0

I'm looking some Azure SQL security alerts for a "login from a domain not seen in 60 days", however it's listed in the following format (not actual identifier)

f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c@1ed9389a-f140-4cfd-9f02-c5a6a78c2770

How would I resolve this to an actual readable username?

thanks in advance

NoCarrier
  • 2,558
  • 4
  • 33
  • 44
  • Would you be able to share some snip or reference to the log attributes? it maybe UPN@UPN of the user or service that is now removed or deleted! see if this helps https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39459757-azure-ad-sign-in-logs-record-the-userdisplayname-a – KarthikBhyresh-MT Jul 02 '21 at 08:55
  • Was my answer helpful ? – KarthikBhyresh-MT Jul 27 '21 at 07:24

1 Answers1

0

You can try PowerShell commandlet to get ObjectId details, use Get-AzureADObjectByObjectId and Get-AzureADUserCreatedObject -ObjectId as below:

enter image description here

In your case f96bd1cf-beb7-4e82-89cc-3d7e76f1cf3c@1ed9389a-f140-4cfd-9f02-c5a6a78c2770 : the first part is the id and second is tenant

Your Tenant ID should appear under Basic information.

enter image description here

Further Get-AzureADUserCreatedObject cmdlet gets objects created by a user in Azure Active Directory (AD)

KarthikBhyresh-MT
  • 4,560
  • 2
  • 5
  • 12