Entra External Data Connections: Expanded Person Labels and What Admins Should Do Next

WHAT JUST CHANGED: Expanded Person Labels in External Data Connections
Microsoft has released new members to the label enumeration in Entra ID’s External Data Connections feature, effective June 2024. This update is now Generally Available (GA) for all tenants utilizing Microsoft Graph and Entra’s external data connection APIs.
The following person-centric labels are now available:
- personEmails
- personAddresses
- personAnniversaries
- personName
- personNote
- personPhones
- personCurrentPosition
- personWebAccounts
- personWebSite
- personSkills
- personProjects
- personAccount
- personAwards
- personCertifications
- personAssistants
- personColleagues
- personManager
- personAlternateContacts
- personEmergencyContacts
All tenants with custom integrations, business process applications, or third-party systems connecting via Microsoft Graph’s externalConnection endpoints are affected. The enhancement is visible in both API responses and the Entra admin center UI wherever external data connections are managed.
WHO’S AFFECTED
- Tenants with external data connections enabled.
- Organizations integrating HR, CRM, or custom apps via Microsoft Graph.
- Admins using person-centric enrichment or profile extensions within Entra ID.
- Developers consuming Microsoft Graph, especially
/external/connections. - Licensing: No additional premium requirements beyond standard Entra ID/Graph API access.
WHAT’S NEXT ON THE ROADMAP
Microsoft is accelerating the expansion of external data integration and enrichment in Entra ID:
- External Data Source Management: Expect granular controls for onboarding, updating, and retiring external connections directly from the Entra admin center.
- Automated Data Mapping: Preview features for automatic mapping of external person attributes to Entra user profiles, reducing manual schema management.
- Lifecycle Synchronization: Announced at Build 2024, future updates will support lifecycle event triggers (onboarding/offboarding) across external data sources.
- Graph API Expansion: Look for new endpoints and enhanced filtering for person-related labels, allowing selective sync and audit.
- Consent and Privacy Controls: Upcoming previews will give admins more control over which external attributes are imported and who can view them in the tenant.
WHY THIS DIRECTION IS BETTER
The expanded label enumeration offers several concrete advantages:
- Granularity: Instead of generic external profile blobs, admins can now specify exactly which person attributes to ingest, audit, or sync.
- Interoperability: Standardized labels improve mapping between Entra ID and external platforms (e.g., Workday, Salesforce, custom HR apps).
- Security: Fine-tuned labels allow for more granular Conditional Access and privacy policies. Competing IdPs often require workarounds or custom schema extensions.
- Automation: The new enumeration aligns with upcoming Microsoft Graph automation, making it easier to build flows for onboarding, offboarding, or attribute verification.
- User Experience: Enhanced person profile enrichment means more complete and accurate information in apps, Teams, and SharePoint integrations.
ADJACENT ENTRA ID CHANGES YOU SHOULD CARE ABOUT
- Microsoft Graph ExternalConnection Schema Updates: Recent releases now support querying and updating the new person labels via modern Graph endpoints.
- Entra Admin Center Navigation: The External Data Connections UI is now reorganized for better visibility of person attributes and data mapping.
- Conditional Access for External Data: You can now target Conditional Access policies based on enriched person attributes, such as manager, skills, or certifications.
- Graph PowerShell Module Evolution: The
Microsoft.Graph.ExternalConnectorsmodule is updated to support these new labels for both reporting and management.
WHAT TO DO: Step-by-Step Admin Actions
- Review all external data connections in your tenant for person enrichment requirements.
- Update your mapping schemas to leverage the new label options for more granular profiles.
- Audit which apps are consuming these person attributes and verify privacy/compliance boundaries.
- Test lifecycle processes (e.g., onboarding/offboarding) to ensure new attributes are correctly processed.
- Prepare for future automation by reviewing Graph API usage and updating PowerShell scripts.
CHECK IT YOURSELF: PowerShell Reporting
Use the modern Microsoft.Graph module (never AzureAD or MSOnline) to enumerate all external data connections and report label usage. This script audits which connections utilize the new person labels, with error handling and pagination. No changes are made — this is a dry-run report only.
# Requires Microsoft.Graph.ExternalConnectors module
Import-Module Microsoft.Graph.ExternalConnectors
# Authenticate (interactive)
Connect-MgGraph -Scopes 'ExternalConnectors.Read.All'
# Get all external connections (with pagination)
$connections = @()
$uri = 'https://graph.microsoft.com/v1.0/external/connections'
while ($uri) {
try {
$response = Invoke-MgGraphRequest -Uri $uri -Method GET
$connections += $response.value
$uri = $response.'@odata.nextLink'
} catch {
Write-Warning "Failed to enumerate external connections: $_"
break
}
}
# Check each connection for label usage
$personLabels = @("personEmails","personAddresses","personAnniversaries","personName","personNote","personPhones","personCurrentPosition","personWebAccounts","personWebSite","personSkills","personProjects","personAccount","personAwards","personCertifications","personAssistants","personColleagues","personManager","personAlternateContacts","personEmergencyContacts")
foreach ($conn in $connections) {
try {
$schemas = Invoke-MgGraphRequest -Uri ("https://graph.microsoft.com/v1.0/external/connections/$($conn.id)/schema") -Method GET
$usedLabels = $schemas.properties | Where-Object { $_.labels -ne $null } | ForEach-Object { $_.labels }
$matchedLabels = $usedLabels | Where-Object { $personLabels -contains $_ }
if ($matchedLabels) {
Write-Output "Connection: $($conn.name) [$($conn.id)] uses person labels: $($matchedLabels -join ', ')"
} else {
Write-Output "Connection: $($conn.name) [$($conn.id)] does not use new person labels."
}
} catch {
Write-Warning "Failed to check schema for connection $($conn.id): $_"
}
}
PORTAL PATH: Where to Find This in Entra Admin Center
- Go to Entra admin center.
- Navigate to External Identities > Data Connections.
- Select a data connection and choose Schema or Attributes tab.
- Review available labels — the new person members are selectable for mapping and enrichment.
BOTTOM LINE: Prioritised Recommendation
- High Priority: Audit all external data connections for person attribute mapping and update schemas to leverage new labels for granular enrichment.
- Medium Priority: Review privacy, compliance, and Conditional Access policies for exposure of new person attributes.
- Low Priority: Prepare scripts and automation for future lifecycle and attribute management as the Graph roadmap evolves.
Action: Run the PowerShell audit now, verify in portal, update mappings, and monitor roadmap for further enhancements.