Convert Entra Roles to SIDs

Niklas Tinner
2 min read · Oct 3, 2023

Let me just quickly show you how you can get a SID (security identifier) from an Entra role ID. This is usually required when you are working with local user and group membership on Windows devices.

Entra doesn’t ‘understand’ the concept of SIDs, which is why you need to convert them.

Step-by-step instructions

  1. Open Microsoft Graph Explorer.
  2. Perform a GET request to the following URL:
     https://graph.microsoft.com/v1.0/directoryRoles/
  3. Search for your desired role in the response (tip: CTRL+F 😉).
  4. Copy the ID.

(Screenshot: Graph Explorer)

Alternate method if you can’t use Graph Explorer because consent hasn’t been granted:

a. Open a PowerShell window (the Graph PowerShell SDK cmdlets don’t run in a plain CMD prompt) and type

Connect-MgGraph -Scopes Directory.Read.All

b. Now perform the same request as in Graph Explorer:

$roles = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/directoryRoles/" -OutputType PSObject

c. Find the ID by looking at the output:

$roles.value

(Screenshot: Get ID via Invoke-MgGraphRequest)

5. Use the Azure AD Object ID to SID Converter website, paste the ID in and hit Convert to Azure AD SID.

(Screenshot: Converter)

Here you go! There is the SID of that role 🥳 and it matches what lusrmgr.msc shows on the Windows device:

(Screenshot: Local Users and Groups manager)
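If you would rather not paste directory IDs into a third-party website, the conversion the converter performs can be done locally. The following is an added example (not from the original post or from the converter site): it assumes the documented Entra SID layout S-1-12-1-a-b-c-d, where a to d are the four 32-bit little-endian integers of the GUID’s byte representation, and it accepts either the `id` or the `roleTemplateId` property of the objects in `$roles.value`.

```powershell
# Added example: convert an Entra object ID (GUID) to its Windows SID offline.
# Assumption: SID = 'S-1-12-1-' + four uint32 values read little-endian from
# [guid]::ToByteArray(), which is the layout the converter website reproduces.
function ConvertTo-EntraSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('id', 'roleTemplateId')]
        [string] $ObjectId
    )
    process {
        $guid  = [guid]$ObjectId            # throws on a malformed ID instead of emitting junk
        $bytes = $guid.ToByteArray()        # 16 bytes in the mixed-endian GUID layout
        $parts = foreach ($offset in 0, 4, 8, 12) {
            [BitConverter]::ToUInt32($bytes, $offset)   # little-endian on Windows/.NET
        }
        'S-1-12-1-' + ($parts -join '-')
    }
}

# Reverse direction: turn a SID found in lusrmgr.msc, Get-LocalGroupMember or an
# existing Local User Group Membership policy back into the Entra object ID.
function ConvertFrom-EntraSid {
    param([Parameter(Mandatory)] [string] $Sid)
    if ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        $bytes = foreach ($i in 1..4) { [BitConverter]::GetBytes([uint32]$Matches[$i]) }
        return [guid]::new([byte[]]$bytes)
    }
    throw "Not an Entra ID SID (expected S-1-12-1-a-b-c-d): $Sid"
}

# Usage with the $roles object from steps b and c above: one row per role, ready to
# compare against the members of the local Administrators group.
$roles.value |
    ForEach-Object { [pscustomobject]@{ Role = $_.displayName; Id = $_.id; Sid = ConvertTo-EntraSid $_.id } } |
    Format-Table -AutoSize

# Sanity check of the round trip on a constructed, non-real ID.
$sample = '00000000-1111-2222-3333-444444444444'
if ((ConvertFrom-EntraSid (ConvertTo-EntraSid $sample)).Guid -ne $sample) { throw 'round trip failed' }
```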

Where would you use this in Intune?

There are a few security-related use cases where you would need this SID. Some common scenarios:

  • Remove these roles from the local Administrators group
  • Block these SIDs from signing in (read more in this dedicated post)

To achieve this, you need an Account Protection > Local user group membership policy from Endpoint Security.

(Screenshot: Create policy)
(Screenshot: Policy configuration)

It may be an even better option to choose Add (Replace): this removes all members except the ones specified in this policy.