Start typing and press
Enter to search

PowerShell Script Helper to convert Azure AD object ID to SID

By: Oliver Kieselbach May 13, 2020December 23, 2020

Articles, AzureAD, Coding, Enterprise Mobility, Intune, ScriptingAzure AD, ObjectID, PowerShell, PowerShell Scripts, SID

PowerShell Helpers to convert Azure AD Object IDs and SIDs

If you work with Azure AD and especially in my case with Intune and Azure AD you have probably seen Object IDs in the Azure AD portal on the user objects, group objects, or in the Intune log files.

Here a portal screenshot of a demo user:

Here a screenshot of the Intune Management Extension log file:

Another ID is the Security Identifier (SID) which you might have seen here and there. A famous command to show the SID of the user is whoami

On an Azure AD joined device in the local Administrators group you will find Azure AD SIDs:

Local Administrators groups with Azure AD SIDs

These IDs have a relationship and they can be converted to each other. For example wouldn’t it be nice to take the SID from the local administrators group and convert it to the Object ID to know which AAD group it represents or vice versa?

PowerShell Convert AzureAD SID to Object ID

If we lookup the Azure AD roles we get the Object ID of the Device Administrators group for the converted SID:

And as I said they can be converted vice versa so here we convert the Object ID back to the SID:

PowerShell Convert AzureAD Object ID to SID

This can be helpful in scripts here you see SIDs or ObjectIDs. You are now able to convert

Azure AD Group Object ID to SIDs
Azure AD User Object IDs to SIDs

and vice versa (that’s what I tested…).

You can get both code samples from my GitHub (Convert-AzureAdSidToObjectId.ps1 and Convert-AzureAdObjectIdToSid.ps1) or here:

https://github.com/okieselbach/Intune

I think Michael will like it as well for its Get-AutopilotESPStatus script here 🙂

Another new Get-AutopilotESPStatus script posted
https://oofhours.com/2020/04/08/another-new-get-autopilotespstatus-script-posted

I hope this small helper will not just help Michael and me from time to time 👍

Let’s have some PowerShell converting fun.

9 replies to PowerShell Helpers to convert Azure AD Object IDs and SIDs

Jos Lieben says:

May 20, 2020 at 1:44 pm

Nice post Oliver! Already used it at least once 🙂

I was wondering, do you know how to translate a tenant ID (GUID) to the .onmicrosoft.com default domain, without logging in? Can be useful in determining SpO / ODM URL’s beforehand.

Reply
1. Oliver Kieselbach says:
  
  May 20, 2020 at 1:51 pm
  
  Thanks Jos! Actually I was looking for a tenant translation as well, the other way is fairly easy, there are even websites for it like whatismytenantid.com… but I don’t know a way from GUID to DNS name… If you find a way let me know 🙂
  
  Reply
Tony says:

February 4, 2021 at 8:31 pm

The function you have on GitHub didn’t work for me. I fixed it and submitted a PR for you.
https://github.com/okieselbach/Intune/pull/6

Reply
1. Oliver Kieselbach says:
  
  February 7, 2021 at 1:05 pm
  
  Cool, will have a look into it and see if I have the same issue.
  
  Reply
Pingback: Manage Local Admin Accounts with Microsoft Intune - MDM Tech Space
Pingback: Simon does... Five Approaches For Local Admin Access On The Azure AD Joined PC
Pingback: PowerShell is fun :) Custom Compliance PowerShell script for detecting additional local Administrators
Stevie says:

July 12, 2023 at 12:31 pm

This is great work, thanks Oliver.
Have incorporated the “SID to OID” function in another function which gets the local admins from an Azure AD-joined device. Works like a charm!

Reply
Pingback: PowerShell DCR Log Analytics for Windows Endpoints Part 1.6: Admin Inventory Workbook – Getting the Most Out of Azure

Share this:

Related

9 replies to PowerShell Helpers to convert Azure AD Object IDs and SIDs

Leave a comment Cancel reply