Identity Spine — Attribute Map
How every AD and Entra attribute maps into the unified Identity spine. Verified against Microsoft Entra Connect documentation (2026-07-02). 100 attributes · 29 conformed · 41 AD-only · 30 Entra-only.
Verified against Microsoft docs — 3 corrections applied:
- Extension attributes are conformed. On-prem AD extensionAttribute1–15 sync to Graph onPremisesExtensionAttributes by default (read-only in Entra) — same value, so Ext1–15 are one conformed set, not two.
- Created is AD-sourced. AD whenCreated ≠ Graph createdDateTime (= creation in Entra). Kept separate.
- EmployeeType doesn't sync AD→Entra by default — effectively AD-sourced.

| # | Type | AD LDAP attribute | AD model | Identity | Report label | Entra Graph property | Entra model | Synced | Notes |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Conformed | (derived: presence in AD/Entra/both) | (derived: presence in AD/Entra/both) | IdentitySource | Identity Source | (derived: presence in AD/Entra/both) | (derived: presence in AD/Entra/both) | Y | |
| 2 | Conformed | displayName | Users[DisplayName] | DisplayName | Display Name | displayName | EntraUsers[DisplayName] | Y | |
| 3 | Conformed | userPrincipalName | Users[UPN] | UPN | UPN | userPrincipalName | EntraUsers[UserPrincipalName] | Y | Alternate-ID setups: on-prem UPN → onPremisesUserPrincipalName instead. |
| 4 | Conformed | sAMAccountName | Users[SAM] | SAM | SAM Account | onPremisesSamAccountName | EntraUsers[OnPremisesSamAccountName] | Y | |
| 5 | Conformed | | Users[Email] | | | | EntraUsers[Mail] | Y | |
| 6 | Conformed | lastLogonTimestamp | Users[ADLastLogon] | LastActivity | Last Activity (hybrid) | lastActivity | EntraUsers[LastActivity] | Y | |
| 7 | Conformed | department | Users[Department] | Department | Department | department | EntraUsers[Department] | Y | |
| 8 | Conformed | company | Users[Company] | Company | Company | companyName | EntraUsers[CompanyName] | Y | |
| 9 | Conformed | l | Users[City] | City | City | city | EntraUsers[City] | Y | |
| 10 | Conformed | co / c / countryCode | Users[Country] | Country | Country | country | EntraUsers[Country] | Y | AD co/c/countryCode → Graph country mapping underdocumented by MS; verify empirically. |
| 11 | Conformed | employeeID | Users[EmpID] | EmployeeId | Employee ID | employeeId | EntraUsers[EmployeeId] | Y | |
| 12 | Conformed | employeeType | Users[EmpType] | EmployeeType | Employee Type | employeeType | EntraUsers[EmployeeType] | Y | CAVEAT: AD employeeType does NOT sync by default; Entra side usually null → effectively AD-sourced. |
| 13 | Conformed | (domain FQDN) | Users[Domain] | Domain | Domain | onPremisesDomainName | EntraUsers[OnPremisesDomainName] | Y | |
| 14 | Conformed | proxyAddresses | Users[ProxyAddresses] | ProxyAddresses | Proxy Addresses | proxyAddresses | EntraUsers[ProxyAddresses] | Y | |
| 15 | Conformed | extensionAttribute1 | Users[Ext1] | Ext1 | Extension 1 | extensionAttribute1 | EntraUsers[ExtensionAttribute1] | Y | |
| 16 | Conformed | extensionAttribute2 | Users[Ext2] | Ext2 | Extension 2 | extensionAttribute2 | EntraUsers[ExtensionAttribute2] | Y | |
| 17 | Conformed | extensionAttribute3 | Users[Ext3] | Ext3 | Extension 3 | extensionAttribute3 | EntraUsers[ExtensionAttribute3] | Y | |
| 18 | Conformed | extensionAttribute4 | Users[Ext4] | Ext4 | Extension 4 | extensionAttribute4 | EntraUsers[ExtensionAttribute4] | Y | |
| 19 | Conformed | extensionAttribute5 | Users[Ext5] | Ext5 | Extension 5 | extensionAttribute5 | EntraUsers[ExtensionAttribute5] | Y | |
| 20 | Conformed | extensionAttribute6 | Users[Ext6] | Ext6 | Extension 6 | extensionAttribute6 | EntraUsers[ExtensionAttribute6] | Y | |
| 21 | Conformed | extensionAttribute7 | Users[Ext7] | Ext7 | Extension 7 | extensionAttribute7 | EntraUsers[ExtensionAttribute7] | Y | |
| 22 | Conformed | extensionAttribute8 | Users[Ext8] | Ext8 | Extension 8 | extensionAttribute8 | EntraUsers[ExtensionAttribute8] | Y | |
| 23 | Conformed | extensionAttribute9 | Users[Ext9] | Ext9 | Extension 9 | extensionAttribute9 | EntraUsers[ExtensionAttribute9] | Y | |
| 24 | Conformed | extensionAttribute10 | Users[Ext10] | Ext10 | Extension 10 | extensionAttribute10 | EntraUsers[ExtensionAttribute10] | Y | |
| 25 | Conformed | extensionAttribute11 | Users[Ext11] | Ext11 | Extension 11 | extensionAttribute11 | EntraUsers[ExtensionAttribute11] | Y | |
| 26 | Conformed | extensionAttribute12 | Users[Ext12] | Ext12 | Extension 12 | extensionAttribute12 | EntraUsers[ExtensionAttribute12] | Y | |
| 27 | Conformed | extensionAttribute13 | Users[Ext13] | Ext13 | Extension 13 | extensionAttribute13 | EntraUsers[ExtensionAttribute13] | Y | |
| 28 | Conformed | extensionAttribute14 | Users[Ext14] | Ext14 | Extension 14 | extensionAttribute14 | EntraUsers[ExtensionAttribute14] | Y | |
| 29 | Conformed | extensionAttribute15 | Users[Ext15] | Ext15 | Extension 15 | extensionAttribute15 | EntraUsers[ExtensionAttribute15] | Y | |
| 30 | AD-only | userAccountControl | Users[Disabled] | ADDisabled | AD Disabled | N/A | N/A | — | |
| 31 | AD-only | lastLogonTimestamp | Users[ADLastLogon] | ADLastLogon | AD Last Logon | N/A | N/A | — | |
| 32 | AD-only | (derived) | Users[SeverityTier] | SeverityTier | Severity (staleness) | N/A | N/A | — | |
| 33 | AD-only | (derived) | Users[Findings] | Findings | Findings | N/A | N/A | — | |
| 34 | AD-only | division | Users[Division] | Division | Division | N/A | N/A | — | |
| 35 | AD-only | physicalDeliveryOfficeName | Users[Office] | Office | Office | N/A | N/A | — | |
| 36 | AD-only | st | Users[State] | State | State | N/A | N/A | — | |
| 37 | AD-only | employeeNumber | Users[EmpNumber] | EmployeeNumber | Employee Number | N/A | N/A | — | |
| 38 | AD-only | distinguishedName (derived) | Users[TopOU] | TopOU | Top OU | N/A | N/A | — | |
| 39 | AD-only | distinguishedName (derived) | Users[ParentOU] | ParentOU | Parent OU | N/A | N/A | — | |
| 40 | AD-only | proxyAddresses (derived) | Users[PrimarySMTP] | PrimarySMTP | Primary SMTP | N/A | N/A | — | |
| 41 | AD-only | (derived) | Users[MailProvStatus] | MailProvStatus | Mail Provisioning Status | N/A | N/A | — | |
| 42 | AD-only | targetAddress | Users[TargetAddress] | TargetAddress | Target Address | N/A | N/A | — | |
| 43 | AD-only | msExchRecipientTypeDetails | Users[MailboxType] | MailboxType | Mailbox Type | N/A | N/A | — | |
| 44 | AD-only | memberOf | Users[Groups] | ADGroups | AD Group Membership | N/A | N/A | — | |
| 45 | AD-only | distinguishedName | Users[DN] | DN | Distinguished Name | N/A | N/A | — | |
| 46 | AD-only | adminCount | Users[AdminCount] | AdminCount | Admin Count | N/A | N/A | — | |
| 47 | AD-only | (derived) | Users[IsTierZero] | IsTierZero | Is Tier Zero | N/A | N/A | — | |
| 48 | AD-only | (derived) | Users[AdminAccount] | AdminAccount | Admin Account | N/A | N/A | — | |
| 49 | AD-only | (derived) | Users[TierZeroFinding] | TierZeroFinding | Tier Zero Finding | N/A | N/A | — | |
| 50 | AD-only | userAccountControl | Users[TrustedForDelegation] | TrustedForDelegation | Trusted For Delegation | N/A | N/A | — | |
| 51 | AD-only | msDS-AllowedToDelegateTo | Users[ConstrainedDelegation] | ConstrainedDelegation | Constrained Delegation | N/A | N/A | — | |
| 52 | AD-only | msDS-AllowedToActOnBehalfOfOtherIdentity | Users[HasRBCD] | HasRBCD | Has RBCD | N/A | N/A | — | |
| 53 | AD-only | userAccountControl | Users[DontRequirePreAuth] | DontRequirePreAuth | Dont Require PreAuth | N/A | N/A | — | |
| 54 | AD-only | userAccountControl | Users[UseDesKeyOnly] | UseDesKeyOnly | Use DES Key Only | N/A | N/A | — | |
| 55 | AD-only | userAccountControl | Users[ProtocolTransition] | ProtocolTransition | Protocol Transition | N/A | N/A | — | |
| 56 | AD-only | userAccountControl | Users[NotDelegated] | NotDelegated | Not Delegated | N/A | N/A | — | |
| 57 | AD-only | servicePrincipalName | Users[SPN] | SPN | SPN | N/A | N/A | — | |
| 58 | AD-only | sIDHistory | Users[SIDHistoryCount] | SIDHistoryCount | SID History Count | N/A | N/A | — | |
| 59 | AD-only | msDS-SupportedEncryptionTypes | Users[KerbEncTypes] | KerbEncTypes | Kerberos Enc Types | N/A | N/A | — | |
| 60 | AD-only | passwordLastSet | Users[PwdLastSet] | PwdLastSet | Password Last Set | N/A | N/A | — | |
| 61 | AD-only | userAccountControl | Users[PwdNotReq] | PwdNotReq | Password Not Required | N/A | N/A | — | |
| 62 | AD-only | userAccountControl | Users[PwdNoExpiry] | PwdNoExpiry | Password Never Expires | N/A | N/A | — | |
| 63 | AD-only | whenCreated | Users[Created] | ADCreated | AD Created | N/A | N/A | — | |
| 64 | AD-only | whenChanged | Users[Modified] | ADModified | AD Modified | N/A | N/A | — | |
| 65 | AD-only | description | Users[Description] | Description | Description | N/A | N/A | — | |
| 66 | AD-only | (derived) | Users[MaturityContribution] | MaturityContribution | Maturity Contribution | N/A | N/A | — | |
| 67 | AD-only | (derived) | Users[CleanupCategory] | CleanupCategory | Cleanup Category | N/A | N/A | — | |
| 68 | AD-only | objectGUID | Users[GUID] | GUID | AD Object GUID | N/A | N/A | — | |
| 69 | AD-only | objectSid | Users[SID] | SID | AD SID | N/A | N/A | — | |
| 70 | AD-only | whenCreated | Users[Created] | Created | Created | N/A | N/A | — | CORRECTED: AD whenCreated (AD-sourced). Graph createdDateTime = Entra creation, NOT AD creation — kept separate as EntraCreated. |
| 71 | Entra-only | N/A | N/A | HybridState | Hybrid State | hybridState | EntraUsers[HybridState] | cloud-native | |
| 72 | Entra-only | N/A | N/A | MatchQuality | Match Quality | matchQuality | EntraUsers[MatchQuality] | cloud-native | |
| 73 | Entra-only | N/A | N/A | EntraEnabled | Entra Account Enabled | accountEnabled | EntraUsers[AccountEnabled] | cloud-native | |
| 74 | Entra-only | N/A | N/A | JobTitle | Job Title | jobTitle | EntraUsers[JobTitle] | cloud-native | |
| 75 | Entra-only | N/A | N/A | HireDate | Hire Date | employeeHireDate | EntraUsers[EmployeeHireDate] | cloud-native | |
| 76 | Entra-only | N/A | N/A | LeaveDate | Leave Date | employeeLeaveDateTime | EntraUsers[EmployeeLeaveDateTime] | cloud-native | |
| 77 | Entra-only | N/A | N/A | EntraObjectId | Entra Object ID | entraObjectId | EntraUsers[EntraObjectId] | cloud-native | |
| 78 | Entra-only | N/A | N/A | UserType | User Type | userType | EntraUsers[UserType] | cloud-native | |
| 79 | Entra-only | N/A | N/A | CreationType | Creation Type | creationType | EntraUsers[CreationType] | cloud-native | |
| 80 | Entra-only | N/A | N/A | ExternalUserState | External User State | externalUserState | EntraUsers[ExternalUserState] | cloud-native | |
| 81 | Entra-only | N/A | N/A | OnPremSyncEnabled | On-Prem Sync Enabled | onPremisesSyncEnabled | EntraUsers[OnPremisesSyncEnabled] | Y (synced onPrem* prop) | |
| 82 | Entra-only | N/A | N/A | OnPremLastSync | On-Prem Last Sync | onPremisesLastSyncDateTime | EntraUsers[OnPremisesLastSyncDateTime] | Y (synced onPrem* prop) | |
| 83 | Entra-only | N/A | N/A | OnPremSID | On-Prem SID (Entra) | onPremisesSecurityIdentifier | EntraUsers[OnPremisesSecurityIdentifier] | Y (synced onPrem* prop) | |
| 84 | Entra-only | N/A | N/A | LastInteractiveSignIn | Last Interactive Sign-In | lastInteractiveSignIn | EntraUsers[LastInteractiveSignIn] | cloud-native | |
| 85 | Entra-only | N/A | N/A | LastNonInteractiveSignIn | Last Non-Interactive Sign-In | lastNonInteractiveSignIn | EntraUsers[LastNonInteractiveSignIn] | cloud-native | |
| 86 | Entra-only | N/A | N/A | SignInAgeBand | Sign-In Age Band | signInAgeBand | EntraUsers[SignInAgeBand] | cloud-native | |
| 87 | Entra-only | N/A | N/A | NeverSignedIn | Never Signed In | neverSignedIn | EntraUsers[NeverSignedIn] | cloud-native | |
| 88 | Entra-only | N/A | N/A | GroupMembershipCount | Group Membership Count | groupMembershipCount | EntraUsers[GroupMembershipCount] | cloud-native | |
| 89 | Entra-only | N/A | N/A | EntraCreated | Entra Created | createdDateTime | EntraUsers[CreatedDateTime] | cloud-native | |
| 90 | Entra-only | N/A | N/A | EntraDeleted | Entra Deleted | deletedDateTime | EntraUsers[DeletedDateTime] | cloud-native | |
| 91 | Entra-only | N/A | N/A | LicenseStatus | License Status | licenseStatus | EntraUsers[LicenseStatus] | cloud-native | |
| 92 | Entra-only | N/A | N/A | AssignedLicenseSkus | Assigned License SKUs | assignedLicenseSkus | EntraUsers[AssignedLicenseSkus] | cloud-native | |
| 93 | Entra-only | N/A | N/A | AssignmentDetails | Assignment Details | assignmentDetails | EntraUsers[AssignmentDetails] | cloud-native | |
| 94 | Entra-only | N/A | N/A | HasDirectAssignment | Has Direct Assignment | hasDirectAssignment | EntraUsers[HasDirectAssignment] | cloud-native | |
| 95 | Entra-only | N/A | N/A | HasE1 | Has E1 | hasE1 | EntraUsers[HasE1] | cloud-native | |
| 96 | Entra-only | N/A | N/A | HasE5 | Has E5 | hasE5 | EntraUsers[HasE5] | cloud-native | |
| 97 | Entra-only | N/A | N/A | HasEMSE3 | Has EMS E3 | hasEMSE3 | EntraUsers[HasEMSE3] | cloud-native | |
| 98 | Entra-only | N/A | N/A | AssignedPlanCount | Assigned Plan Count | assignedPlanCount | EntraUsers[AssignedPlanCount] | cloud-native | |
| 99 | Entra-only | N/A | N/A | UsageLocation | Usage Location | usageLocation | EntraUsers[UsageLocation] | cloud-native | |
| 100 | Entra-only | N/A | N/A | PreferredLanguage | Preferred Language | preferredLanguage | EntraUsers[PreferredLanguage] | cloud-native | |

Sources: Entra Connect sync attributes · Graph user resource · Directory extensions. Generated by scripts/dev/build_identity_spine_map.py from src/semantic-model/model.bim — do not hand-edit; see BACKLOG 1.224.