On premise AD objectGUID is different than object id in Microsoft Graph

I have a question similar to: On premise Active Directory ObjectId is different than Azure Active Directory ObjectId

We used objectGUID in AD to uniquely identify the users and groups. We also maintain the group memberships using objectGUID. When querying Microsoft tenant using Microsoft Graph, what we see for the id from User or Group objects is different from what we get from the on-prem AD. This makes it difficult to correlate the AAD and AD resources.

I tried to use onPremisesImmutableId using the request below, only to find that this id is my employee id.

/v1.0/me?$select=id,userPrincipalName,onPremisesSecurityIdentifier,displayName,onPremisesImmutableId

Any idea how to retrieve the same objectGUID in the AAD world? I could not find anything close by looking at the User documentation.

Also for Group objects, I could not find the property onPremisesDomainName, similar to that in User objects. Is this by design?

Joyce asked Nov 18 '25 16:11


1 Answer

That was the correct answer back when it was written, but things have changed a bit since then. There is an excellent blog post at Azure AD Connect: objectGUID vs. mS-DS-ConsistencyGuid that discusses this change. Specifically this bit:

Before Azure AD Connect version 1.1.524.0, Azure AD Connect (but also Azure AD Sync and DirSync) defaulted to the objectGUID attribute for objects as the source anchor. Azure AD Connect version 1.1.553.0, and beyond, defaults to the mS-DS-ConsistencyGuid for user objects, but objectGUID for groups and computer objects.

In your case, it sounds like your particular tenant mapping was configured differently (i.e. your employee id).

Given the issues raised in the blog post, I'd recommend against using objectGUID for this purpose altogether. If you're looking for a single property across both User and Group resources, I'd suggest looking at onPremisesSecurityIdentifier instead. This holds the SID from your on-prem AD.

Marc LaFleur answered Nov 21 '25 09:11
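An added example (not code from either poster) showing the SID join the answer recommends, alongside the default Azure AD Connect encoding of the source anchor into onPremisesImmutableId (base64 of the GUID bytes), which only applies to tenants that kept objectGUID or mS-DS-ConsistencyGuid as the anchor; the Graph response and on-prem records are constructed.

```python
import base64
import json
import uuid
from typing import Dict, List, Optional

# Constructed sample data (not from the page). The Graph `id` is unrelated to the
# on-prem objectGUID; only the SID is carried over unchanged, on Users and Groups alike.
GRAPH_RESPONSE = json.loads("""{"value": [
 {"id": "6f0d4a2b-aaaa-4bbb-8ccc-000000000001", "userPrincipalName": "alice@example.test",
  "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105",
  "onPremisesImmutableId": "10001"},
 {"id": "6f0d4a2b-aaaa-4bbb-8ccc-000000000002", "displayName": "Finance",
  "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1201"}
]}""")
ONPREM_OBJECTS = [  # constructed AD export (objectGUID and objectSid in string form)
    {"objectGUID": "01020304-0506-0708-090a-0b0c0d0e0f10",
     "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"objectGUID": "a1b2c3d4-e5f6-4789-8abc-def012345678",
     "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1201"},
]


def guid_to_immutable_id(guid: str) -> str:
    """Default Azure AD Connect anchor encoding: base64 of the GUID's 16 bytes in
    AD's mixed-endian (.NET Guid.ToByteArray) layout. Only holds for tenants that
    kept objectGUID / mS-DS-ConsistencyGuid as the source anchor."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> Optional[str]:
    """Reverse mapping. Returns None when the value is not a 16-byte GUID, e.g. a
    tenant whose anchor was remapped to an employee id, as in the question."""
    try:
        raw = base64.b64decode(immutable_id, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return str(uuid.UUID(bytes_le=raw)) if len(raw) == 16 else None


def correlate_by_sid(graph_objects: List[dict], onprem_objects: List[dict]) -> Dict[str, str]:
    """Join Graph User/Group objects to on-prem records on the SID (exposed as
    onPremisesSecurityIdentifier on both resource types). Returns {objectGUID: Graph id}."""
    by_sid = {o["objectSid"]: o["objectGUID"] for o in onprem_objects}
    return {by_sid[o["onPremisesSecurityIdentifier"]]: o["id"]
            for o in graph_objects if o.get("onPremisesSecurityIdentifier") in by_sid}


if __name__ == "__main__":
    print(correlate_by_sid(GRAPH_RESPONSE["value"], ONPREM_OBJECTS))
```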