AzureAD Signin Logs - ObjectID in Identity field

%3CLINGO-SUB%20id%3D%22lingo-sub-1392234%22%20slang%3D%22en-US%22%3EAzureAD%20Signin%20Logs%20-%20ObjectID%20in%20Identity%20field%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1392234%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20been%20looking%20at%20the%20AAD%20Signin%20Logs%20for%20a%20few%20things%20now%20and%20I'm%20finding%20an%20issue%20where%20sometime%20the%20Identity%20and%20UserPrincipalName%20fields%20contain%20a%20users%20ObjectID%20rather%20than%20their%20name%20or%20UPN.%20If%20I%20resolve%20the%20objectid%20it%20is%20an%20active%20user%20in%20my%20tenant.%20It%20appears%20that%20all%20the%20records%20that%20have%20this%20issue%20have%20an%20empty%20array%20for%20AuthenticationDetails.%20Is%20anyone%20else%20seeing%20this%20and%20how%20are%20you%20handling%20it%20for%20reports%2Fdashboards%3F%20I'm%20being%20asked%20why%20I%20have%20GUIDs%20in%20my%20list%20of%20active%20users%2C%20I%20could%20filter%20our%20the%20records%20with%20object%20ID%20but%20don't%20want%20to%20do%20that%20if%20they%20reflect%20true%20user%20activity.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1392234%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1394890%22%20slang%3D%22en-US%22%3ERe%3A%20AzureAD%20Signin%20Logs%20-%20ObjectID%20in%20Identity%20field%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1394890%22%20slang%3D%22en-US%22%3E%3CP%3EI%20found%20these%20in%20my%20tenant%20too%2C%20but%20they%20were%20all%20unsuccessful%20sign-ins%20associated%20with%20two%20unique%20error%20codes%20from%20the%20error%20code%20lookup%20page%20here%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Ferror%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Ferror%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E16000%20means%20%22%3CSPAN%3EEither%20multiple%20user%20identities%20are%20available%20for%20the%20current%20request%20or%20selected%20account%20is%20not%20supported%20for%20the%20scenario.%22%3C%2FSPAN%3E%3CBR%20%2F%3Eand%3CBR%20%2F%3EIn%20the%20case%20of%20the%2050058%20error%2C%20it%20means%3CBR%20%2F%3E%22%3CSPAN%3EThis%20means%20that%20a%20user%20is%20not%20signed%20in.%20This%20is%20a%20common%20error%20that's%20expected%20when%20a%20user%20is%20unauthenticated%20and%20has%20not%20yet%20signed%20in.%20If%20this%20error%20is%20encountered%20in%20an%20SSO%20context%20where%20the%20user%20has%20previously%20signed%20in%2C%20this%20means%20that%20the%20SSO%20session%20was%20either%20not%20found%20or%20invalid.%20This%20error%20may%20be%20returned%20to%20the%20application%20if%20prompt%3Dnone%20is%20specified.%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eabout%2020%20seconds%20later%20from%20the%20same%20IP%20Address%20the%20same%20user%20signed%20in%20successfully%20with%20their%20normal%20user%20ID.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20in%20our%20case%2C%20we%20are%20going%20to%20filter%20these%20out%2C%20especially%20because%20the%2016000%20error%20code%20%22remediation%20suggestion%22%20is%20to%20%22%3CSPAN%3EHide%20in%20logs%22%20per%20the%20error%20lookup%20tool.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi,

 

I've been looking at the AAD Signin Logs for a few things now and I'm finding an issue where sometime the Identity and UserPrincipalName fields contain a users ObjectID rather than their name or UPN. If I resolve the objectid it is an active user in my tenant. It appears that all the records that have this issue have an empty array for AuthenticationDetails. Is anyone else seeing this and how are you handling it for reports/dashboards? I'm being asked why I have GUIDs in my list of active users, I could filter our the records with object ID but don't want to do that if they reflect true user activity.

1 Reply
Highlighted

I found these in my tenant too, but they were all unsuccessful sign-ins associated with two unique error codes from the error code lookup page here:

https://login.microsoftonline.com/error


16000 means "Either multiple user identities are available for the current request or selected account is not supported for the scenario."
and
In the case of the 50058 error, it means
"This means that a user is not signed in. This is a common error that's expected when a user is unauthenticated and has not yet signed in. If this error is encountered in an SSO context where the user has previously signed in, this means that the SSO session was either not found or invalid. This error may be returned to the application if prompt=none is specified."

 

about 20 seconds later from the same IP Address the same user signed in successfully with their normal user ID.

So in our case, we are going to filter these out, especially because the 16000 error code "remediation suggestion" is to "Hide in logs" per the error lookup tool.