User AD attributes & Tokens

CodeTwo Email Signatures 365 allows you to add Entra ID (Azure AD) attributes of your users to their email signatures and automatic replies (out of office messages). The program supports all the single-value attributes available in Microsoft 365 (Entra ID) and Microsoft Graph API. Multivalue attributes are not supported (learn more).

By default, the most common attributes related to message sender and message properties are available in the signature template editor (Fig. 1.). Additional attributes (such as extension attributes or user-defined attributes) may require further configuration to be accessible, as described later in this article.

The Placeholder menu allows you to insert Entra ID attributes to signatures.
Fig. 1. The Placeholder menu allows you to insert Entra ID attributes to signatures.

You can manage attribute related options by opening your Microsoft 365 tenant's settings in CodeTwo Admin Panel (Fig. 2.). To access them, sign in to CodeTwo Admin Panel, select your tenant on the Tenants page, and go to User AD attributes.

The User AD attributes settings in CodeTwo Admin Panel.
Fig. 2. The User AD attributes settings in CodeTwo Admin Panel.

Admin roles in CodeTwo Email Signatures 365

Read this article to find out who can perform the actions discussed further in the article.

Azure AD cache

CodeTwo Email Signatures 365 stores required user attributes in an internal cache and automatically synchronizes them with your tenant's Microsoft Entra ID (Azure Active Directory) every 20 minutes. This is necessary both to quickly add signatures with placeholders to emails sent by specific users based on current rules and to keep Entra ID load at a minimum. If necessary, you can manually update the Azure AD cache via the Update cache manually now button (Fig. 3.).

Manually updating user attributes in CodeTwo Azure AD cache.
Fig. 3. Manually updating user attributes in CodeTwo Azure AD cache.

First synchronization

The first synchronization (after you registered a new tenant) might take longer and depends on the size and structure of your Microsoft Entra ID. It usually takes a few minutes to complete if you have less than a thousand users. It may take even a few hours if you have thousands of users.

Additional attributes

The most common Entra ID (Azure AD) attributes, including Exchange Online (Microsoft 365) custom attributes 1-15, as well as CodeTwo custom attributes (as shown in Fig. 4.) are available in the signature template editor and can be inserted to email signatures and automatic replies as placeholders. Depending on your environment, you can also use additional attributes shown in the table below.

Exchange Online (Microsoft 365) custom attributes 1-15 and CodeTwo custom attributes available under the Placeholder menu.
Fig. 4. Exchange Online (Microsoft 365) custom attributes 1-15 and CodeTwo custom attributes available under the Placeholder menu.


Attributes
Are these attributes available in the signature editor?
Cloud (non-hybrid) environments Hybrid environments
Common AD / Entra ID attributes related to message sender (see full list here) Yes Yes
Exchange Online (Microsoft 365) custom attributes 1-15 Yes Yes
CodeTwo custom attributes (learn more) Yes Yes
Exchange Online (Microsoft 365) additional attributes: Initials, Notes, P.O. Box, Pager, Web page, Home phone Yes (additional synchronization required) Yes* (additional synchronization required)
Exchange Server custom attributes (extension attributes) 1-15; other local single-value attributes such as homePhone, info, etc.; non-standard attributes created in AD and synced to Entra ID No Yes (additional synchronization required)

* The listed Exchange Online additional attributes have their on-premises Exchange Server counterparts. Some of them can be used in email signatures in a hybrid environment only after performing an additional synchronization by using the Microsoft Entra Connect (Azure AD Connect) tool (for more information, refer to this section). In such case, on-premises attributes’ values will be mapped to Exchange Online ones (e.g. wWWHomePage will be mapped to Web page). At the same time, Exchange Online attribute names will be displayed in the signature template editor. Keep in mind that multivalue on-premises attributes (such as postOfficeBox) are not supported.

Choose your environment type to learn more about the available additional attributes.

Important

Exchange Online additional attributes can be used in the template editor only. On the other hand, you can use common attributes, Exchange Online custom attributes, attributes synced from on-prem Exchange Server, and CodeTwo custom attributes also when defining conditions of an email signature rule or an autoresponder rule (the Azure AD filter option).

Cloud (non-hybrid) environments

The following additional attributes: Initials, HomePhone, Notes, Pager, PostOfficeBox and WebPage are managed in the Exchange Online admin center. They are not automatically synced to CodeTwo and PowerShell commands need to be used to access them. If you want to use them in email signatures in the same way as other generally available placeholders (see details earlier in the article), you need to synchronize them with our service.

To do this, sign in to CodeTwo Admin Panel and select the Microsoft 365 tenant on the Tenants page for which you want to perform the sync. Next, go to User AD attributes and click the Synchronize attributes button in the Additional attributes section (Fig. 5.).

Starting the synchronization of additional attributes.
Fig. 5. Starting the synchronization of additional attributes.

Info

If you work in a non-hybrid environment but the Synchronize attributes button is not displayed, contact CodeTwo Support.

The Synchronize additional attributes pop-up window opens. We need your authorization to sync your additional attributes. Click Esig - Copy button to copy the temporary authorization code (Fig. 6.) and click Authorize. This will open a Microsoft sign-in page in a new tab in your browser.

The authorization code in the additional attribute synchronization window.
Fig. 6. The authorization code in the additional attribute synchronization window.

Paste the code and click Next. Sign in as a global admin of your Microsoft 365 tenant to proceed with the synchronization. Note that CodeTwo does not store, copy or have access to your admin credentials in the process.

When you're successfully signed in, the sign-in page will close. Back in the Synchronize additional attributes window, click OK to begin synchronizing additional attributes from your tenant with CodeTwo. The progress is shown in the Additional attributes section (Fig. 7.) – refresh the page to check the progress.

Synchronization of additional attributes in progress.
Fig. 7. Synchronization of additional attributes in progress.

When the status changes to Synchronized, you can start using the additional attributes in email signatures and automatic replies. They are now available in the signature template editor in the Placeholder > Message Sender menu (see Fig. 1.).

You need to run the synchronization wizard each time you make changes to these attributes in Exchange Online. Otherwise, outdated information will appear in your signatures.

Important

Shared mailboxes are not supported by this synchronization. However, if you need an extra set of additional attributes e.g. to use in an email signature for a shared mailbox, you can take advantage of our Attributes manager to create custom attributes and apply them in your signature template. Learn more

Hybrid environments

Hybrid Exchange & Microsoft 365 organizations can use on-premises directory extension attributes (such as homePhone, info, extensionAttribute1-15 and other single-value attributes from local Active Directory) in email signatures and automatic replies in the same way as other generally available placeholders (see attribute availability). But to be able to do so, these attributes need to be synchronized from on-premises Active Directory to Entra ID (Microsoft 365) using the Microsoft Entra Connect tool.

CodeTwo Admin Panel lets you verify if such synchronization is enabled for a specific Microsoft 365 tenant in your organization. To check that, sign in to CodeTwo Admin Panel, select the tenant on the Tenants page, and go to User AD attributes.

If your local AD attributes are correctly synced, the Additional attributes section looks as in Fig. 8. This means that all is set up and you can use them in email signatures - see guidelines.

This is how the Additional attributes section looks like when local attributes are synced.
Fig. 8. This is how the Additional attributes section looks like when local attributes are synced.

If your local AD attributes are not synced, the Additional attributes section looks as in Fig. 9.

This is how the section looks like when local attributes are not synced.
Fig. 9. This is how the section looks like when local attributes are not synced.

Info

If you have a hybrid environment, but you do not see the Additional attributes section as shown above, contact CodeTwo Support.

To synchronize these additional AD attributes, open your Microsoft Entra Connect (Azure AD Connect). Then, enable the Directory extension attribute sync feature in the Sync > Optional Features section, as shown in Fig. 10.

Configuration of Microsoft Entra Connect, step 1.
Fig. 10. Configuration of Microsoft Entra Connect, step 1.

Click Next to navigate to the Directory Extensions section (Fig. 11.). Select your attributes from the list on the left (you can choose any attributes from the list but they need to be single-valued to work) and move them to the list on the right. Complete the wizard by clicking Next.

Configuration of Microsoft Entra Connect, step 2.
Fig. 11. Configuration of Microsoft Entra Connect, step 2.

When you finish the configuration, the AD attributes you selected will be synchronized to Entra ID (Azure AD). The Additional attributes section in CodeTwo Admin Panel will confirm their availability (it will look like in Fig. 8.).

The additional on-premises directory extension attributes can now be used in email signatures – they are available in the Placeholder > Message Sender menu in the signature template editor (see Fig. 1.). ExtensionAttribute1-15 and less common AD attributes are available under Message Sender > Custom AD attributes, as shown in this example. Check out this article to learn how to use placeholders.

Why sometimes you can see both Microsoft 365 custom attributes 1-15 and local Extension attributes 1-15 in the signature template editor

If you're synchronizing the extensionAttribute1-15 from your local AD via Microsoft Entra Connect, their values will overwrite the values of your Microsoft 365 custom attributes 1-15. Both sets of attributes will be displayed in the editor's PlaceholderMessage Sender > Custom AD attributes menu and even though they have the same values, you need to use the Microsoft 365 custom attributes in your signatures.

CodeTwo attributes

You can manage user attributes stored in CodeTwo Azure AD cache and add new custom attributes by using the Attributes manager. Learn more

OAuth 2.0 tokens

To read users' Entra ID (Azure AD) attributes, the program accesses them via OAuth 2.0 access tokens. These tokens are generated by Microsoft’s trusted OAuth servers. By default, these tokens are generated for the global admin account used to register your Microsoft 365 tenant in CodeTwo Admin Panel, but you can use other global admin accounts within the same tenant to refresh them.

Important

Your credentials are completely safe as they are passed directly and only to Microsoft servers, which is ensured by the Azure's OAuth 2.0 authorization. CodeTwo does not store, copy or have access to your global admin credentials.

When tokens expire

Access tokens are set to not expire, but there are some exceptions. Tokens can expire if you change:

  • the password of the global admin account that was used to generate (or previously refresh) these tokens. This is usually the admin account that manages your tenant in CodeTwo Admin Panel;
  • the authentication method of that admin account, e.g. enable/disable multi-factor authentication (MFA);
  • the security settings in your organization;
  • the MFA service settings for trusted devices (learn more).

If the tokens expired, you need to refresh them or the application won't be able to read the values of user Entra ID attributes. This may lead to outdated user information appearing in your signatures.

How to refresh the OAuth 2.0 tokens

You will receive an email notification after your tokens expire. This message will contain a link to a website that allows you to refresh your tokens (you need your tenant's Microsoft 365 global admin account to do this).

You can also refresh the tokens at any time directly in CodeTwo Admin Panel. To do this, sign in to CodeTwo Admin Panel, select your tenant on the Tenants page, and go to Tokens in the left menu (Fig. 12.). Next, click Refresh tokens.

Refreshing the OAuth 2.0 tokens in CodeTwo Admin Panel.
Fig. 12. Refreshing the OAuth 2.0 tokens in CodeTwo Admin Panel.

This will open a Microsoft sign-in page in a new tab in your browser. Be sure to sign in by using the work account that belongs to a global admin of this tenant. Once done, the tokens will be refreshed automatically and the Token's status and Tokens' last refresh date fields (shown in Fig. 12.) will be updated accordingly.

See also

How to use Entra ID (Azure AD) attributes (placeholders) in the signature template editor

In this article

Was this information useful?