Microsoft Entra Connect Sync : matching user SID in Entra ID and on-premise Active Directory


I am seeing an issue in a customer environment and so would like a sanity check on the following (meaning the code snippets below are not succeeding, but I was expecting they would succeed):

In an ‘Azure hybrid environment’, that is, one using ‘Microsoft Entra Connect Sync’ (note that this software has had a few predecessor Microsoft products: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-dirsync-deprecated ), is the ‘user SID’ the same in the Azure tenant (‘Entra ID’) as it is in ‘on-premise Active Directory’ because of the sync process done by the ‘Microsoft Entra Connect Sync’ software? Please see: https://learn.microsoft.com/en-us/entra/identity/hybrid/whatis-hybrid-identity

Below is a PowerShell function named Convert-AzureAdObjectIdToSid. That function was taken off a Microsoft web site at:
https://answers.microsoft.com/en-us/msoffice/forum/all/power-shell-script-to-convert-convert-aad-object/c562dc4d-e1e4-4ef4-9dab-04466d49c425

function Convert-AzureAdObjectIdToSid {
   param([String] $ObjectId)
   # Take the 16 raw bytes of the object id GUID ...
   $bytes = [Guid]::Parse($ObjectId).ToByteArray()
   # ... reinterpret them as four little-endian UInt32 sub-authorities ...
   $array = New-Object 'UInt32[]' 4
   [Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
   # ... and prefix them with the Entra ID (cloud) SID authority S-1-12-1
   $sid = "S-1-12-1-$array".Replace(' ', '-')
   return $sid
}

Using the Graph API, we get a user's Azure ObjectId and then call Convert-AzureAdObjectIdToSid to get a SID. Based on the returned SID, the following code snippets (error handling removed) should succeed on the ‘Azure hybrid joined’ Windows computer with a user who is signed in with an account that exists in Entra ID and in the on-premise Active Directory (again via ‘Microsoft Entra Connect Sync’):

1.

# (a) Resolve the SID to a DOMAIN\user name through the local LSA
$objSID = New-Object System.Security.Principal.SecurityIdentifier($SID);
$objUser = $objSID.Translate([System.Security.Principal.NTAccount]);

# (b) Bind to the account in Active Directory by SID through ADSI
$LDAPQuery = "LDAP://<SID=$SID>";
$AdRecord = [adsi]$LDAPQuery;

# (c) Read the signed-in user's domain and name from the HKEY_USERS hive keyed by SID
$RegistryDrive = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS;
$RegistryFolder = "{0}:\{1}\Volatile Environment" -f $RegistryDrive.Name, $SID;
$UserDomain = (Get-ItemProperty -Path $RegistryFolder).USERDOMAIN;
$UserName = (Get-ItemProperty -Path $RegistryFolder).USERNAME;
$objUser = ("{0}\{1}" -f $UserDomain, $UserName);

# (d) Look the SID up through WMI (Win32_SID); domain comes first in DOMAIN\user
$WmiQuery = "root\cimv2:win32_sid.sid='{0}'" -f $SID;
$WmiObject = [WMI]$WmiQuery;
$objUser = ("{0}\{1}" -f $WmiObject.ReferencedDomainName, $WmiObject.AccountName);

1 answer

AlfredoRevilla-MSFT

AD User SID and Entra ID User objectID are not related. The AD SID is stored in the user.onPremisesSecurityIdentifier attribute in MS Graph.
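As an added example (not code from the question or the answer), the PowerShell below pulls both identifiers for one user from Microsoft Graph with the Microsoft.Graph.Users module and tries to resolve each one on the local machine, which makes the distinction in the answer visible: the S-1-12-1 value derived from the object id is the cloud identity, while onPremisesSecurityIdentifier carries the S-1-5-21 SID that Entra Connect Sync copied from AD. The UPN is a constructed sample and the function names are chosen here; it assumes a session with User.Read.All.

```powershell
# Same conversion as in the question: GUID bytes -> four UInt32 sub-authorities under S-1-12-1
function Convert-AzureAdObjectIdToSid {
    param([String] $ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $array = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
    return "S-1-12-1-$array".Replace(' ', '-')
}

# Hypothetical helper: fetch the cloud object id and the synced on-premises SID for one user
function Get-HybridUserSids {
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, OnPremisesSecurityIdentifier, OnPremisesSyncEnabled
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.Id
        CloudSid          = Convert-AzureAdObjectIdToSid -ObjectId $user.Id   # S-1-12-1-..., Entra identity
        OnPremSid         = $user.OnPremisesSecurityIdentifier                 # S-1-5-21-..., $null if cloud-only
        Synced            = $user.OnPremisesSyncEnabled
    }
}

# Hypothetical helper: ask the local LSA which account a SID maps to; $null when it cannot be mapped
function Resolve-SidLocally {
    param([Parameter(Mandatory)][string] $Sid)
    try {
        $objSid = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $objSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

Connect-MgGraph -Scopes 'User.Read.All'
$info = Get-HybridUserSids -UserPrincipalName 'jdoe@contoso.example'   # constructed sample UPN
$info | Format-List

# On a hybrid-joined, domain-connected machine the on-prem SID is the one that
# the LDAP, HKEY_USERS and Win32_SID lookups from the question should be fed.
"Cloud SID   -> $(Resolve-SidLocally -Sid $info.CloudSid)"
if ($info.OnPremSid) {
    "On-prem SID -> $(Resolve-SidLocally -Sid $info.OnPremSid)"
} else {
    'No onPremisesSecurityIdentifier: this account is cloud-only and has no AD SID to look up.'
}
```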