prerequisites we need to meet first, as this is after all an admin functionality.

Required Roles and Permissions for Reading Intune Device Attributes

In order to be able to see the values of the extensionAttribute1-15 for device objects, any of the read-only Entra ID roles would do, but to be on the safe side, we can use the Global reader one. On the Graph API side of things, the minimum permission required is the Device.Read.All one.

Required Roles and Permissions for Writing Intune Device Attributes

When it comes to updating values for the extensionAttribute1-15, things are a bit more complicated. The minimum required role is the Intune administrator one, and when it comes to the Graph permissions required, you can use Device.ReadWrite.All, even though the official documentation lists the impersonation Directory.AccessAsUser.All scope as the minimum required one.

If using the application permissions model, the permission requirements are a bit simpler. For read-only operations all you need is the Device.Read.All scope, whereas for write operations, the Device.ReadWrite.All scope will do.

Establish a Graph PowerShell Session for Intune Device Access

With the above in mind, here’s how to establish a session for working with device’ custom attributes via the Graph SDK for PowerShell:

[ps]#For read-only access
Connect-MgGraph -Scopes Device.Read.All

#For write access
Connect-MgGraph -Scopes Device.ReadWrite.All[/ps]

How to Report on Intune Extension Attributes for Devices

Now that we know what the requirements are, here are some examples on how to read and report on custom attribute values for device objects. As mentioned above, the Graph API exposes the set of 15 custom attributes under the extensionAttributes blob. Due to the oddities in implementation, the corresponding Get-MgDevice cmdlet returns them as part of another blob, the infamous additionalProperties one. This makes the process a bit more complicated than it should be.

Get Custom Attribute Values for a Single Intune Device

Here's a quick example on how to get the set of custom attributes for a given device:

[ps]Get-MgDevice -DeviceId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | select -ExpandProperty AdditionalProperties[/ps]

As you might note from the output, only attributes that have values are displayed, due to yet another known issue with the Graph SDK for PowerShell (not handling null values properly). You might also want to get an output that only lists the extensionAttributes values and nothing else. This example should do:

[ps]$device = Get-MgDevice -DeviceId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
$device.AdditionalProperties['extensionAttributes'][/ps]

Apart from having to deal with the oddities of the Graph SDK for PowerShell, the process of querying device’s extension attributes is rather simple, as you can see from the examples above. Sadly, the “specialized” Entra PowerShell module currently handles this scenario in the exact same manner, so I will not be including examples here. If you wish to use it, just replace the Get-MgDevice cmdlet with Get-EntraDevice.

Export Intune Extension Attributes for All Devices

If you want to export a report of all devices within the organization and their corresponding custom attributes, the following cmdlet should help:

[ps]$Devices = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/devices?`$select=id,deviceId,displayName,extensionAttributes" -OutputType Json

($Devices | ConvertFrom-Json).Value | select displayName,Id,deviceId -ExpandProperty extensionAttributes | Export-Csv -NTI C:\temp\device_extension_attributes.csv[/ps]

For broader insights on building reliable Intune reports, our guide to reporting the right way in Intune covers the key components to include in your reports and best practices for reporting.

Filtering Devices by Intune Extension Attributes via Graph PowerShell

The resulting CSV file will give you a breakdown of the custom attribute values for all devices, which you can then use to quickly find or filter out devices with specific custom attribute values.

Filter Devices by Specific Intune Extension Attribute Values

Alternatively, you can also do the filter via the Graph, so let’s examine a few examples of that:

[ps]#Filter all devices with specific value for extensionAttribute1
Get-MgDevice -Filter "extensionAttributes/extensionAttribute1 eq 'test value'" -ConsistencyLevel eventual -CountVariable count

#Filter all devices NOT matching the specific value for extensionAttribute1
Get-MgDevice -Filter "extensionAttributes/extensionAttribute1 ne 'test value'" -ConsistencyLevel eventual -CountVariable count[/ps]

Use Advanced Query Parameters with Graph PowerShell

Keep in mind that using a filter against the set of extensionAttributes is considered an advanced query, and as such has additional requirements. When leveraging the Graph SDK for PowerShell, advanced queries require the use of both the -ConsistencyLevel and -CountVariable parameters.

As another example of using filters, here is how to list all devices that have “empty” (null) value of a given extension attribute.

[ps]#Filter all devices with null value for extensionAttribute1
Get-MgDevice -Filter "extensionAttributes/extensionAttribute1 eq null" -ConsistencyLevel eventual -CountVariable count

#Filter all devices with non-null value for extensionAttribute1
Get-MgDevice -Filter "extensionAttributes/extensionAttribute1 ne null" -ConsistencyLevel eventual -CountVariable count[/ps]

Update Intune Extension Attributes for One or More Devices

Thus far, we only covered “read” scenarios. Now, let’s also cover how to add or remove values for the extension attributes. Just as a reminder, there are certain permission requirements for that, so make sure you’ve followed the instructions above before trying any of the examples in this section.

Before making bulk changes to Intune attributes, review how to back up and restore your Intune configuration policies to prevent accidental misconfiguration.

Update a Single Intune Extension Attribute

Let’s start with an example of updating the value of a given extension attribute. To do that, we can leverage the Update-MgDevice cmdlet from the Graph SDK for PowerShell. Unfortunately, the cmdlet does not directly expose any parameters for working with extension attributes, so we need to leverage the blanket -BodyParameter instead.

[ps]#Update the value of extension attribute 4
Update-MgDevice -DeviceId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -BodyParameter @{"extensionAttributes" = @{"extensionAttribute4"="Value"}}[/ps]

Update Multiple Intune Extension Attributes at Once

For more complex operations, such as updating multiple extension attributes at the same time, it might be easier if you prepare the JSON payload beforehand and pass it. Here’s how:

[ps]#Update multiple extension attributes
$params = @{
    extensionAttributes = @{
        extensionAttribute4 = "value"
        extensionAttribute5 = "another_value"
    }
} | ConvertTo-Json

Update-MgDevice -DeviceId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -BodyParameter $params[/ps]

If any of the attributes you specified in the cmdlets above already has a value, it will be overwritten with the newly provided value. Attributes that you do not include in the payload will not be updated, so you don’t have to worry about inadvertently overwriting their values.

Remove or Nullify an Intune Extension Attribute

To remove, or nullify the value of an extension attribute, you can use one of the following:

[ps]#Remove the value for extension attribute 4
Update-MgDevice -DeviceId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -BodyParameter @{"extensionAttributes" = @{"extensionAttribute4"=""}}[/ps]

A keen-eyed observer might notice that we passed an empty string value above, instead of an actual $null. This is yet another oddity you have to be aware of, again due to the SDK’s inability to properly handle null values. In effect, Microsoft updated the backend to allow empty string values to equate to null values, and thus get the job done.

Bulk Update Intune Attributes Based on Device Criteria

As a final example, here is how we can bulk update the value for a given extension attribute on all devices matching some criteria, such as the device being Workspace joined:

[ps]#Bulk update custom attribute 10
Get-MgDevice -Filter "trustType eq 'Workplace'" | % { Update-MgDevice -DeviceId $($_.Id) -BodyParameter @{"extensionAttributes" = @{"extensionAttribute10"="In violation"}}}[/ps]

More Resources to Automate Intune Attribute Management

Manually tagging devices—and babysitting the scripts that do it—doesn’t scale. Miss one run and you’re out of compliance. Hand the script to the wrong person and you could wipe the wrong fleet.

If you need to off-load the heavy lifting, start here:

How to Monitor and Track Events in Intune – spot the device errors and policy drifts that usually trigger re-tagging work.
9 Must-Know Intune Security Best Practices – why extension attributes matter for zero-trust segmentation and Conditional Access.

Or, if you prefer to skip the manual work, CoreView’s Task Automation engine turns your one-off PowerShell into a fully audited, self-resetting workflow. Get scoped execution (so operators run the script only against the devices they own), event-driven automation, and a full paper-trail built in.