
TheHoff70
Brass Contributor
Aug 16, 2023

Some accounts missing Azure AD Object ID

Hi all

There is something that has been annoying me for a while and I felt it's finally time to post about it.

We have a hybrid AD-AAD setup with a user sync up and running for years now. That particular feature is not my area, but from what I've heard the sync is working fine.

My trouble is that Sentinel seems to not be able to resolve the AAD Object ID of some users. For example, if I use the Entity Behaviour feature to look up one user, its entity page shows "-" as the Azure AD Object ID. Alerts and incidents are shown for the user, so Sentinel seems to be able to tie the user to incidents at least. If I select another user I might get the full AAD Object ID. This is driving me crazy because I have a few playbooks where I need the AAD ID and they don't work as it is now.

Could anyone shed some light on what process lies behind the correlation between a user and the AAD ID?

Regards

Fredrik

  • I'm experiencing similar issues for a long time. I ended up creating a KQL query within the playbooks that correlates the ID or UPN (whatever is missing) from the SignInLogs or IdentityInfo table to extract whatever is missing for my playbook's logic. Hope that helps!
    • TheHoff70
      Brass Contributor
      Interesting. This I'll have to try out. Many thanks.
    • TheHoff70
      Brass Contributor
      I've been trying back and forth with different entity mappings like DNS domain+UPN, "Full Name" or domain+UPN but so far no luck.
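The lookup the first reply describes, written out as an added example that is not code from the thread: a KQL query that takes whichever of UPN or Object ID the playbook already has and resolves the other, preferring the UEBA IdentityInfo table and falling back to SigninLogs. The table and column names (IdentityInfo.AccountUPN / AccountObjectId, SigninLogs.UserPrincipalName / UserId) are assumed from the standard Sentinel schemas, and the sample UPN is a constructed value.

```kql
// Added example (not from the thread). Resolve the missing half of a
// UPN <-> AAD Object ID pair for a playbook. Set exactly one of the two
// inputs; the other is what we are looking for.
// Assumed column names: IdentityInfo.AccountUPN / AccountObjectId,
//                       SigninLogs.UserPrincipalName / UserId.
let lookupUpn = "alice@contoso.example";   // constructed sample input
let lookupId  = "";                        // empty: we are resolving the Object ID
let window    = 30d;                       // how far back to search
// Preferred source: IdentityInfo (populated only when UEBA is enabled).
let fromIdentity =
    IdentityInfo
    | where TimeGenerated > ago(window)
    | where (isnotempty(lookupUpn) and AccountUPN =~ lookupUpn)
         or (isnotempty(lookupId)  and AccountObjectId =~ lookupId)
    | summarize arg_max(TimeGenerated, AccountUPN, AccountObjectId)
    | project UPN = AccountUPN, ObjectId = AccountObjectId, Source = "IdentityInfo";
// Fallback: any sign-in record for the user carries both UPN and UserId.
let fromSignin =
    SigninLogs
    | where TimeGenerated > ago(window)
    | where (isnotempty(lookupUpn) and UserPrincipalName =~ lookupUpn)
         or (isnotempty(lookupId)  and UserId =~ lookupId)
    | summarize arg_max(TimeGenerated, UserPrincipalName, UserId)
    | project UPN = UserPrincipalName, ObjectId = UserId, Source = "SigninLogs";
union fromIdentity, fromSignin
| where isnotempty(ObjectId) and isnotempty(UPN)   // drop partial matches
| extend Priority = iff(Source == "IdentityInfo", 0, 1)
| sort by Priority asc
| take 1                                           // one row: UPN, ObjectId, Source
```

In a Logic Apps playbook the two `let` values would be filled from the incident's account entity rather than hard-coded, and the single returned row gives the playbook a stable `ObjectId` even when the entity page shows "-". The `=~` operator makes the match case-insensitive, `arg_max` keeps only the most recent record per source, and a user who has never signed in and has no IdentityInfo row simply returns no rows, which the playbook should treat as "unresolved" rather than as an error.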
