0 votes

If we want to obtain the Object ID for the corresponding 365 object of a user, we would use the logic:

[Guid]$Context.TargetObject.Get("adm-O365ObjectId")

If such a value is not available, we assume the user object does not have a corresponding Microsoft 365 account.

Is there equivalent logic/code, that Adaxes recommends we use, for determining if a user object definitively belongs to an on-premises Active Directory domain or a cloud Azure AD domain?

by (210 points)

1 Answer

0 votes
by (289k points)

Hello,

The approach you specified does not provide you with a possibility to distinguish Azure AD and on-premises AD accounts. You need to use the AzureID property. For details, have a look at the following article: https://www.adaxes.com/sdk/IAdmTop/#AzureId_details.

0

The approach I specified was just an example of utilising an attribute to determine the status of something, not a specific example of what I was asking about.

0

Hello,

Sure, totally understandable. We just wanted to point that out so that anybody else reading this thread can see that as well and use the proper approach for the specific task.

0

Would this check be correct?

$ObjectGUID = try { [Guid]$Context.TargetObject.Get("objectGUID") } catch { <# This should never throw an exception? #> }
$ObjectAzureID = try { [Guid]$Context.TargetObject.Get("adm-AzureID") } catch {}
if($null -eq $ObjectAzureID -or $ObjectGUID -ne $ObjectAzureID) {
    # Object belongs to Active Directory domain
} else {
    # Object belongs to Azure domain
}

0

Hello,

There is no need to check the objectGUID property as it can never be empty. Finally, you can have a script like the following:

try
{
    $identifier = [Guid]$Context.TargetObject.Get("adm-AzureID")
}
catch
{
    # The account belongs to on-premises AD.
}

0

I'm primarily comparing objectGUID against adm-AzureID.

I don't believe what you said is correct, I've seen AD Users and Azure Users with populated adm-AzureID attributes.

I've created, and tested, this following Cmdlet:

<#
.SYNOPSIS
Returns whether or not the given Object belongs to an Azure domain

.DESCRIPTION
Checks if InputObject's objectGUID matches its adm-AzureID

.PARAMETER InputObject
The Adaxes Object that is to be checked. Typically this will be $Context.TargetObject or an object with a base type of Softerra.Adaxes.Adsi.AdmObject

.EXAMPLE
PS> Get-AdxNativeAzureObjectStatus -InputObject $Context.TargetObject

.EXAMPLE
PS> ,$Context.TargetObject | Get-AdxNativeAzureObjectStatus

.NOTES
Take note of the "," prefix in the pipelined example as it's a workaround to prevent array unrolling
#>
Function Get-AdxNativeAzureObjectStatus {
    Param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [Softerra.Adaxes.Adsi.AdmObject]$InputObject
    )
    $ObjectGUID = try { [Guid]$InputObject.Get("objectGUID") } catch { }
    $ObjectAzureID = try { [Guid]$InputObject.Get("adm-AzureID") } catch {}
    $null -ne $ObjectAzureID -and $null -ne $ObjectGUID -and $ObjectGUID -eq $ObjectAzureID
}

0

Hello,

Sorry for the confusion, you are right. The adm-AzureID property is only empty for on-premises AD accounts not associated with a Microsoft 365 tenant in Adaxes. Your approach should work just fine.
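The thread ends with a boolean check (objectGUID equals adm-AzureID). The following is an added example, not code from the thread or from Adaxes, that turns the same two attributes into a three-way classification and exercises it against a constructed stand-in object, so it runs without an Adaxes service. The function name Get-AdxAccountOrigin, the mock object, and the reading of "adm-AzureID set but different from objectGUID" as an on-premises account linked to a tenant are assumptions.

```powershell
# Added example (not from the thread or Adaxes): classify an Adaxes object
# into one of three states instead of returning a single boolean.
# Assumption: adm-AzureID set but different from objectGUID means an
# on-premises account that is associated with a Microsoft 365 tenant.
Function Get-AdxAccountOrigin {
    Param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        $InputObject   # $Context.TargetObject in a real Adaxes script
    )
    Process {
        # objectGUID is always present on a directory object.
        $objectGuid = [Guid]$InputObject.Get("objectGUID")

        # adm-AzureID throws when the attribute is not set (the pattern used
        # in the thread), hence the try/catch around the call.
        $azureId = $null
        try { $azureId = [Guid]$InputObject.Get("adm-AzureID") } catch { }

        if ($null -eq $azureId)       { return 'OnPremises' }        # no tenant link
        if ($azureId -eq $objectGuid) { return 'AzureNative' }       # cloud-only account
        return 'OnPremisesLinked'                                    # AD account tied to a tenant
    }
}

# Constructed stand-in for Softerra.Adaxes.Adsi.AdmObject so the function can
# be exercised offline: Get() throws for attributes that are not set.
Function New-FakeAdmObject([hashtable]$Attributes) {
    $obj = [pscustomobject]@{ Attributes = $Attributes }
    $obj | Add-Member -MemberType ScriptMethod -Name Get -Value {
        param([string]$Name)
        if (-not $this.Attributes.ContainsKey($Name)) { throw "Attribute '$Name' is not set" }
        return $this.Attributes[$Name]
    }
    return $obj
}

# Constructed sample objects covering the three states.
$guid  = [Guid]::NewGuid()
$cases = @{
    'OnPremises'       = New-FakeAdmObject @{ 'objectGUID' = $guid }
    'OnPremisesLinked' = New-FakeAdmObject @{ 'objectGUID' = $guid; 'adm-AzureID' = [Guid]::NewGuid() }
    'AzureNative'      = New-FakeAdmObject @{ 'objectGUID' = $guid; 'adm-AzureID' = $guid }
}
foreach ($expected in $cases.Keys) {
    $actual = Get-AdxAccountOrigin -InputObject $cases[$expected]
    "{0,-18} -> {1,-18} (expected {2})" -f $expected, $actual, $expected
}
```

In a real Adaxes script replace the fake objects with $Context.TargetObject; the classification logic itself is unchanged.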
