The “Create Profile for Primary Person” task’s logic says that if on-premises sync is enabled and the user has a value for “On-premises security identifier”, it will use the “On-premises security identifier” (AD domain user SID) as the profile SID. Otherwise, it converts the Entra user’s Object ID to a SID and uses that.
This works for many device join scenarios like domain join, hybrid join, and Entra join if the user account isn’t AD synced. The scenario we are running into issues for is Entra joined devices with a user that is AD synced. The desired result is that it that the user profile is created with their cloud user SID (converted from the Entra user Object ID), but currently it creates it with the AD domain user SID. This causes the device onboarding in ImmyBot to run any user specific setup against a user profile that will never be used. As soon as the user signs in with their Entra user a new profile is created with the correct SID.
I don’t see a way to dynamically determine if it’s creating the user profile in a hybrid join vs Entra join scenario, so I think the easiest solution would be to add a bool parameter like “UseDomainSIDForADSyncedUsers” that can be used to force it one way or the other.
I’d be interested if you have some time to share how you worked around this – we have a similar issue that’s causing some strange issues because of the duplicate profile names on the device, and would love to come up with a way around it. Appreciate any help you might be able to share.
The main issue with the profile script (as it was then), was that it assumed the User SID should be different depending if it was a synced object or not - not if the device was Entra ID Joined or Hybrid Joined.
I basically just copy/pasted the original Create Profile Script (as it looked over a year ago), and tweaked it considered AzureAD/Entra ID Joined machines AND OnPrem synced users.
I created a new Combined Script
$TestResult = $true
$Computer = Get-ImmyComputer
$Member = $PrimaryPersonEmail
if($Member){
$PrimaryUserInAD = Is-PrimaryUserADSynced
## PrimaryPerson is OnPremises AD Synced
if($PrimaryUserInAD)
{
## Azure AD Joined machines do not use the OnPremisesSecurityIdentifer attribute in Azure, even if the user is AD Synced
$computerJoinStatus = Get-AzureADJoinStatus
if(($computerJoinStatus.DeviceState.AzureAdJoined) -and (!$computerJoinStatus.DeviceState.DomainJoined)){
$SID = Convert-AzureAdObjectIdToSid -ObjectId $Computer.PrimaryPersonPrincipalId
Write-Host "User is OnPremises AD Synced, but Device is AzureAD Joined - Using Azure generated SID $SID"
}
elseif($computerJoinStatus.DeviceState.DomainJoined){
$Member = $PrimaryPersonEmail
$User = Invoke-ImmyDomainController {
$Member = $using:Member
Get-ADUser -Filter {UserPrincipalName -eq $Member}
}
$SID = $User.SID.Value
Write-Host "Using OnPremisesSID: $SID"
}
else{
Write-host "The device is neither Azure AD or OnPremises Domain Joined!"
}
}
## PrimaryPerson is AzureAD Only account
elseif($Computer.PrimaryPersonPrincipalId)
{
$SID = Convert-AzureAdObjectIdToSid -ObjectId $Computer.PrimaryPersonPrincipalId
Write-Host "Using Azure SID $SID"
}
else
{
throw "Unable to find primary user"
}
if(!$Computer.PrimaryPersonEmail)
{
throw "Unable to find UPN for user $SID"
}
$Username = $Computer.PrimaryPersonEmail -split '@' | select -first 1
if($SID){
Ensure-UserProfileExists -UserName $Username -SID $SID
}
else{
write-host "Unable to create profile"
return $false
}
}
else{
## No Primary User assigned to the device
Write-Host "No Primary User Assigned"
# If
if($ADUserNotSynced){
$Member = $ADUser.UserPrincipalName
$User = Invoke-ImmyDomainController {
$Member = $using:Member
Get-ADUser -Filter {UserPrincipalName -eq $Member}
}
$SID = $User.SID.Value
Write-Host "Using OnPremisesSID: $SID"
}
$Username = $ADUser.UserPrincipalName -split '@' | select -first 1
if($SID){
Ensure-UserProfileExists -UserName $Username -SID $SID
}
else{
write-host "Unable to create profile"
return $false
}
}
As you can see, my script references another function “Is-PrimaryUserADSynced” - this function is required for my Profile Script to work. See below.
Is-PrimaryUserADSynced
$PrimaryUserUPN = $PrimaryPersonEmail
# Check to see if the user exists on the domain of the tenant
$PrimaryUserInAD = Invoke-ImmyDomainController {
$PrimaryUserUPN = $using:PrimaryUserUPN
Get-ADUser -Filter {UserPrincipalName -eq $PrimaryUserUPN}
}
if($PrimaryUserInAD)
{
return $true
}
else
{
return $false
}