12: How do I get Azure AD SIDs and use them with Item Level Targeting?

  1. Before you can use Azure accounts under Item Level Targeting, you first need the Azure AD SIDs of the Azure accounts you wish to target. To find an Azure account's SID you can:

    1. Look in the Windows registry of a computer where that Azure user has successfully logged on at least once. The registry path to look under is:

      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

      Once at that path, select each subkey in turn (each is named after a SID, and its ProfileImagePath value shows whose profile it is) until you find the AAD SID that matches the Azure user account you wish to target. Azure AD SIDs start with S-1-12-1-, whereas on-prem domain SIDs start with S-1-5-21-. In my example below that would be:

      SID: S-1-12-1-3603547745-1252762009-756918658-301435180
      AAD User: EastSalesUser1@Fabrikam1000.com

    2. Have the Azure user run "WHOAMI /User" from a CMD prompt once logged in to the computer, then copy the SID text and send it to you.

    3. Use PowerShell to connect to Azure, then use a function to convert Object IDs to SIDs: 

      # Run PowerShell as Administrator
      Set-ExecutionPolicy Bypass -Scope Process -Force
      Install-Module -Name AzureAD -Force
      Import-Module -Name AzureAD
      # Answer YES if prompted to install NuGet


      # Once the module above is installed, connect to Azure AD (a sign-in prompt appears)
      # Use an account without MFA enabled
      Connect-AzureAD

      # An Azure AD SID is S-1-12-1 followed by the ObjectId GUID's 16 bytes
      # read as four little-endian 32-bit integers
      function Convert-ObjectIdToSid
      {
          param([String] $ObjectId)

          $d = [UInt32[]]::new(4)
          [Buffer]::BlockCopy([Guid]::Parse($ObjectId).ToByteArray(), 0, $d, 0, 16)
          "S-1-12-1-$d".Replace(' ', '-')
      }

      # Examples of conversion commands to run:
      # Get and convert all Azure users (-All returns every user, not just the first page):
      Get-AzureADUser -All $true | ForEach-Object { [pscustomobject] @{ Name = $_.DisplayName; Sid = Convert-ObjectIdToSid $_.ObjectId } }

      # Get and convert Azure users whose names begin with "EastSalesUser"
      Get-AzureADUser -SearchString "EastSalesUser" | ForEach-Object { [pscustomobject] @{ Name = $_.DisplayName; Sid = Convert-ObjectIdToSid $_.ObjectId } }

  2. Once you have the SID, edit your PolicyPak policy rule, enable Item Level Targeting, then click the "Edit…" button.

  3. Expand the drop-down list under "New Item" and select "User", put in ANY ON PREM USER (it is only a placeholder whose SID you will replace), select MATCH BY SID, then save the policy.

  4. Right-click the policy and then EXPORT the policy as XML.

  5. Open the XML in Notepad, Notepad++, etc. Then CAREFULLY replace the placeholder user's SID in the XML with the Azure AD SID you got in step 1 (optionally replace the name as well).

    BEFORE (exported XML with the placeholder on-prem user's SID):

    AFTER (same XML with the Azure AD SID substituted):

  6. Now save the edited XML with a descriptive name. The new XML file can be used as normal within PolicyPak for the module the policy was created for. In the example above the policy was created for Least Privilege Manager, so this XML can be used for LPM in the Cloud, MDM, or GPO version of PolicyPak.

    After importing the new XML into PolicyPak, the ILT will show the correct values for the Azure account.
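    The following is an added example for this article, not PolicyPak's own code. It writes out the ObjectId-to-SID conversion from step 1.3 in both directions (so a SID copied from ProfileList or "whoami /user" can be turned back into an ObjectId), and scripts the SID swap from step 5 so the placeholder SID is replaced everywhere and the result is checked to still be well-formed XML. It runs offline; the XML fragment is constructed for illustration with placeholder element names and does not reproduce PolicyPak's real export schema. The commented live-lookup lines at the end are an assumption about current tooling: the AzureAD module used above has been deprecated by Microsoft in favour of Microsoft Graph PowerShell.

```powershell
# Added example (not PolicyPak's code): ObjectId <-> Azure AD SID conversion in
# both directions, plus a scripted version of the XML SID swap from steps 4-5.
# Runs offline; the XML below is constructed for illustration and does not
# reproduce PolicyPak's real export schema.

function ConvertTo-AzureAdSid {
    # An Azure AD SID is S-1-12-1 followed by the ObjectId GUID's 16 bytes read
    # as four little-endian UInt32 values, which is exactly what ProfileList shows.
    param([Parameter(Mandatory)][string]$ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function ConvertFrom-AzureAdSid {
    # Reverse mapping: turn a SID copied from ProfileList or "whoami /user" back
    # into the ObjectId so the account can be looked up in the Azure portal.
    param([Parameter(Mandatory)][string]$Sid)
    if (-not ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$')) {
        throw "Not an Azure AD SID (expected S-1-12-1-a-b-c-d): $Sid"
    }
    $bytes = [byte[]]::new(16)
    for ($i = 0; $i -lt 4; $i++) {
        [BitConverter]::GetBytes([uint32]$Matches[$i + 1]).CopyTo($bytes, $i * 4)
    }
    return [Guid]::new($bytes).ToString()
}

function Set-SidInExportedXml {
    # Scripted step 5: replace the placeholder on-prem SID with the Azure AD SID,
    # refusing to write anything if the placeholder is absent or the edited
    # document is no longer well-formed XML.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OldSid,
        [Parameter(Mandatory)][string]$NewSid,
        [Parameter(Mandatory)][string]$OutPath
    )
    $text = Get-Content -Path $Path -Raw
    $hits = [regex]::Matches($text, [regex]::Escape($OldSid)).Count
    if ($hits -eq 0) { throw "Placeholder SID $OldSid not found in $Path" }
    $updated = $text.Replace($OldSid, $NewSid)
    $null = [xml]$updated            # throws if the edit broke the XML
    Set-Content -Path $OutPath -Value $updated -Encoding UTF8
    Write-Host "Replaced $hits occurrence(s) of $OldSid; wrote $OutPath"
}

# --- Self-check using the SID from the article's ProfileList example ---
$azureSid = 'S-1-12-1-3603547745-1252762009-756918658-301435180'
$objectId = ConvertFrom-AzureAdSid -Sid $azureSid
if ((ConvertTo-AzureAdSid -ObjectId $objectId) -ne $azureSid) { throw 'Round-trip failed' }
"ObjectId $objectId <-> $azureSid"

# --- Constructed stand-in for the XML exported in step 4 (placeholder names) ---
$onPremSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'   # any on-prem user's SID
$sample = @"
<Policy>
  <ItemLevelTargeting>
    <User name="FABRIKAM\placeholder" sid="$onPremSid" matchBySid="true" />
  </ItemLevelTargeting>
</Policy>
"@
$inFile  = Join-Path $env:TEMP 'lpm-export.xml'
$outFile = Join-Path $env:TEMP 'lpm-export-azure.xml'
Set-Content -Path $inFile -Value $sample
Set-SidInExportedXml -Path $inFile -OldSid $onPremSid -NewSid $azureSid -OutPath $outFile
Get-Content -Path $outFile

# --- Live lookup (needs network). The AzureAD module is deprecated; the
# Microsoft Graph PowerShell equivalent of the article's commands is:
#   Install-Module Microsoft.Graph.Users -Scope CurrentUser
#   Connect-MgGraph -Scopes 'User.Read.All'
#   Get-MgUser -Filter "startsWith(displayName,'EastSalesUser')" |
#       ForEach-Object { [pscustomobject]@{ Name = $_.DisplayName; Sid = ConvertTo-AzureAdSid $_.Id } }
```

    ConvertFrom-AzureAdSid deliberately rejects anything that is not S-1-12-1-a-b-c-d, so pasting an on-prem S-1-5-21 SID by mistake fails immediately instead of producing a meaningless GUID. Set-SidInExportedXml does a plain text replacement, the same thing step 5 does by hand, but counts the matches first and parses the result, which catches the two common slips: editing the wrong file and breaking a quote or tag while pasting.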

    Note: Azure GROUPS have no SID translation at all, so in all cases you will have to put in MULTIPLE user SIDs if you want MULTIPLE people to be able to do the activity.

    Other Considerations:
    For MDM, when using an XML created this way in the Exporter Tool, you must change the "Install For" option to "Computer".

    Once the policy is applied, launch the application, then open Task Manager and add the "Elevated" column to verify that the policy applied.

    Alternatively, check the PolicyPak event log:

  • 862
  • 04-Feb-2020