The "Create Profile for Primary Person" task incorrectly assumes the SID to use in some scenarios

The “Create Profile for Primary Person” task’s logic says that if on-premises sync is enabled and the user has a value for “On-premises security identifier”, it will use the “On-premises security identifier” (AD domain user SID) as the profile SID. Otherwise, it converts the Entra user’s Object ID to a SID and uses that.

This works for many device join scenarios like domain join, hybrid join, and Entra join if the user account isn’t AD synced. The scenario we are running into issues with is Entra joined devices with a user that is AD synced. The desired result is that the user profile is created with their cloud user SID (converted from the Entra user Object ID), but currently it is created with the AD domain user SID. This causes the device onboarding in ImmyBot to run any user-specific setup against a user profile that will never be used. As soon as the user signs in with their Entra user, a new profile is created with the correct SID.

I don’t see a way to dynamically determine if it’s creating the user profile in a hybrid join vs Entra join scenario, so I think the easiest solution would be to add a bool parameter like “UseDomainSIDForADSyncedUsers” that can be used to force it one way or the other.
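The selection logic described above, with the Object ID to SID conversion written out, as an added example that is not part of this thread or of ImmyBot's task code. Convert-EntraObjectIdToSid, Get-DeviceJoinState and Select-ProfileSid are names chosen here, and the sample SID and Object ID are constructed values.

```powershell
# Added example, not ImmyBot task code: pick the profile SID from the device join state.
# Assumed inputs: $OnPremSid (the user's "On-premises security identifier", $null for
# cloud-only users) and $EntraObjectId (the user's Entra Object ID).

function Convert-EntraObjectIdToSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Cloud user SIDs are S-1-12-1-<a>-<b>-<c>-<d>: the GUID's 16 bytes read as four
    # little-endian UInt32 values, which is the standard Object ID to SID mapping.
    $bytes = [guid]::Parse($ObjectId).ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function Get-DeviceJoinState {
    # Parse "dsregcmd /status" so the decision does not depend on an ImmyBot-only helper.
    $status = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($status -match '^\s*DomainJoined\s*:\s*YES')
    }
}

function Select-ProfileSid {
    param(
        [string]$OnPremSid,
        [Parameter(Mandatory)][string]$EntraObjectId,
        [Parameter(Mandatory)]$JoinState
    )
    # Domain or hybrid joined: Windows creates the profile under the AD SID, so use it.
    if ($JoinState.DomainJoined -and $OnPremSid) { return $OnPremSid }
    # Entra-only joined: even an AD-synced user signs in with the cloud SID. Using the
    # AD SID here is what produces the orphaned duplicate profile described above.
    if ($JoinState.AzureAdJoined) { return Convert-EntraObjectIdToSid -ObjectId $EntraObjectId }
    throw 'Device is neither domain joined nor Entra joined'
}

# Constructed sample values (not real accounts) showing both outcomes for one synced user.
$sampleOnPremSid     = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sampleEntraObjectId = '11111111-2222-3333-4444-555555555555'
$entraOnly = [pscustomobject]@{ AzureAdJoined = $true; DomainJoined = $false }
$hybrid    = [pscustomobject]@{ AzureAdJoined = $true; DomainJoined = $true }
"Entra joined device -> " + (Select-ProfileSid $sampleOnPremSid $sampleEntraObjectId $entraOnly)
"Hybrid joined device -> " + (Select-ProfileSid $sampleOnPremSid $sampleEntraObjectId $hybrid)
# On a real device, replace the sample join state with (Get-DeviceJoinState).
```

Comparing the two outputs against the SID of the profile that actually appears under C:\Users after first sign-in is the quickest way to confirm which branch a given device falls into.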

I discovered this over a year ago, and had to manually create a workaround script.

It has been working perfectly, so I haven’t gotten around to actually making a post, but this post describes the issue perfectly.

I’d like to see this scenario fixed in the Global deployment.

I’d be interested if you have some time to share how you worked around this – we have a similar issue that’s causing some strange issues because of the duplicate profile names on the device, and would love to come up with a way around it. Appreciate any help you might be able to share.

@DarrenDK any thoughts here? Perhaps create the profile after domain/azure join, and do so based on that?

I’ll share my current setup here.

The main issue with the profile script (as it was then), was that it assumed the User SID should be different depending if it was a synced object or not - not if the device was Entra ID Joined or Hybrid Joined.

I basically just copy/pasted the original Create Profile Script (as it looked over a year ago), and tweaked it so it considered AzureAD/Entra ID Joined machines AND OnPrem synced users.

I created a new Combined Script:

$TestResult = $true
$Computer = Get-ImmyComputer
$Member = $PrimaryPersonEmail
if($Member){
    $PrimaryUserInAD = Is-PrimaryUserADSynced
    ## PrimaryPerson is OnPremises AD Synced
    if($PrimaryUserInAD)
    {
        ## Azure AD Joined machines do not use the OnPremisesSecurityIdentifier attribute in Azure, even if the user is AD Synced
        $computerJoinStatus = Get-AzureADJoinStatus
        if(($computerJoinStatus.DeviceState.AzureAdJoined) -and (!$computerJoinStatus.DeviceState.DomainJoined)){
            ## Entra-only joined: the user signs in with the cloud SID, so derive it from the Entra Object ID
            $SID = Convert-AzureAdObjectIdToSid -ObjectId $Computer.PrimaryPersonPrincipalId
            Write-Host "User is OnPremises AD Synced, but Device is AzureAD Joined - Using Azure generated SID $SID"
        }
        elseif($computerJoinStatus.DeviceState.DomainJoined){
            ## Domain or hybrid joined: look the user up on a domain controller and use the AD SID
            $Member = $PrimaryPersonEmail
            $User = Invoke-ImmyDomainController {
                $Member = $using:Member
                Get-ADUser -Filter {UserPrincipalName -eq $Member}
            }
            $SID = $User.SID.Value
            Write-Host "Using OnPremisesSID: $SID"
        }
        else{
            ## $SID stays unset here, so the script falls through to "Unable to create profile"
            Write-Host "The device is neither Azure AD or OnPremises Domain Joined!"
        }
    }
    ## PrimaryPerson is AzureAD Only account
    elseif($Computer.PrimaryPersonPrincipalId)
    {
        $SID = Convert-AzureAdObjectIdToSid -ObjectId $Computer.PrimaryPersonPrincipalId
        Write-Host "Using Azure SID $SID"
    }
    else
    {
        throw "Unable to find primary user"
    }
    if(!$Computer.PrimaryPersonEmail)
    {
        throw "Unable to find UPN for user $SID"
    }
    ## Profile folder name is the UPN prefix (the part before the @)
    $Username = $Computer.PrimaryPersonEmail -split '@' | Select-Object -First 1
    if($SID){
        Ensure-UserProfileExists -UserName $Username -SID $SID
    }
    else{
        Write-Host "Unable to create profile"
        return $false
    }
}
else{
    ## No Primary User assigned to the device
    Write-Host "No Primary User Assigned"
    ## $ADUserNotSynced and $ADUser are not defined in this script; they are assumed to be supplied as script parameters
    if($ADUserNotSynced){
        $Member = $ADUser.UserPrincipalName
        $User = Invoke-ImmyDomainController {
            $Member = $using:Member
            Get-ADUser -Filter {UserPrincipalName -eq $Member}
        }
        $SID = $User.SID.Value
        Write-Host "Using OnPremisesSID: $SID"
    }
    $Username = $ADUser.UserPrincipalName -split '@' | Select-Object -First 1
    if($SID){
        Ensure-UserProfileExists -UserName $Username -SID $SID
    }
    else{
        Write-Host "Unable to create profile"
        return $false
    }
}

As you can see, my script references another function “Is-PrimaryUserADSynced” - this function is required for my Profile Script to work. See below.

Is-PrimaryUserADSynced

$PrimaryUserUPN = $PrimaryPersonEmail
# Check to see if the user exists on the domain of the tenant
$PrimaryUserInAD = Invoke-ImmyDomainController {
    $PrimaryUserUPN = $using:PrimaryUserUPN
    Get-ADUser -Filter {UserPrincipalName -eq $PrimaryUserUPN}
}
# Get-ADUser returns nothing when no account matches the UPN, so the condition is false for cloud-only users
if($PrimaryUserInAD)
{
    return $true
}
else
{
    return $false
}