Forum Discussion
Some accounts missing Azure AD Object ID
Hi all
There is something that has been annoying me for a while and I felt it's finally time to post about it.
We have a hybrid AD-AAD setup with a user sync up and running since years back, that particular feature is not my area but from what I've heard the sync is working fine.
My trouble is that Sentinel seems to not be able to resolve the AAD Object ID of some users. For example, if I use the Entity Behaviour feature to look up one user, its entity page shows "-" as the Azure AD Object ID. Alerts and incidents are shown for the user, so Sentinel seems to be able to tie the user to incidents at least. If I select another user I might get the full AAD Object ID. This is driving me crazy because I have a few playbooks where I need the AAD-ID and they don't work as it is now.
Could anyone shed some light on what process lies behind the correlation between a user and the AAD ID?
Regards
Fredrik
- Christian_Bartsch (Brass Contributor): I've been experiencing similar issues for a long time. I ended up creating a KQL query within the playbooks that correlates the ID or UPN (whatever is missing) from the SignInLogs or IdentityInfo table to extract whatever is missing for my playbook's logic. Hope that helps!
- TheHoff70 (Brass Contributor): Interesting. This I'll have to try out. Many thanks.
- BillClarksonAntill (Iron Contributor):
TheHoff70, the analytics that are mapped to the playbook, have they been mapped with the appropriate entities for Azure object IDs?
This will surface the specific information for the playbooks to fire properly against the alert when it is triggered?
Check out this link for further information:
Map data fields to Microsoft Sentinel entities | Microsoft Learn
- TheHoff70 (Brass Contributor): I've been trying back and forth with both with different entity mappings like DNS domain+UPN, "Full Name" or domain+UPN but so far no luck.
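
The workaround described in the thread (looking up whichever of UPN or object ID is missing from IdentityInfo or the sign-in logs) could look like the query below. This is an added example, not code from any of the posters: the two input values are constructed placeholders that a playbook would fill from the alert's account entity, the 14-day lookback is an assumption, and the sign-in table is referenced by its workspace name `SigninLogs`.

```kusto
// Added example: resolve the missing half of a UPN / object ID pair.
// Assumption: the playbook substitutes the alert's account entity values here;
// leave the unknown one as an empty string. Values below are constructed samples.
let targetUpn = "jane.doe@contoso.example";
let targetObjectId = "";
let lookback = 14d;   // assumption: long enough to contain a record for the user
// Preferred source: the identity snapshot maintained by UEBA.
let fromIdentityInfo =
    IdentityInfo
    | where TimeGenerated > ago(lookback)
    | where (isnotempty(targetUpn) and AccountUPN =~ targetUpn)
         or (isnotempty(targetObjectId) and AccountObjectId =~ targetObjectId)
    | summarize arg_max(TimeGenerated, AccountUPN, AccountObjectId)
        by Key = tolower(AccountUPN)
    | project Source = "IdentityInfo", Priority = 1, LastSeen = TimeGenerated,
              UPN = AccountUPN, ObjectId = AccountObjectId;
// Fallback: the most recent interactive sign-in for the same account.
let fromSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where (isnotempty(targetUpn) and UserPrincipalName =~ targetUpn)
         or (isnotempty(targetObjectId) and UserId =~ targetObjectId)
    | summarize arg_max(TimeGenerated, UserPrincipalName, UserId)
        by Key = tolower(UserPrincipalName)
    | project Source = "SigninLogs", Priority = 2, LastSeen = TimeGenerated,
              UPN = UserPrincipalName, ObjectId = UserId;
// Keep only complete pairs, prefer IdentityInfo, then the newest record.
union fromIdentityInfo, fromSignins
| where isnotempty(UPN) and isnotempty(ObjectId)
| sort by Priority asc, LastSeen desc
| take 1
| project UPN, ObjectId, Source, LastSeen
```

An empty result means neither table holds a record for the account in the lookback window, so the playbook should branch on that case rather than pass an empty ID to later steps.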