B2C Custom Attributes not showing when created using Graph API directory schema API

Question

Using the extension API documented here:

https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions

in conjuction with the B2C Graph Client sample:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet

I created a custom attribute via the AD Graph API for directory schema extensions using this API:

POST 
https://graph.windows.net/contoso.onmicrosoft.com/applications/<applicationObjectId>/extensionProperties?api-version=1.6
{
    name: "OrgRoleId",
    dataType: "String",
    targetObjects: [
        "User"
    ]
}

(Note I changed the API version to 1.6).

The API created custom attributes appear using the B2CGraphClient sample and has the same data as those registered via the Azure portal for B2C.

However, these API created custom attributes don't appear in the Azure portal 'User attributes' blade for the tenant, while those custom attributes created via the Azure portal for the B2C tenant do.

Note that I can successfully read and write these extension values for users (via the Graph API). I just cannot put them into claims because they don't appear on the 'User attributes' blade nor the policy claims blade in the Azure portal, and therefore they are not added as claims to the token.

What I am missing/doing wrong?

Output from B2C.exe Get-extension-attribute <b2c-extensions-app objectId>. *_Test1 appears (portal created), while *_UserRoleId does not (API created):

{
  "odata.metadata": "https://graph.windows.net/<tenant_id>/$metadata#directoryObjects/Microsoft.DirectoryServices.ExtensionProperty",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "f58bc813-632c-486b-bff1-61695eeab691",
      "deletionTimestamp": null,
      "appDisplayName": "",
      "name": "extension_<object_id>_Test1",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    },
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "5e69b2d9-1ab0-463f-a231-5c188e92b4a1",
      "deletionTimestamp": null,
      "appDisplayName": "",
      "name": "extension_<object_id>_UserRoleId",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    }
    ...

Answer 1

When you add an extension attribute through the portal, it is created in the directory and owned by the b2c-extensions-app application and it is also added to a tenant-wide policy. That is what allows you to use them in application policies as you create them.

When you create an extension attribute using Graph API, it is not added to the policy and usually created on an application other than b2c-extensions-app. You can use these properties directly in custom policies, but they will not appear in the portal and cannot be used in the policies created through the portal.

It is a best practice to just create the extension properties through the portal so they are available for all policies. This allows customers to mix and match custom policies with built-in b2c user flows.