Unknown SID in the Administrators group

Recently I was working on an Azure AD joined devices project where a security audit flagged a “security issue” caused by “unknown” members of the Local Administrators group on all Azure AD joined devices.

The issue happens because the name of the object is not listed anywhere: when you open the Administrators group properties or run whoami /all, all you see is a SID that is not resolved to any known object.

In this post I will explain how to discover who those users are in an easy way.

As those machines are Azure AD joined, the first step in the "investigation" is to convert the SID to an Object ID (which is what Azure AD uses). At first you may think this is a difficult task; however, it is trivial and can be achieved with just a couple of lines of PowerShell, as in my example below:

$SID = 'S-1-12-1-1934170543-1079698928-1100291729-732628452'

# The four sub-authorities after S-1-12-1- are the 32-bit little-endian words of the object ID.
# Parse them as UInt32, not Int32: a sub-authority above 2147483647 fails an [int[]] cast.
([guid][byte[]]([UInt32[]]$SID.Replace('S-1-12-1-', '').Split('-') | ForEach-Object { [System.BitConverter]::GetBytes($_) })).Guid

After getting the Azure AD object ID, you need to discover which object in Azure AD corresponds to it. You may be eager to find out and will probably end up going to https://portal.azure.com and searching all users and groups, but you will not find it. So the question remains: how do I know who the user is?

The answer is simple: use the Get-AzureADDirectoryRole PowerShell cmdlet from the AzureAD module, which lists the directory roles in the tenant together with their ObjectId.

Start by installing the module (if you do not have it installed). Just type Install-Module AzureAD and follow the instructions.

Once the module has been installed, connect to the Azure AD using the cmdlet Connect-AzureAD and enter your credentials.

Finally, run Get-AzureADDirectoryRole and look for the role whose ObjectId matches the GUID you computed from the SID.
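The whole procedure, put together as an added example (this is not code from the original post): enumerate the local Administrators group, pick out the members whose SID starts with S-1-12-1 and does not resolve to a name, convert each to an object ID, and match it against the directory roles (and, as a fallback, any other directory object). It also includes the reverse GUID-to-SID conversion, which is handy to confirm which SID a given role or user will show up as on a device. It assumes the AzureAD module is installed and a Connect-AzureAD session is open; the function names are this example's own. Note that the AzureAD module has since been deprecated in favour of Microsoft Graph PowerShell, where Get-MgDirectoryRole (Id, DisplayName) and Get-MgDirectoryObjectById fill the same roles.

```powershell
# Added example, not code from the original post. Resolves unknown S-1-12-1-* members of
# the local Administrators group to Azure AD roles or objects. Assumes the AzureAD module
# (Install-Module AzureAD) and an existing Connect-AzureAD session; function names are
# this example's own.

function ConvertFrom-AzureAdSid {
    # S-1-12-1-a-b-c-d -> GUID: a, b, c, d are the four little-endian UInt32 words of the
    # object ID's 16 bytes. UInt32, not Int32: sub-authorities above 2^31-1 are common.
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        throw "Not an Azure AD-derived SID: $Sid"
    }
    $words = [UInt32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $bytes = $words | ForEach-Object { [System.BitConverter]::GetBytes($_) }
    return [guid][byte[]]$bytes
}

function ConvertTo-AzureAdSid {
    # Inverse mapping: GUID -> S-1-12-1-a-b-c-d (same byte layout as Guid.ToByteArray()).
    param([Parameter(Mandatory)][guid]$ObjectId)
    $b = $ObjectId.ToByteArray()
    $words = 0..3 | ForEach-Object { [System.BitConverter]::ToUInt32($b, $_ * 4) }
    return 'S-1-12-1-' + ($words -join '-')
}

function Get-LocalAdminSids {
    # Enumerate Administrators through ADSI/WinNT rather than Get-LocalGroupMember, which
    # can fail outright when a member's SID cannot be resolved to a name.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.Invoke('Members'))) {
        $raw = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $name = $null
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Resolve-AzureAdAdminSids {
    # Match each unresolved Azure AD SID first against directory roles (the case in this
    # post), then against any other directory object by ObjectId.
    $roles = Get-AzureADDirectoryRole
    $unknown = Get-LocalAdminSids | Where-Object { -not $_.Name -and $_.Sid -like 'S-1-12-1-*' }
    foreach ($entry in $unknown) {
        $oid = (ConvertFrom-AzureAdSid $entry.Sid).ToString()
        $role = $roles | Where-Object { $_.ObjectId -eq $oid }
        $type = 'NotFound'
        $display = $null
        if ($role) {
            $type = 'DirectoryRole'
            $display = $role.DisplayName
        } else {
            $obj = Get-AzureADObjectByObjectId -ObjectIds $oid -ErrorAction SilentlyContinue
            if ($obj) {
                $type = $obj.ObjectType
                $display = $obj.DisplayName
            }
        }
        [pscustomobject]@{ Sid = $entry.Sid; ObjectId = $oid; Type = $type; DisplayName = $display }
    }
}

# Round-trip check on the SID from the post (no tenant connection needed for this part).
$sid = 'S-1-12-1-1934170543-1079698928-1100291729-732628452'
$guid = ConvertFrom-AzureAdSid $sid
if ((ConvertTo-AzureAdSid $guid) -ne $sid) { throw 'SID/GUID round trip failed' }
"$sid -> $guid"

# With a Connect-AzureAD session open, list every unresolved admin SID with what it maps to.
Resolve-AzureAdAdminSids | Format-Table -AutoSize
```

The ObjectId that matches is the tenant-specific ObjectId of the activated role, not its RoleTemplateId, so the same role will produce a different SID in every tenant; if an audit tool keeps an allow-list of expected admin SIDs, generate it per tenant with ConvertTo-AzureAdSid rather than hard-coding values.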

In my environment, these two SIDs are converted to the Company Administrator and Device Administrators roles. However, what are those? I cannot find them under Roles and administrators in Azure AD.

The answer to this question can be found in the documentation https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

“In the Microsoft Graph API and Azure AD PowerShell, this role is identified as “Company Administrator”. It is “Global Administrator” in the Azure portal.”

And what about the Device Administrators? On the same link you get “Users assigned to this role are added to the local administrators group on Azure AD-joined devices.”

Article originally published on LinkedIn.
