diff --git a/.github/workflows/verify-prs-and-commits.yml b/.github/workflows/verify-prs-and-commits.yml
new file mode 100644
index 00000000..7eeec5cd
--- /dev/null
+++ b/.github/workflows/verify-prs-and-commits.yml
@@ -0,0 +1,17 @@
+name: Verify PRs and commits
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "master", "dev" ]
+  pull_request:
+    branches: [ "master", "dev" ]
+
+jobs:
+  call-build:
+    uses: Yvand/AzureCP/.github/workflows/reusable-build.yml@master
+    with:
+      project-name: ${{ vars.PROJECT_NAME }}
+      version-major-minor: ${{ vars.VERSION_MAJOR_MINOR }}
+    secrets:
+      base64-encoded-signingkey: ${{ secrets.BASE64_ENCODED_SIGNINGKEY }}
diff --git a/AzureCP.Tests/AzureCP.Tests.csproj b/AzureCP.Tests/AzureCP.Tests.csproj
index 06f19a4b..5b5f61c5 100644
--- a/AzureCP.Tests/AzureCP.Tests.csproj
+++ b/AzureCP.Tests/AzureCP.Tests.csproj
@@ -74,13 +74,13 @@
       <Version>1.0.12</Version>
     </PackageReference>
     <PackageReference Include="Newtonsoft.Json">
-      <Version>13.0.1</Version>
+      <Version>13.0.2</Version>
     </PackageReference>
     <PackageReference Include="NUnit">
       <Version>3.13.3</Version>
     </PackageReference>
     <PackageReference Include="NUnit3TestAdapter">
-      <Version>4.2.1</Version>
+      <Version>4.4.2</Version>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
diff --git a/AzureCP.Tests/EntityTestsBase.cs b/AzureCP.Tests/EntityTestsBase.cs
index 61bb0aff..7ef4c070 100644
--- a/AzureCP.Tests/EntityTestsBase.cs
+++ b/AzureCP.Tests/EntityTestsBase.cs
@@ -114,9 +114,9 @@ public void DEBUG_SearchEntitiesFromCollection(string inputValue, string expecte
             UnitTestsHelper.TestSearchOperation(inputValue, Convert.ToInt32(expectedCount), expectedClaimValue);
         }
 
-        [TestCase(@"AADGroup1", 1, "5b0f6c56-c87f-44c3-9354-56cba03da433")]
+        [TestCase(@"AADGroup1", 1, "30ef0958-c003-4667-a0ad-ef9783acaf25")]
         [TestCase(@"xyzguest", 0, "xyzGUEST@contoso.com")]
-        [TestCase(@"AzureGr}", 1, "141cfd15-3941-4cbc-859f-d7125938fb72")]
+        [TestCase(@"AzureGr}", 1, "ef7d18e6-5c4d-451a-9663-a976be81c91e")]
         public void DEBUG_SearchEntities(string inputValue, int expectedResultCount, string expectedEntityClaimValue)
         {
             if (!TestSearch) { return; }
diff --git a/AzureCP.Tests/UnitTestsHelper.cs b/AzureCP.Tests/UnitTestsHelper.cs
index e24c44f7..47835179 100644
--- a/AzureCP.Tests/UnitTestsHelper.cs
+++ b/AzureCP.Tests/UnitTestsHelper.cs
@@ -27,7 +27,7 @@ public class UnitTestsHelper
     public const int MaxTime = 50000;
     public static readonly string FarmAdmin = TestContext.Parameters["FarmAdmin"];
 #if DEBUG
-    public const int TestRepeatCount = 5;
+    public const int TestRepeatCount = 1;
 #else
     public const int TestRepeatCount = 20;
 #endif
@@ -68,7 +68,7 @@ public static void InitializeSiteCollection()
 
 #if DEBUG
         TestSiteCollUri = new Uri("http://spsites/sites/" + TestContext.Parameters["TestSiteCollectionName"]);
-        return; // Uncommented when debugging AzureCP code from unit tests
+        //return; // Uncommented when debugging AzureCP code from unit tests
 #endif
 
 
diff --git a/AzureCP.Tests/local.runsettings b/AzureCP.Tests/local.runsettings
index 8fee1fc3..18b5d31c 100644
--- a/AzureCP.Tests/local.runsettings
+++ b/AzureCP.Tests/local.runsettings
@@ -4,15 +4,15 @@
     <TargetPlatform>x64</TargetPlatform>
   </RunConfiguration>
   <TestRunParameters>
-    <Parameter name="AzureTenantsJsonFile" value="C:\Data\Dev\AzureCP_Tenants.json" />
-    <Parameter name="DataFile_AllAccounts_Search" value="C:\Data\Dev\AzureCP_Tests_AllAccounts_Search.csv" />
-    <Parameter name="DataFile_AllAccounts_Validate" value="C:\Data\Dev\AzureCP_Tests_AllAccounts_Validate.csv" />
-    <Parameter name="DataFile_GuestAccountsUPN_Search" value="C:\Data\Dev\AzureCP_Tests_GuestAccountsUPN_Search.csv" />
-    <Parameter name="DataFile_GuestAccountsUPN_Validate" value="C:\Data\Dev\AzureCP_Tests_GuestAccountsUPN_Validate.csv" />
+    <Parameter name="AzureTenantsJsonFile" value="C:\YvanData\Dev\AzureCP_Tenants.json" />
+    <Parameter name="DataFile_AllAccounts_Search" value="C:\YvanData\Dev\AzureCP_Tests_AllAccounts_Search.csv" />
+    <Parameter name="DataFile_AllAccounts_Validate" value="C:\YvanData\Dev\AzureCP_Tests_AllAccounts_Validate.csv" />
+    <Parameter name="DataFile_GuestAccountsUPN_Search" value="C:\YvanData\Dev\AzureCP_Tests_GuestAccountsUPN_Search.csv" />
+    <Parameter name="DataFile_GuestAccountsUPN_Validate" value="C:\YvanData\Dev\AzureCP_Tests_GuestAccountsUPN_Validate.csv" />
     <Parameter name="FarmAdmin" value="i:0#.w|contoso\yvand" />
     <Parameter name="TestSiteCollectionName" value="AzureCP.UnitTests" />
     <Parameter name="TrustedGroupToAdd_ClaimType" value="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" />
-    <Parameter name="TrustedGroupToAdd_ClaimValue" value="99abdc91-e6e0-475c-a0ba-5014f91de853" />
+    <Parameter name="TrustedGroupToAdd_ClaimValue" value="30ef0958-c003-4667-a0ad-ef9783acaf25" />
     <Parameter name="ClaimsProviderConfigName" value="AzureCPConfig" />
     <Parameter name="TestLogFileName" value="AzureCPIntegrationTests.log" />
   </TestRunParameters>
diff --git a/AzureCP.sln b/AzureCP.sln
index c7496b71..ca725e22 100644
--- a/AzureCP.sln
+++ b/AzureCP.sln
@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 15
-VisualStudioVersion = 15.0.27130.2020
+# Visual Studio Version 17
+VisualStudioVersion = 17.4.33110.190
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AzureCP", "AzureCP\AzureCP.csproj", "{EEC47949-34B5-4805-A04D-A372BE75D3CB}"
 EndProject
diff --git a/AzureCP/AzureCP.cs b/AzureCP/AzureCP.cs
index 161f66d8..23fa9ab2 100644
--- a/AzureCP/AzureCP.cs
+++ b/AzureCP/AzureCP.cs
@@ -7,6 +7,7 @@
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
+using System.Net.Http;
 using System.Reflection;
 using System.Text;
 using System.Threading;
@@ -401,9 +402,61 @@ public static SPTrustedLoginProvider GetSPTrustAssociatedWithCP(string providerI
         /// <returns>Null if property doesn't exist, String.Empty if property exists but has no value, actual value otherwise</returns>
         public static string GetPropertyValue(object directoryObject, string propertyName)
         {
-            if (directoryObject == null) { return null; }
+            if (directoryObject == null)
+            {
+                return null;
+            }
+
+            if (propertyName.StartsWith("extensionAttribute"))
+            {
+                try
+                {
+                    var returnString = string.Empty;
+                    if (directoryObject is User)
+                    {
+                        var userobject = (Microsoft.Graph.User)directoryObject;
+                        if (userobject.AdditionalData != null)
+                        {
+                            var obj = userobject.AdditionalData.FirstOrDefault(s => s.Key.EndsWith(propertyName));
+                            if (obj.Value != null)
+                            {
+                                returnString = obj.Value.ToString();
+                            }
+                            else
+                            {
+                                return null;
+                            }
+                        }
+                    }
+                    else if (directoryObject is Group)
+                    {
+                        var groupobject = (Microsoft.Graph.Group)directoryObject;
+                        if (groupobject.AdditionalData != null)
+                        {
+                            var obj = groupobject.AdditionalData.FirstOrDefault(s => s.Key.EndsWith(propertyName));
+                            if (obj.Value != null)
+                            {
+                                returnString = obj.Value.ToString();
+                            }
+                            else
+                            {
+                                return null;
+                            }
+                        }
+                    }
+                    return returnString == null ? propertyName : returnString;
+                }
+                catch
+                {
+                    return null;
+                }
+            }
+
             PropertyInfo pi = directoryObject.GetType().GetProperty(propertyName);
-            if (pi == null) { return null; }   // Property doesn't exist
+            if (pi == null)
+            {
+                return null;
+            }   // Property doesn't exist
             object propertyValue = pi.GetValue(directoryObject, null);
             return propertyValue == null ? String.Empty : propertyValue.ToString();
         }
@@ -436,20 +489,27 @@ protected virtual PickerEntity CreatePickerEntityHelper(AzureCPResult result)
                 isMappedClaimTypeConfig = true;
             }
 
+            entity.EntityType = result.ClaimTypeConfig.SharePointEntityType;
             if (result.ClaimTypeConfig.UseMainClaimTypeOfDirectoryObject)
             {
                 string claimValueType;
                 if (result.ClaimTypeConfig.EntityType == DirectoryObjectType.User)
                 {
                     permissionClaimType = IdentityClaimTypeConfig.ClaimType;
-                    entity.EntityType = SPClaimEntityTypes.User;
                     claimValueType = IdentityClaimTypeConfig.ClaimValueType;
+                    if (String.IsNullOrEmpty(entity.EntityType))
+                    {
+                        entity.EntityType = SPClaimEntityTypes.User;
+                    }
                 }
                 else
                 {
                     permissionClaimType = MainGroupClaimTypeConfig.ClaimType;
-                    entity.EntityType = ClaimsProviderConstants.GroupClaimEntityType;
                     claimValueType = MainGroupClaimTypeConfig.ClaimValueType;
+                    if (String.IsNullOrEmpty(entity.EntityType))
+                    {
+                        entity.EntityType = ClaimsProviderConstants.GroupClaimEntityType;
+                    }
                 }
                 permissionValue = FormatPermissionValue(permissionClaimType, permissionValue, isMappedClaimTypeConfig, result);
                 claim = CreateClaim(
@@ -464,7 +524,10 @@ protected virtual PickerEntity CreatePickerEntityHelper(AzureCPResult result)
                     permissionClaimType,
                     permissionValue,
                     result.ClaimTypeConfig.ClaimValueType);
-                entity.EntityType = result.ClaimTypeConfig.EntityType == DirectoryObjectType.User ? SPClaimEntityTypes.User : ClaimsProviderConstants.GroupClaimEntityType;
+                if (String.IsNullOrEmpty(entity.EntityType))
+                {
+                    entity.EntityType = result.ClaimTypeConfig.EntityType == DirectoryObjectType.User ? SPClaimEntityTypes.User : ClaimsProviderConstants.GroupClaimEntityType;
+                }
             }
 
             entity.Claim = claim;
@@ -476,16 +539,21 @@ protected virtual PickerEntity CreatePickerEntityHelper(AzureCPResult result)
                 result.QueryMatchValue);
 
             int nbMetadata = 0;
-            // Populate metadata of new PickerEntity
-            foreach (ClaimTypeConfig ctConfig in MetadataConfig.Where(x => x.EntityType == result.ClaimTypeConfig.EntityType))
+            // If current result is a SharePoint group but was found on an AAD User object, then 1 to many User objects could match so no metadata from the current match should be set
+            if (!String.Equals(result.ClaimTypeConfig.SharePointEntityType, ClaimsProviderConstants.GroupClaimEntityType, StringComparison.InvariantCultureIgnoreCase) ||
+                result.ClaimTypeConfig.EntityType != DirectoryObjectType.User )
             {
-                // if there is actally a value in the GraphObject, then it can be set
-                string entityAttribValue = GetPropertyValue(result.UserOrGroupResult, ctConfig.DirectoryObjectProperty.ToString());
-                if (!String.IsNullOrEmpty(entityAttribValue))
+                // Populate metadata of new PickerEntity
+                foreach (ClaimTypeConfig ctConfig in MetadataConfig.Where(x => x.EntityType == result.ClaimTypeConfig.EntityType))
                 {
-                    entity.EntityData[ctConfig.EntityDataKey] = entityAttribValue;
-                    nbMetadata++;
-                    ClaimsProviderLogging.Log($"[{ProviderInternalName}] Set metadata '{ctConfig.EntityDataKey}' of new entity to '{entityAttribValue}'", TraceSeverity.VerboseEx, EventSeverity.Information, TraceCategory.Claims_Picking);
+                    // if there is actally a value in the GraphObject, then it can be set
+                    string entityAttribValue = GetPropertyValue(result.UserOrGroupResult, ctConfig.DirectoryObjectProperty.ToString());
+                    if (!String.IsNullOrEmpty(entityAttribValue))
+                    {
+                        entity.EntityData[ctConfig.EntityDataKey] = entityAttribValue;
+                        nbMetadata++;
+                        ClaimsProviderLogging.Log($"[{ProviderInternalName}] Set metadata '{ctConfig.EntityDataKey}' of new entity to '{entityAttribValue}'", TraceSeverity.VerboseEx, EventSeverity.Information, TraceCategory.Claims_Picking);
+                    }
                 }
             }
             entity.DisplayText = FormatPermissionDisplayText(entity, isMappedClaimTypeConfig, result);
@@ -571,7 +639,11 @@ protected virtual List<PickerEntity> CreatePickerEntityForSpecificClaimTypes(str
                 PickerEntity entity = CreatePickerEntity();
                 entity.Claim = claim;
                 entity.IsResolved = true;
-                entity.EntityType = ctConfig.EntityType == DirectoryObjectType.User ? SPClaimEntityTypes.User : ClaimsProviderConstants.GroupClaimEntityType;
+                entity.EntityType = ctConfig.SharePointEntityType;
+                if (String.IsNullOrEmpty(entity.EntityType))
+                {
+                    entity.EntityType = ctConfig.EntityType == DirectoryObjectType.User ? SPClaimEntityTypes.User : ClaimsProviderConstants.GroupClaimEntityType;
+                }
                 //entity.EntityGroupName = "";
                 entity.Description = String.Format(PickerEntityOnMouseOver, ctConfig.DirectoryObjectProperty.ToString(), input);
 
@@ -1187,6 +1259,12 @@ protected virtual void BuildFilter(OperationContext currentContext, List<AzureTe
             foreach (ClaimTypeConfig ctConfig in currentContext.CurrentClaimTypeConfigList)
             {
                 string currentPropertyString = ctConfig.DirectoryObjectProperty.ToString();
+
+                if (currentPropertyString.StartsWith("extensionAttribute"))
+                {
+                    currentPropertyString = String.Format("{0}_{1}_{2}", "extension", "EXTENSIONATTRIBUTESAPPLICATIONID", currentPropertyString);
+                }
+
                 string currentFilter;
                 if (!ctConfig.SupportsWildcard)
                 {
@@ -1290,9 +1368,14 @@ protected virtual void BuildFilter(OperationContext currentContext, List<AzureTe
 
             foreach (AzureTenant tenant in azureTenants)
             {
+                string encodedUserFilterForTenant = encodedUserFilter.Replace("EXTENSIONATTRIBUTESAPPLICATIONID", tenant.ExtensionAttributesApplicationId.ToString("N"));
+                string encodedUserSelectForTenant = encodedUserSelect.Replace("EXTENSIONATTRIBUTESAPPLICATIONID", tenant.ExtensionAttributesApplicationId.ToString("N"));
+                string encodedGroupFilterForTenant = encodedGroupFilter.Replace("EXTENSIONATTRIBUTESAPPLICATIONID", tenant.ExtensionAttributesApplicationId.ToString("N"));
+                string encodedGroupSelectForTenant = encodedgroupSelect.Replace("EXTENSIONATTRIBUTESAPPLICATIONID", tenant.ExtensionAttributesApplicationId.ToString("N"));
+
                 if (firstUserObjectProcessed)
                 {
-                    tenant.UserFilter = encodedUserFilter;
+                    tenant.UserFilter = encodedUserFilterForTenant;
                     //if (tenant.MemberUserTypeOnly)
                     //    tenant.UserFilter += encodedMemberOnlyUserTypeFilter;
                     //else if (tenant.ExcludeGuestUsers)
@@ -1306,15 +1389,15 @@ protected virtual void BuildFilter(OperationContext currentContext, List<AzureTe
 
                 if (firstGroupObjectProcessed)
                 {
-                    tenant.GroupFilter = encodedGroupFilter;
+                    tenant.GroupFilter = encodedGroupFilterForTenant;
                 }
                 else
                 {
                     tenant.GroupFilter = String.Empty;
                 }
 
-                tenant.UserSelect = encodedUserSelect;
-                tenant.GroupSelect = encodedgroupSelect;
+                tenant.UserSelect = encodedUserSelectForTenant;
+                tenant.GroupSelect = encodedGroupSelectForTenant;
             }
         }
 
@@ -1386,18 +1469,37 @@ protected virtual async Task<AzureADResult> QueryAzureADTenantAsync(OperationCon
                         // Initialize requests and variables that will receive the result
                         IGraphServiceUsersCollectionPage usersFound = null;
                         IGraphServiceGroupsCollectionPage groupsFound = null;
-                        IGraphServiceUsersCollectionRequest userRequest = tenant.GraphService.Users.Request().Select(tenant.UserSelect).Filter(tenant.UserFilter).Top(currentContext.MaxCount);
+
+                        // Allow Advanced query as documented in https://learn.microsoft.com/en-us/graph/aad-advanced-queries?tabs=http :
+                        // Add ConsistencyLevel header to eventual and $count=true to fix $filter on CompanyName - https://github.com/Yvand/AzureCP/issues/166
+                        // Only work for non-batched requests
+                        List<Option> nonBatchedUserQueryOptions = new List<Option>
+                        {
+                            new QueryOption("$count", "true"),
+                            new HeaderOption("ConsistencyLevel", "eventual")
+                        };
+                        IGraphServiceUsersCollectionRequest userRequest = tenant.GraphService.Users.Request(nonBatchedUserQueryOptions).Select(tenant.UserSelect).Filter(tenant.UserFilter).Top(currentContext.MaxCount);
                         IGraphServiceGroupsCollectionRequest groupRequest = tenant.GraphService.Groups.Request().Select(tenant.GroupSelect).Filter(tenant.GroupFilter).Top(currentContext.MaxCount);
 
                         // Do a batch query only if necessary
                         if (!String.IsNullOrWhiteSpace(tenant.UserFilter) && !String.IsNullOrWhiteSpace(tenant.GroupFilter))
                         {
+                            // Fix https://github.com/Yvand/AzureCP/issues/175: Create the BatchRequestStep manually to be able to set the HTTP header ConsistencyLevel: eventual
+                            // Implememted as shown in https://learn.microsoft.com/en-us/graph/sdks/batch-requests?tabs=csharp#implementing-batching-using-batchrequestcontent-batchrequeststep-and-httprequestmessage
+                            // How header "ConsistencyLevel" must be set in batching: https://learn.microsoft.com/en-us/graph/json-batching#first-json-batch-request
+                            var httpUserRequestMessage = new HttpRequestMessage(HttpMethod.Get, $"https://graph.microsoft.com/v1.0/users/?$count=true&$select={tenant.UserSelect}&$filter={tenant.UserFilter}");
+                            httpUserRequestMessage.Content = new StringContent(String.Empty, Encoding.UTF8, "application/json");    // Create a fake content to be able to set the header below
+                            httpUserRequestMessage.Content.Headers.Add("ConsistencyLevel", "eventual");
+                            string userRequestId = Guid.NewGuid().ToString();
+                            BatchRequestStep requestStep = new BatchRequestStep(userRequestId, httpUserRequestMessage);
+
                             // https://docs.microsoft.com/en-us/graph/sdks/batch-requests?tabs=csharp
                             BatchRequestContent batchRequestContent = new BatchRequestContent();
-                            var userRequestId = batchRequestContent.AddBatchRequestStep(userRequest);
+                            //var userRequestId = batchRequestContent.AddBatchRequestStep(userRequest); // Use httpUserRequestMessage instead
+                            batchRequestContent.AddBatchRequestStep(requestStep);
                             var groupRequestId = batchRequestContent.AddBatchRequestStep(groupRequest);
                             var batchResponse = await tenant.GraphService.Batch.Request().PostAsync(batchRequestContent).ConfigureAwait(false);
-
+                            
                             // De - serialize batch response based on known return type
                             GraphServiceUsersCollectionResponse usersBatchResponse = await batchResponse.GetResponseByIdAsync<GraphServiceUsersCollectionResponse>(userRequestId).ConfigureAwait(false);
                             usersFound = usersBatchResponse.Value;
diff --git a/AzureCP/AzureCP.csproj b/AzureCP/AzureCP.csproj
index fbf33347..2469f139 100644
--- a/AzureCP/AzureCP.csproj
+++ b/AzureCP/AzureCP.csproj
@@ -65,16 +65,20 @@
     <Compile Include="AzureCP.cs" />
     <Compile Include="AzureCPConfig.cs" />
     <Compile Include="AzureCPLogging.cs" />
-    <Compile Include="AzureCPUserControl.cs" />
+    <Compile Include="AzureCPUserControl.cs">
+      <SubType>ASPXCodeBehind</SubType>
+    </Compile>
     <Compile Include="ClaimTypeConfig.cs" />
     <Compile Include="TEMPLATE\ADMIN\AzureCP\ClaimTypesConfig.ascx.cs">
       <DependentUpon>ClaimTypesConfig.ascx</DependentUpon>
+      <SubType>ASPXCodeBehind</SubType>
     </Compile>
     <Compile Include="TEMPLATE\ADMIN\AzureCP\ClaimTypesConfig.ascx.designer.cs">
       <DependentUpon>ClaimTypesConfig.ascx.cs</DependentUpon>
     </Compile>
     <Compile Include="TEMPLATE\ADMIN\AzureCP\AzureCPGlobalSettings.ascx.cs">
       <DependentUpon>AzureCPGlobalSettings.ascx</DependentUpon>
+      <SubType>ASPXCodeBehind</SubType>
     </Compile>
     <Compile Include="TEMPLATE\ADMIN\AzureCP\AzureCPGlobalSettings.ascx.designer.cs">
       <DependentUpon>AzureCPGlobalSettings.ascx.cs</DependentUpon>
@@ -89,6 +93,7 @@
       <SharePointProjectItemId>{c15a0bf3-126a-42e6-af6b-5880f2e9af42}</SharePointProjectItemId>
     </None>
     <None Include="AzureCP.snk" />
+    <None Include="AzureCPKrueger.snk" />
     <None Include="Features\AzureCP\AzureCP.feature">
       <FeatureId>{70b104e2-19df-4cb1-9802-c98eaf14d84e}</FeatureId>
     </None>
diff --git a/AzureCP/AzureCPConfig.cs b/AzureCP/AzureCPConfig.cs
index 748c6a0a..01dd3e2d 100644
--- a/AzureCP/AzureCPConfig.cs
+++ b/AzureCP/AzureCPConfig.cs
@@ -4,10 +4,12 @@
 using Microsoft.SharePoint.Administration;
 using Microsoft.SharePoint.Administration.Claims;
 using Microsoft.SharePoint.WebControls;
+using Microsoft.Web.Hosting.Administration;
 using System;
 using System.Collections.Generic;
 using System.Collections.ObjectModel;
 using System.Diagnostics;
+using System.IO;
 using System.Linq;
 using System.Reflection;
 using System.Security.Cryptography;
@@ -743,6 +745,18 @@ public bool ExcludeGuests
         [Persisted]
         private bool ExcludeGuestUsers = false;
 
+        /// <summary>
+        /// Client ID of AD Connect used in extension attribues
+        /// </summary>
+        [Persisted]
+        private Guid ExtensionAttributesApplicationIdPersisted;
+
+        public Guid ExtensionAttributesApplicationId
+        {
+            get => ExtensionAttributesApplicationIdPersisted;
+            set => ExtensionAttributesApplicationIdPersisted = value;
+        }
+
         public X509Certificate2 ClientCertificatePrivateKey
         {
             get
@@ -752,17 +766,17 @@ public X509Certificate2 ClientCertificatePrivateKey
             set
             {
                 if (value == null) { return; }
+                m_ClientCertificatePrivateKey = value;
                 try
                 {
-                    // To get the raw data with the private key, it is required to call method Export() instead of just reading the property RawData
-                    // If the certificate submitted does not have its private key exportable, Export() will throw a CryptographicException "Key not valid for use in specified state."
-                    m_ClientCertificatePrivateKeyRawData = value.Export(X509ContentType.Pkcs12, ClaimsProviderConstants.ClientCertificatePrivateKeyPassword);
-                    m_ClientCertificatePrivateKey = value;
+                    // https://stackoverflow.com/questions/32354790/how-to-check-is-x509certificate2-exportable-or-not
+                    m_ClientCertificatePrivateKeyRawData = value.Export(X509ContentType.Pfx, ClaimsProviderConstants.ClientCertificatePrivateKeyPassword);
                 }
                 catch (CryptographicException ex)
                 {
-                    ClaimsProviderLogging.LogException(AzureCP._ProviderInternalName, $"while setting the certificate for tenant '{this.Name}'. Is the private key of the certificate exportable?", TraceCategory.Core, ex);
-                    throw;  // The caller should be informed that the certificate could not be set
+                    // X509Certificate2.Export() is expected to fail if the private key is not exportable, which depends on the X509KeyStorageFlags used when creating the X509Certificate2 object
+                    //ClaimsProviderLogging.LogException(AzureCP._ProviderInternalName, $"while setting the certificate for tenant '{this.Name}'. Is the private key of the certificate exportable?", TraceCategory.Core, ex);
+                    //throw;  // The caller should be informed that the certificate could not be set
                 }
             }
         }
@@ -781,7 +795,7 @@ public string AuthenticationMode
         public AzureCloudInstance CloudInstance
         {
             get => (AzureCloudInstance)Enum.Parse(typeof(AzureCloudInstance), m_CloudInstance);
-            set => m_CloudInstance =  value.ToString();
+            set => m_CloudInstance = value.ToString();
         }
         [Persisted]
         private string m_CloudInstance = AzureCloudInstance.AzurePublic.ToString();
@@ -808,8 +822,8 @@ protected override void OnDeserialization()
             {
                 try
                 {
-                    // Flag UserKeySet avoid access denied error. Flag Exportable allows to export the certificate with its private key
-                    m_ClientCertificatePrivateKey = new X509Certificate2(m_ClientCertificatePrivateKeyRawData, ClaimsProviderConstants.ClientCertificatePrivateKeyPassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet);
+                    // EphemeralKeySet: Keep the private key in-memory, it won't be written to disk - https://www.pkisolutions.com/handling-x509keystorageflags-in-applications/
+                    m_ClientCertificatePrivateKey = ImportPfxCertificateBlob(m_ClientCertificatePrivateKeyRawData, ClaimsProviderConstants.ClientCertificatePrivateKeyPassword, X509KeyStorageFlags.EphemeralKeySet);
                 }
                 catch (CryptographicException ex)
                 {
@@ -907,6 +921,31 @@ public void SetCredentials(string applicationId, X509Certificate2 certificate)
             this.ApplicationSecret = String.Empty;
             this.ClientCertificatePrivateKey = certificate;
         }
+
+        /// <summary>
+        /// Import the input blob certificate into a pfx X509Certificate2 object
+        /// </summary>
+        /// <param name="blob"></param>
+        /// <param name="certificatePassword"></param>
+        /// <param name="keyStorageFlags"></param>
+        /// <returns></returns>
+        public static X509Certificate2 ImportPfxCertificateBlob(byte[] blob, string certificatePassword, X509KeyStorageFlags keyStorageFlags)
+        {
+            if (X509Certificate2.GetCertContentType(blob) != X509ContentType.Pfx)
+            {
+                return null;
+            }
+
+            if (String.IsNullOrWhiteSpace(certificatePassword))
+            {
+                // If passwordless, import private key as documented in https://support.microsoft.com/en-us/topic/kb5025823-change-in-how-net-applications-import-x-509-certificates-bf81c936-af2b-446e-9f7a-016f4713b46b
+                return new X509Certificate2(blob, (string)null, keyStorageFlags);
+            }
+            else
+            {
+                return new X509Certificate2(blob, certificatePassword, keyStorageFlags);
+            }
+        }
     }
 
     /// <summary>
@@ -1180,7 +1219,22 @@ public enum AzureADObjectProperty
         AboutMe,
         MySite,
         PreferredName,
-        ODataType
+        ODataType,
+        extensionAttribute1,
+        extensionAttribute2,
+        extensionAttribute3,
+        extensionAttribute4,
+        extensionAttribute5,
+        extensionAttribute6,
+        extensionAttribute7,
+        extensionAttribute8,
+        extensionAttribute9,
+        extensionAttribute10,
+        extensionAttribute11,
+        extensionAttribute12,
+        extensionAttribute13,
+        extensionAttribute14,
+        extensionAttribute15
     }
 
     public enum DirectoryObjectType
diff --git a/AzureCP/ClaimTypeConfig.cs b/AzureCP/ClaimTypeConfig.cs
index a0e72f6d..345c9828 100644
--- a/AzureCP/ClaimTypeConfig.cs
+++ b/AzureCP/ClaimTypeConfig.cs
@@ -70,6 +70,23 @@ public DirectoryObjectType EntityType
         [Persisted]
         private int _DirectoryObjectType;
 
+        /// <summary>
+        /// Set if this will create a User or a Group permission. Values allowed are "User" or "FormsRole"
+        /// </summary>
+        public string SharePointEntityType
+        {
+            get { return _SharePointEntityType; }
+            set
+            {
+                if (String.Equals(value, "User", StringComparison.CurrentCultureIgnoreCase) || String.Equals(value, ClaimsProviderConstants.GroupClaimEntityType, StringComparison.CurrentCultureIgnoreCase))
+                {
+                    _SharePointEntityType = value;
+                }
+            }
+        }
+        [Persisted]
+        private string _SharePointEntityType;
+
         public string ClaimType
         {
             get { return _ClaimType; }
@@ -206,9 +223,14 @@ public ClaimTypeConfig CopyConfiguration()
         /// <param name="configToApply"></param>
         internal void ApplyConfiguration(ClaimTypeConfig configToApply)
         {
-            // Copy non-inherited private fields
-            FieldInfo[] fieldsToCopy = this.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.DeclaredOnly);
-            foreach (FieldInfo field in fieldsToCopy)
+            // Copy non-inherited private fields of type ClaimTypeConfig, and also IdentityClaimTypeConfig if current object is of this type
+            List<FieldInfo> fieldsToCopyList = new List<FieldInfo>();
+            fieldsToCopyList.AddRange(typeof(ClaimTypeConfig).GetFields(BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.DeclaredOnly));
+            if (this is IdentityClaimTypeConfig == true)
+            {
+                fieldsToCopyList.AddRange(this.GetType().GetFields(BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.DeclaredOnly));
+            }
+            foreach (FieldInfo field in fieldsToCopyList)
             {
                 field.SetValue(this, field.GetValue(configToApply));
             }
diff --git a/AzureCP/Properties/AssemblyInfo.cs b/AzureCP/Properties/AssemblyInfo.cs
index b449a4a7..ed37581c 100644
--- a/AzureCP/Properties/AssemblyInfo.cs
+++ b/AzureCP/Properties/AssemblyInfo.cs
@@ -33,5 +33,7 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
+#pragma warning disable CS7035 // The specified version string does not conform to the recommended format - major.minor.build.revision 
 [assembly: AssemblyVersion("1.0.0.0")]
 [assembly: AssemblyFileVersion("1.0.0.0")]
+#pragma warning restore CS7035
diff --git a/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx b/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx
index f389e301..e987d9b4 100644
--- a/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx
+++ b/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx
@@ -137,6 +137,7 @@
 					<asp:BoundField HeaderText="Tenant name" DataField="TenantName"/>
 					<asp:BoundField HeaderText="Application ID" DataField="ClientID"/>
                     <asp:BoundField HeaderText="Cloud instance" DataField="CloudInstance" />
+                    <asp:BoundField HeaderText="AD Connect Client ID" DataField="ExtensionAttributesApplicationId" />
 					<asp:CommandField HeaderText="Action" ButtonType="Button" DeleteText="Remove" ShowDeleteButton="True" />
 				</Columns>
 			</wssawc:SPGridView>
@@ -183,11 +184,15 @@
 						<wssawc:InputFormTextBox title="Certificate password" class="ms-input" ID="InputClientCertPassword" Columns="50" Runat="server" MaxLength="255" TextMode="Password" />
 					</li>
 					<li>
-						<label for="<%=ChkMemberUserTypeOnly.ClientID %>">Filter out <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties" target="_blank">Guest users</a> on this tenant:</label>
+						<label for="<%= ChkMemberUserTypeOnly.ClientID %>">Filter out <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties" target="_blank">Guest users</a> on this tenant:</label>
 						<table border="0" cellpadding="0" cellspacing="0" style="display: inline;">
 						<wssawc:InputFormCheckBox class="ms-input" ID="ChkMemberUserTypeOnly" ToolTip="Filter out Guest users" runat="server" />
 						</table>
 					</li>
+                    <li>
+                        <label for="<%= TxtExtensionAttributesApplicationId.ClientID %>">AD Connect Client ID for extension attributes</label>
+			            <wssawc:InputFormTextBox title="AD Connect Client ID" class="ms-input" ID="TxtExtensionAttributesApplicationId" Columns="50" Runat="server" MaxLength="36" />
+                    </li>
 				</ul>
 				<div class="divbuttons">
 					<asp:Button runat="server" ID="BtnTestAzureTenantConnection" Text="Test connection to tenant" ToolTip="Make sure this server has access to Internet before you click" onclick="BtnTestAzureTenantConnection_Click" class="ms-ButtonHeightWidth" />
diff --git a/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.cs b/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.cs
index 62b71231..a7026f6e 100644
--- a/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.cs
+++ b/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.cs
@@ -25,6 +25,7 @@ public partial class AzureCPGlobalSettings : AzureCPUserControl
         readonly string TextErrorTestAzureADConnection = "Unable to get access token for tenant '{0}': {1}";
         readonly string TextConnectionSuccessful = "Connection successful.";
         readonly string TextErrorNewTenantCreds = "Specify either a client secret or a client certificate, but not both.";
+        readonly string TextErrorExtensionAttributesApplicationId = "Please specify a valid Client ID for AD Connect.";
 
         protected void Page_Load(object sender, EventArgs e)
         {
@@ -59,7 +60,7 @@ void PopulateConnectionsGrid()
                 PropertyCollectionBinder pcb = new PropertyCollectionBinder();
                 foreach (AzureTenant tenant in PersistedObject.AzureTenants)
                 {
-                    pcb.AddRow(tenant.Identifier, tenant.Name, tenant.ApplicationId, tenant.CloudInstance.ToString());
+                    pcb.AddRow(tenant.Identifier, tenant.Name, tenant.ApplicationId, tenant.CloudInstance.ToString(), tenant.ExtensionAttributesApplicationId);
                 }
                 pcb.BindGrid(grdAzureTenants);
             }
@@ -260,6 +261,20 @@ void AddTenantConnection()
                 return;
             }
 
+            if (!string.IsNullOrWhiteSpace(this.TxtExtensionAttributesApplicationId.Text))
+            {
+                try
+                {
+                    Guid extensionAttributesApplicationId = Guid.Parse(this.TxtExtensionAttributesApplicationId.Text);
+                }
+                catch (Exception)
+                {
+
+                    this.LabelErrorTestLdapConnection.Text = TextErrorExtensionAttributesApplicationId;
+                }
+
+            }
+
             if ((InputClientCertFile.PostedFile == null && String.IsNullOrWhiteSpace(this.TxtClientSecret.Text)) ||
                 (InputClientCertFile.PostedFile != null && InputClientCertFile.PostedFile.ContentLength == 0 && String.IsNullOrWhiteSpace(TxtClientSecret.Text)) ||
                 (InputClientCertFile.PostedFile != null && InputClientCertFile.PostedFile.ContentLength != 0 && !String.IsNullOrWhiteSpace(TxtClientSecret.Text)))
@@ -272,7 +287,9 @@ void AddTenantConnection()
             if (String.IsNullOrWhiteSpace(this.TxtClientSecret.Text))
             {
                 if (ValidateUploadedCertFile(InputClientCertFile, this.InputClientCertPassword.Text, out cert) == false)
-                { return; }
+                {
+                    return;
+                }
             }
 
             if (PersistedObject.AzureTenants == null)
@@ -287,7 +304,8 @@ void AddTenantConnection()
                     ApplicationSecret = this.TxtClientSecret.Text,
                     ExcludeGuests = this.ChkMemberUserTypeOnly.Checked,
                     ClientCertificatePrivateKey = cert,
-                    CloudInstance = (AzureCloudInstance)Enum.Parse(typeof(AzureCloudInstance), this.DDLAzureCloudInstance.SelectedValue)
+                    CloudInstance = (AzureCloudInstance)Enum.Parse(typeof(AzureCloudInstance), this.DDLAzureCloudInstance.SelectedValue),
+                    ExtensionAttributesApplicationId = string.IsNullOrWhiteSpace(this.TxtExtensionAttributesApplicationId.Text) ? Guid.Empty : Guid.Parse(this.TxtExtensionAttributesApplicationId.Text)
                 });
 
             CommitChanges();
@@ -298,6 +316,7 @@ void AddTenantConnection()
             this.TxtClientId.Text = String.Empty;
             this.TxtClientSecret.Text = String.Empty;
             this.InputClientCertPassword.Text = String.Empty;
+            this.TxtExtensionAttributesApplicationId.Text = String.Empty;
             this.DDLAzureCloudInstance.SelectedValue = AzureCloudInstance.AzurePublic.ToString();
         }
 
@@ -335,15 +354,16 @@ private bool ValidateUploadedCertFile(
             {
                 byte[] buffer = new byte[inputFile.PostedFile.ContentLength];
                 inputFile.PostedFile.InputStream.Read(buffer, 0, buffer.Length);
-                cert = new X509Certificate2(buffer, certificatePassword, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable);
-                if (cert.HasPrivateKey == false)
+                // The certificate must be exportable so it can be saved in the persisted object
+                cert = AzureTenant.ImportPfxCertificateBlob(buffer, certificatePassword, X509KeyStorageFlags.Exportable);
+                if (cert == null)
                 {
                     this.LabelErrorTestLdapConnection.Text = $"Certificate does not contain the private key.";
                     return false;
                 }
 
                 // Try to export the certificate with its private key to validate that it succeeds
-                cert.Export(X509ContentType.Pkcs12, "Yvan");
+                cert.Export(X509ContentType.Pfx, "Yvan");
             }
             catch (CryptographicException ex)
             {
@@ -364,9 +384,10 @@ public PropertyCollectionBinder()
             PropertyCollection.Columns.Add("ClientID", typeof(string));
             //PropertyCollection.Columns.Add("MemberUserTypeOnly", typeof(bool));
             PropertyCollection.Columns.Add("CloudInstance", typeof(string));
+            PropertyCollection.Columns.Add("ExtensionAttributesApplicationId", typeof(Guid));
         }
 
-        public void AddRow(Guid Id, string TenantName, string ClientID, string CloudInstance)
+        public void AddRow(Guid Id, string TenantName, string ClientID, string CloudInstance, Guid ExtensionAttributesApplicationId)
         {
             DataRow newRow = PropertyCollection.Rows.Add();
             newRow["Id"] = Id;
@@ -374,6 +395,7 @@ public void AddRow(Guid Id, string TenantName, string ClientID, string CloudInst
             newRow["ClientID"] = ClientID;
             //newRow["MemberUserTypeOnly"] = MemberUserTypeOnly;
             newRow["CloudInstance"] = CloudInstance;
+            newRow["ExtensionAttributesApplicationId"] = ExtensionAttributesApplicationId;
         }
 
         public void BindGrid(SPGridView grid)
diff --git a/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.designer.cs b/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.designer.cs
index c7ba4eb6..cb08e82b 100644
--- a/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.designer.cs
+++ b/AzureCP/TEMPLATE/ADMIN/AzureCP/AzureCPGlobalSettings.ascx.designer.cs
@@ -122,6 +122,15 @@ public partial class AzureCPGlobalSettings
         /// </remarks>
         protected global::Microsoft.SharePoint.WebControls.InputFormCheckBox ChkMemberUserTypeOnly;
 
+        /// <summary>
+        /// TxtExtensionAttributesApplicationId control.
+        /// </summary>
+        /// <remarks>
+        /// Auto-generated field.
+        /// To modify move field declaration from designer file to code-behind file.
+        /// </remarks>
+        protected global::Microsoft.SharePoint.WebControls.InputFormTextBox TxtExtensionAttributesApplicationId;
+
         /// <summary>
         /// BtnTestAzureTenantConnection control.
         /// </summary>
diff --git a/AzureCP/TEMPLATE/ADMIN/AzureCP/ClaimTypesConfig.ascx.cs b/AzureCP/TEMPLATE/ADMIN/AzureCP/ClaimTypesConfig.ascx.cs
index 9763ed40..9608a5d9 100644
--- a/AzureCP/TEMPLATE/ADMIN/AzureCP/ClaimTypesConfig.ascx.cs
+++ b/AzureCP/TEMPLATE/ADMIN/AzureCP/ClaimTypesConfig.ascx.cs
@@ -309,11 +309,17 @@ private void BuildGraphPropertyDDLs(KeyValuePair<int, ClaimTypeConfig> azureObje
                 // Ensure property exists for the current object type
                 if (azureObject.Value.EntityType == DirectoryObjectType.User)
                 {
-                    if (AzureCP.GetPropertyValue(new User(), prop.ToString()) == null) { continue; }
+                    if (AzureCP.GetPropertyValue(new User(), prop.ToString()) == null)
+                    {
+                        continue;
+                    }
                 }
                 else
                 {
-                    if (AzureCP.GetPropertyValue(new Group(), prop.ToString()) == null) { continue; }
+                    if (AzureCP.GetPropertyValue(new Group(), prop.ToString()) == null) 
+                    { 
+                        continue; 
+                    }
                 }
 
                 graphPropertySelected = azureObject.Value.DirectoryObjectProperty == prop ? "selected" : String.Empty;
diff --git a/CHANGELOG.md b/CHANGELOG.md
index acda680d..0a0d65a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change log for AzureCP
 
+## AzureCP 21.0
+
+* Fixed "Unsupported or invalid query filter" when AzureCP queries some properties like 'companyName' - (https://github.com/Yvand/AzureCP/pull/172 and https://github.com/Yvand/AzureCP/pull/177)
+* Add support for extension attributes ([#174](https://github.com/Yvand/AzureCP/pull/174))
+* Fix multiple reliability issues when using a certificate to authenticate in Azure AD
+* Fix the properties of the identity claim type not updated (https://github.com/Yvand/AzureCP/pull/171)
+* Switch from Azure DevOps to GitHub Actions to build the project and create the unit tests environments
+
 ## AzureCP 20.0.20220421.1391 enhancements & bug-fixes - Published in April 21, 2022
 
 * Fix: In claims configurfation page, the values in the list of "PickerEntity metadata" was not populated correctly, which caused an issue with the "Title" (and a few others)
diff --git a/testEnvironments.json b/testEnvironments.json
new file mode 100644
index 00000000..a110b57d
--- /dev/null
+++ b/testEnvironments.json
@@ -0,0 +1,17 @@
+{
+  "version": "1",
+  "environments": [
+    // See https://aka.ms/remotetesting for more details
+    // about how to configure remote environments.
+    //{
+    //  "name": "WSL Ubuntu",
+    //  "type": "wsl",
+    //  "wslDistribution": "Ubuntu"
+    //},
+    //{
+    //  "name": "Docker dotnet/sdk",
+    //  "type": "docker",
+    //  "dockerImage": "mcr.microsoft.com/dotnet/sdk"
+    //}
+  ]
+}
\ No newline at end of file