• Azure AD (Entra ID) does not use Security Identifiers (SIDs) in the same way as on-premise Active Directory.
  • Instead, it uses a combination of unique identifiers and security tokens for authentication and authorization in the cloud.
  • This combination generates a Group ID or Object ID rather than a SID.
• App Control currently does not support these differences when attempting to retrieve the SID from a specified Azure AD or Entra ID Username and/or Group Name.

A feature request was opened and tracked under EPCB-17112 for future consideration. In the meantime, specifying the SID directly in the Custom Rule will work. To do this, choose one of the following options:

• Use PowerShell with Get-AzAdUser or Get-AzureADDirectoryRole
• Use Microsoft Graph Explorer to convert Entra Roles to SIDs
• Open a ticket with Microsoft to request assistance in determining the relevant SID
• Use a third-party tool (such as Convert-AzureAdObjectIdToSid) to help convert Azure Object IDs to SIDs