Some accounts missing Azure AD Object ID


Hi all

There is something that has been annoying me for a while and I felt it's finally time to post about it.

We have a hybrid AD-AAD setup with a user sync that has been up and running for years. That particular feature is not my area, but from what I've heard the sync is working fine.

My trouble is that Sentinel seems unable to resolve the AAD Object ID of some users. For example, if I use the Entity Behaviour feature to look up one user, its entity page shows "-" as the Azure AD Object ID. Alerts and incidents are shown for the user, so Sentinel seems to be able to tie the user to incidents at least. If I select another user I might get the full AAD Object ID. This is driving me crazy, because I have a few playbooks where I need the AAD ID and they don't work as it is now.

Could anyone shed some light on what process lies behind the correlation between a user and the AAD ID? 

 

Regards

Fredrik

4 Replies

@TheHoff70 the analytics that are mapped to the playbook, have they been mapped with the appropriate entities for azure object IDs?

 

This will surface the specific information for the playbooks to fire properly against the alert when it is triggered.

 

Check out this link to further information

Map data fields to Microsoft Sentinel entities | Microsoft Learn

I'm experiencing similar issues for a long time. I ended up creating a KQL query within the playbooks that correlates the ID or UPN (whatever is missing) from the SignInLogs or IdentityInfo table to extract whatever is missing for my playbook's logic. Hope that helps!
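The lookup described in the reply above, as an added example that is not code from the thread: the playbook passes in whichever half of the pair it has (a UPN or an object ID), and the query returns the other half. The IdentityInfo table (populated when UEBA is enabled) is preferred because it is synced from the directory, and SigninLogs is the fallback for users that never appear in IdentityInfo. The `lookupKey` value and the 30-day lookback are placeholders chosen for this example.

```kql
// Added example (not from the original post): resolve the missing half of a
// UPN / Azure AD object ID pair for a playbook.
// lookupKey is a placeholder; in a Logic App it would be a dynamic value
// taken from the incident's Account entity (UPN or AadUserId).
let lookupKey = "user@contoso.com";   // assumed placeholder, or an object ID GUID
let lookback = 30d;                   // assumed window
// Preferred source: IdentityInfo, which carries both AccountUPN and AccountObjectId
let fromIdentityInfo =
    IdentityInfo
    | where TimeGenerated > ago(lookback)
    | where AccountUPN =~ lookupKey or AccountObjectId =~ lookupKey
    | where isnotempty(AccountUPN) and isnotempty(AccountObjectId)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project UPN = AccountUPN, ObjectId = AccountObjectId,
              Source = "IdentityInfo", Priority = 1;
// Fallback: SigninLogs, where UserId is the Azure AD object ID of the signing-in user
let fromSignIns =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName =~ lookupKey or UserId =~ lookupKey
    | where isnotempty(UserPrincipalName) and isnotempty(UserId)
    | summarize arg_max(TimeGenerated, *) by UserId
    | project UPN = UserPrincipalName, ObjectId = UserId,
              Source = "SigninLogs", Priority = 2;
// Return a single row, preferring the directory-synced answer over a sign-in record
union fromIdentityInfo, fromSignIns
| top 1 by Priority asc
| project UPN, ObjectId, Source
```

If the query returns no rows, the user has neither a synced IdentityInfo record nor a sign-in in the window, so the playbook should branch on an empty result rather than assume a value. Matching is case-insensitive (`=~`) because UPNs are not consistently cased across sources.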
I've been trying back and forth with different entity mappings, like DNS domain+UPN, "Full Name" or domain+UPN, but so far no luck.
Interesting. This I'll have to try out. Many thanks.