Microsoft Graph can be used to modify and manage properties of objects created in Azure Active Directory. For Graph to modify and manage those properties, the object in Office 365 must be a cloud-only object. Objects that are directory synchronized have their source of authority set to on-premises, which locks certain attribute sets out of modification in the cloud.
I recently worked with a customer that had a custom synchronization solution. This solution used Microsoft Graph to manage user properties from a directory they controlled. Each object was provisioned in Azure as a cloud-only object. Their application managed attributes including manager, proxy addresses, and custom attributes. These are the same attributes that are accessible through Exchange Online PowerShell.
Due to a misconfiguration, directory synchronization was enabled. The solution used to provide the sync interface successfully matched each user in Azure to their corresponding entry in the database. This in turn converted the objects from cloud-only to directory synchronized. Once this change occurred, the Graph application that had previously been managing the attributes was no longer able to manage them.
Once this misconfiguration was identified, the customer disabled directory synchronization. The disablement process can take several hours to complete, but it did successfully convert all objects back to cloud-only. Although the objects were now cloud-only, subsequent Graph updates still failed. Specifically, attributes that would typically be set through Exchange Online PowerShell interfaces, such as custom attributes, were failing. Other attributes, such as name, updated successfully.
This is a sample error from the Graph application:
Operation failed
Error:
Error executing request. An Azure Active Directory call was made to keep object in sync between Azure Active Directory and Exchange Online. However, it failed. Detailed error message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration. DualWrite (Graph) RequestId: 689d3418-cce2-4de1-9d8a-bc8399be91f4 The issue may be transient and please retry a couple of minutes later. If issue persists, please see exception members for more information.
This error is counterintuitive, since we had already confirmed that directory synchronization was disabled. Why would we receive an error that the object is mastered on-premises? The cause is that the object was cloud-only, was converted to directory synchronized, and was then converted back to cloud-only. When the conversion between states occurs, certain attributes are assigned to the workloads they were designed for. In this case the extension attributes are not natively part of Azure Active Directory; they exist to service Exchange Online. During the conversion these attributes are added to a hidden attribute set that restricts their editing to the platform they are linked to. Because the extension attributes here belong to Exchange Online, they can no longer be edited through Azure Active Directory and must instead be edited in Exchange Online. We were able to demonstrate that the attributes were successfully modified using Exchange Online.
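The workaround described above, written up as an added example that is not part of the original post or the customer's application: attempt the Graph update for a cloud-only user and, only when Graph returns the "on-premises mastered" DualWrite failure, write the same value through Exchange Online PowerShell. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the signed-in account holds User.ReadWrite.All plus Exchange recipient-management rights.

```powershell
# Added example (not from the original post). Updates extensionAttribute1 for one user,
# falling back to Exchange Online when Graph refuses the write after a sync round trip.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $Value   # written to extensionAttribute1 / CustomAttribute1
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'
$user = Get-MgUser -UserId $UserPrincipalName -Property id,onPremisesSyncEnabled,displayName

# A user still flagged as directory synchronized is mastered on-premises by design;
# that is the normal case, not the post-disablement case discussed in the post.
if ($user.OnPremisesSyncEnabled) {
    throw "$UserPrincipalName is still directory synchronized; change the attribute on-premises."
}

try {
    # Direct Graph PATCH of the Exchange-owned extension attribute.
    $body = @{ onPremisesExtensionAttributes = @{ extensionAttribute1 = $Value } }
    Invoke-MgGraphRequest -Method PATCH -Uri "v1.0/users/$($user.Id)" -Body $body -ErrorAction Stop
    Write-Host "Graph update succeeded for $UserPrincipalName"
}
catch {
    # Only the specific DualWrite failure from the post is handled; anything else is re-thrown.
    if ($_.Exception.Message -notmatch 'on-premises mastered Directory Sync objects') { throw }
    Write-Warning "Graph refused extensionAttribute1 on a cloud-only user; writing via Exchange Online."

    Connect-ExchangeOnline -ShowBanner:$false
    Set-Mailbox -Identity $UserPrincipalName -CustomAttribute1 $Value

    # Read back to confirm the Exchange Online write actually took effect.
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    if ($mbx.CustomAttribute1 -ne $Value) { throw 'Exchange Online write did not persist.' }
    Write-Host "Exchange Online update succeeded for $UserPrincipalName"
}
```

CustomAttribute1 on the mailbox is the Exchange Online view of extensionAttribute1 in Graph, which is why the fallback targets that parameter.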
If you have software that depends on the Graph interfaces to manage all user attributes, do not convert those users to directory synchronized. Architectural changes to Azure Active Directory are pending that will remove this limitation and allow Graph updates to continue for attributes belonging to other workloads even after users are converted between cloud synchronization states.