User AD attributes & Tokens
CodeTwo Email Signatures 365 allows you to add Entra ID (Azure AD) attributes of your users to their email signatures and automatic replies (out of office messages). The program supports all the single-value attributes available in Microsoft 365 (Entra ID) and Microsoft Graph API. Multivalue attributes are not supported (learn more).
By default, the most common attributes related to message sender and message properties are available in the signature template editor (Fig. 1.). Additional attributes (such as extension attributes or user-defined attributes) may require further configuration to be accessible, as described later in this article.
You can manage attribute-related options by opening your Microsoft 365 tenant's settings in CodeTwo Admin Panel (Fig. 2.). To access them, sign in to CodeTwo Admin Panel, select your tenant on the Tenants page, and go to User AD attributes.
Admin roles in CodeTwo Email Signatures 365
Read this article to find out who can perform the actions discussed further in the article.
CodeTwo Email Signatures 365 stores required user attributes in an internal cache and automatically synchronizes them with your tenant's Microsoft Entra ID (Azure Active Directory) every 20 minutes. This is necessary both to quickly add signatures with placeholders to emails sent by specific users based on current rules and to keep Entra ID load at a minimum. If necessary, you can manually update the Azure AD cache via the Update cache manually now button (Fig. 3.).
The first synchronization (after you register a new tenant) might take longer, depending on the size and structure of your Microsoft Entra ID. It usually takes a few minutes to complete if you have fewer than a thousand users. It may even take a few hours if you have thousands of users.
The most common Entra ID (Azure AD) attributes, including Exchange Online (Microsoft 365) custom attributes 1-15, as well as CodeTwo custom attributes (as shown in Fig. 4.), are available in the signature template editor and can be inserted into email signatures and automatic replies as placeholders. Depending on your environment, you can also use additional attributes shown in the table below.
|Are these attributes available in the signature editor?
|Cloud (non-hybrid) environments
|Common AD / Entra ID attributes related to message sender (see full list here)
|Exchange Online (Microsoft 365) custom attributes 1-15
|CodeTwo custom attributes (learn more)
|Exchange Online (Microsoft 365) additional attributes: Initials, Notes, P.O. Box, Pager, Web page, Home phone
|Yes (additional synchronization required)
|Yes* (additional synchronization required)
|Exchange Server custom attributes (extension attributes) 1-15; other local single-value attributes such as homePhone, info, etc.; non-standard attributes created in AD and synced to Entra ID
|Yes (additional synchronization required)
* The listed Exchange Online additional attributes have their on-premises Exchange Server counterparts. Some of them can be used in email signatures in a hybrid environment only after performing an additional synchronization by using the Microsoft Entra Connect (Azure AD Connect) tool (for more information, refer to this section). In such a case, the values of on-premises attributes will be mapped to the Exchange Online ones (e.g. wWWHomePage will be mapped to Web page). At the same time, Exchange Online attribute names will be displayed in the signature template editor. Keep in mind that multivalue on-premises attributes (such as postOfficeBox) are not supported.
Choose your environment type to learn more about the available additional attributes.
Exchange Online additional attributes can be used in the template editor only. On the other hand, you can use common attributes, Exchange Online custom attributes, attributes synced from on-prem Exchange Server, and CodeTwo custom attributes also when defining conditions of an email signature rule or an autoresponder rule (the Azure AD filter option).
The following additional attributes: Initials, HomePhone, Notes, Pager, PostOfficeBox and WebPage are managed in the Exchange Online admin center. They are not automatically synced to CodeTwo and PowerShell commands need to be used to access them. If you want to use them in email signatures in the same way as other generally available placeholders (see details earlier in the article), you need to synchronize them with our service.
To do this, sign in to CodeTwo Admin Panel and select the Microsoft 365 tenant on the Tenants page for which you want to perform the sync. Next, go to User AD attributes and click the Synchronize attributes button in the Additional attributes section (Fig. 5.).
If you work in a non-hybrid environment but the Synchronize attributes button is not displayed, contact CodeTwo Support.
The Synchronize additional attributes pop-up window opens. We need your authorization to sync your additional attributes. Click to copy the temporary authorization code (Fig. 6.) and click Authorize. This will open a Microsoft sign-in page in a new tab in your browser.
Paste the code and click Next. Sign in as a global admin of your Microsoft 365 tenant to proceed with the synchronization. Note that CodeTwo does not store, copy or have access to your admin credentials in the process.
When you're successfully signed in, the sign-in page will close. Back in the Synchronize additional attributes window, click OK to begin synchronizing additional attributes from your tenant with CodeTwo. The progress is shown in the Additional attributes section (Fig. 7.) – refresh the page to check the progress.
When the status changes to Synchronized, you can start using the additional attributes in email signatures and automatic replies. They are now available in the signature template editor in the Placeholder > Message Sender menu (see Fig. 1.).
You need to run the synchronization wizard each time you make changes to these attributes in Exchange Online. Otherwise, outdated information will appear in your signatures.
Shared mailboxes are not supported by this synchronization. However, if you need an extra set of additional attributes e.g. to use in an email signature for a shared mailbox, you can take advantage of our Attributes manager to create custom attributes and apply them in your signature template. Learn more
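The six additional attributes can be reviewed in Exchange Online PowerShell before they are synchronized and become available as signature placeholders. The script below is an added example, not CodeTwo's own code; it assumes the ExchangeOnlineManagement module is installed, and the CSV file name is a placeholder.

```powershell
# Added example: list what the six additional attributes currently hold
# for user mailboxes, and flag attributes that carry more than one value
# (multivalue attributes are not supported in signatures).
Connect-ExchangeOnline

$additional = 'Initials', 'HomePhone', 'Notes', 'Pager', 'PostOfficeBox', 'WebPage'

# Shared mailboxes are left out because the synchronization does not cover them.
$report = Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object {
        $user  = $_
        $row   = [ordered]@{ UserPrincipalName = $user.UserPrincipalName }
        $multi = @()
        foreach ($name in $additional) {
            # Enumerate the value (PostOfficeBox is a collection) and drop empties.
            $values = @($user.$name | Where-Object { $_ })
            if ($values.Count -gt 1) { $multi += $name }
            $row[$name] = $values -join '; '
        }
        $row['MultiValued'] = $multi -join ', '
        [pscustomobject]$row
    }

# Keep only users who have at least one of the six attributes filled in.
$populated = $report | Where-Object {
    $r = $_
    $additional | Where-Object { $r.$_ }
}

# Placeholder output path; review Notes and HomePhone values in particular,
# since every synchronized value can end up in outgoing mail.
$populated | Export-Csv -Path .\additional-attributes.csv -NoTypeInformation -Encoding UTF8

# Attributes listed here hold several values and will not work as placeholders.
$populated | Where-Object MultiValued |
    Format-Table UserPrincipalName, MultiValued -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Saving the CSV from each run and comparing it with the previous one shows whether values changed in Exchange Online since the last synchronization.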
Hybrid Exchange & Microsoft 365 organizations can use on-premises directory extension attributes (such as homePhone, info, extensionAttribute1-15 and other single-value attributes from local Active Directory) in email signatures and automatic replies in the same way as other generally available placeholders (see attribute availability). But to be able to do so, these attributes need to be synchronized from on-premises Active Directory to Entra ID (Microsoft 365) using the Microsoft Entra Connect tool.
CodeTwo Admin Panel lets you verify if such synchronization is enabled for a specific Microsoft 365 tenant in your organization. To check that, sign in to CodeTwo Admin Panel, select the tenant on the Tenants page, and go to User AD attributes.
If your local AD attributes are correctly synced, the Additional attributes section looks as in Fig. 8. This means that all is set up and you can use them in email signatures - see guidelines.
If you have a hybrid environment, but you do not see the Additional attributes section as shown above, contact CodeTwo Support.
To synchronize these additional AD attributes, open your Microsoft Entra Connect (Azure AD Connect). Then, enable the Directory extension attribute sync feature in the Sync > Optional Features section, as shown in Fig. 10.
Click Next to navigate to the Directory Extensions section (Fig. 11.). Select your attributes from the list on the left (you can choose any attributes from the list but they need to be single-valued to work) and move them to the list on the right. Complete the wizard by clicking Next.
When you finish the configuration, the AD attributes you selected will be synchronized to Entra ID (Azure AD). The Additional attributes section in CodeTwo Admin Panel will confirm their availability (it will look as in Fig. 8.).
The additional on-premises directory extension attributes can now be used in email signatures – they are available in the Placeholder > Message Sender menu in the signature template editor (see Fig. 1.). ExtensionAttribute1-15 and less common AD attributes are available under Message Sender > Custom AD attributes, as shown in this example. Check out this article to learn how to use placeholders.
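The result of the Entra Connect configuration can also be checked from the Entra ID side with Microsoft Graph PowerShell. The script below is an added example, not CodeTwo's own code; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules, relies on Entra Connect registering synced directory extensions on the application named Tenant Schema Extension App, and uses user@example.com as a placeholder account.

```powershell
# Added example: list directory extension attributes synced to Entra ID
# and confirm that each one is single-valued.
Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All'

# Entra Connect registers synced directory extensions on this application.
$app = Get-MgApplication -Filter "displayName eq 'Tenant Schema Extension App'" |
    Select-Object -First 1
if (-not $app) {
    throw 'Tenant Schema Extension App not found: no directory extensions are synced to this tenant.'
}

# Extension names look like extension_<32 hex characters>_<attributeName>.
$synced = Get-MgApplicationExtensionProperty -ApplicationId $app.Id -All |
    Where-Object { $_.TargetObjects -contains 'User' } |
    ForEach-Object {
        [pscustomobject]@{
            Attribute     = $_.Name -replace '^extension_[0-9a-fA-F]{32}_', ''
            GraphName     = $_.Name
            DataType      = $_.DataType
            IsMultiValued = [bool]$_.IsMultiValued
        }
    }

$synced | Sort-Object Attribute | Format-Table -AutoSize

# Only single-valued attributes work as signature placeholders.
$unusable = $synced | Where-Object IsMultiValued
if ($unusable) {
    Write-Warning ('Multi-valued, not usable as placeholders: ' +
        ($unusable.Attribute -join ', '))
}

# Spot-check the synced values for one user (placeholder UPN).
if ($synced) {
    $user = Get-MgUser -UserId 'user@example.com' -Property $synced.GraphName
    foreach ($ext in $synced) {
        '{0} = {1}' -f $ext.Attribute, $user.AdditionalProperties[$ext.GraphName]
    }
}

Disconnect-MgGraph | Out-Null
```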
Why you can sometimes see both Microsoft 365 custom attributes 1-15 and local Extension attributes 1-15 in the signature template editor
If you're synchronizing the extensionAttribute1-15 from your local AD via Microsoft Entra Connect, their values will overwrite the values of your Microsoft 365 custom attributes 1-15. Both sets of attributes will be displayed in the editor's Placeholder > Message Sender > Custom AD attributes menu and even though they have the same values, you need to use the Microsoft 365 custom attributes in your signatures.
You can manage user attributes stored in CodeTwo Azure AD cache and add new custom attributes by using the Attributes manager. Learn more
To read users' Entra ID (Azure AD) attributes, the program accesses them via OAuth 2.0 access tokens. These tokens are generated by Microsoft’s trusted OAuth servers. By default, these tokens are generated for the global admin account used to register your Microsoft 365 tenant in CodeTwo Admin Panel, but you can use other global admin accounts within the same tenant to refresh them.
Your credentials are completely safe as they are passed directly and only to Microsoft servers, which is ensured by Azure's OAuth 2.0 authorization. CodeTwo does not store, copy or have access to your global admin credentials.
Access tokens are set to not expire, but there are some exceptions. Tokens can expire if you change:
- the password of the global admin account that was used to generate (or previously refresh) these tokens. This is usually the admin account that manages your tenant in CodeTwo Admin Panel;
- the authentication method of that admin account, e.g. enable/disable multi-factor authentication (MFA);
- the security settings in your organization;
- the MFA service settings for trusted devices (learn more).
If the tokens have expired, you need to refresh them or the application won't be able to read the values of user Entra ID attributes. This may lead to outdated user information appearing in your signatures.
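The first condition in the list can be checked against Entra ID directly. The function below is an added example, not CodeTwo's own code; it assumes the Microsoft.Graph.Users module, and its name and parameters are hypothetical. It covers a password change or sign-in session revocation only; changes to MFA or organization security settings are not visible in these two properties.

```powershell
# Added example: compare the admin account's last password change and
# session revocation time with the "Tokens' last refresh date" shown on
# the Tokens page in CodeTwo Admin Panel (entered by hand, in UTC).
function Test-TokenRefreshNeeded {
    param(
        [Parameter(Mandatory)] [string]   $AdminUpn,
        [Parameter(Mandatory)] [datetime] $LastTokenRefreshUtc
    )

    $user = Get-MgUser -UserId $AdminUpn -Property @(
        'userPrincipalName',
        'lastPasswordChangeDateTime',
        'signInSessionsValidFromDateTime'
    )

    # Graph returns both timestamps in UTC. Refresh tokens issued before
    # signInSessionsValidFromDateTime are no longer accepted.
    $passwordChanged = $user.LastPasswordChangeDateTime -gt $LastTokenRefreshUtc
    $sessionsRevoked = $user.SignInSessionsValidFromDateTime -gt $LastTokenRefreshUtc

    [pscustomobject]@{
        Account                  = $user.UserPrincipalName
        LastTokenRefreshUtc      = $LastTokenRefreshUtc
        LastPasswordChangeUtc    = $user.LastPasswordChangeDateTime
        SessionsValidFromUtc     = $user.SignInSessionsValidFromDateTime
        PasswordChangedSince     = $passwordChanged
        SessionsRevokedSince     = $sessionsRevoked
        RefreshLikelyNeeded      = ($passwordChanged -or $sessionsRevoked)
    }
}

Connect-MgGraph -Scopes 'User.Read.All'

# Placeholder account and date: use the admin account that generated the
# tokens and the refresh date shown in CodeTwo Admin Panel.
Test-TokenRefreshNeeded -AdminUpn 'admin@example.com' `
    -LastTokenRefreshUtc ([datetime]'2024-01-15T09:30:00')
```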
How to refresh the OAuth 2.0 tokens
You will receive an email notification after your tokens expire. This message will contain a link to a website that allows you to refresh your tokens (you need your tenant's Microsoft 365 global admin account to do this).
You can also refresh the tokens at any time directly in CodeTwo Admin Panel. To do this, sign in to CodeTwo Admin Panel, select your tenant on the Tenants page, and go to Tokens in the left menu (Fig. 12.). Next, click Refresh tokens.
This will open a Microsoft sign-in page in a new tab in your browser. Be sure to sign in by using the work account that belongs to a global admin of this tenant. Once done, the tokens will be refreshed automatically and the Token's status and Tokens' last refresh date fields (shown in Fig. 12.) will be updated accordingly.