How to determine if User is an AD User or Azure AD User?

Question

If we want to obtain the Object ID for the corresponding 365 object of a user, we would use the logic:

[Guid]$Context.TargetObject.Get("adm-O365ObjectId")

-if such a value is not available, we assume the user object does not have a corresponding Microsoft 365 account.

Is there equivelent logic/code, that Adaxes recommends we use, for determing if a user object definitively belongs to an on-premises Active Directory domain or a cloud Azure AD domain?

Answer 1

Hello,

The approach you specified does not provide you with a possibility to distinguish Azure AD and on-premises AD accounts. You need to use the AzureID property. For details, have a look at the following article: https://www.adaxes.com/sdk/IAdmTop/#AzureId_details.

Comments

The approach I specified was just an example of utilising an attribute to determine the status of something, not a specific example of what I was asking about.

---

Hello,

Sure, totally understandable. We just wanted to point that out so that anybody else reding this thread can see that as well and use the proper approach for the specific task.

---

Would this check be correct?

$ObjectGUID = try { [Guid]$Context.TargetObject.Get("objectGUID") } catch { <# This should never throw an exception? #> } 
$ObjectAzureID = try { [Guid]$Context.TargetObject.Get("adm-AzureID") } catch {}
if($null -eq $ObjectAzureID -or $ObjectGUID -ne $ObjectAzureID) {
    # Object belongs to Active Directory domain
} else {
    # Object belongs to Azure domain
}

---

Hello,

There is no need to check the objectGUID property as it can never be empty. Finally, you can have a script like the following:

try
{
    $identifier = [Guid]$Context.TargetObject.Get("adm-AzureID")
}
catch
{
    # The account belongs to on-premises AD.
}

---

I'm primarily comparing objectGUID against adm-AzureID.

I don't believe what you said is correct, I've seen AD Users and Azure Users with populated adm-AzureID attributes.

I've created, and tested, this following Cmdlet:

<#
.SYNOPSIS
Returns whether or not the given Object belongs to an Azure domain

.DESCRIPTION
Checks if InputObject's objectGUID matches it's adm-AzureID

.PARAMETER InputObject
The Adaxes Object that is to be checked. Typically this will be $Context.TargetObject or an object with a base type of Softerra.Adaxes.Adsi.AdmObject

.EXAMPLE
PS> Get-AdxNativeAzureObjectStatus -InputObject $Context.TargetObject

.EXAMPLE
PS> ,$Context.TargetObject | Get-AdxNativeAzureObjectStatus

.NOTES
Take note of the "," prefix in the pipelined example as it's a workaround to prevent array unrolling
#>
Function Get-AdxNativeAzureObjectStatus {
    Param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [Softerra.Adaxes.Adsi.AdmObject]$InputObject
    )
    $ObjectGUID = try { [Guid]$InputObject.Get("objectGUID") } catch { } 
    $ObjectAzureID = try { [Guid]$InputObject.Get("adm-AzureID") } catch {}
    $null -ne $ObjectAzureID -and $null -ne $ObjectGUID -and $ObjectGUID -eq $ObjectAzureID
}

---

Hello,

Sorry for the confusion, you are right. The adm-AzureID property is only empty for on-premises AD accounts not associated with a Microsoft 365 tenant in Adaxes. You approach should work just fine.