On a Windows 10 Azure AD Joined device the local Administrators group includes:
AzureAD\Admin (S-1-12-1-38678509…)
S-1-12-1-3346315821-114…
S-1-12-1-445845933-119…
Note that in this example the device was joined to Azure AD via Settings after already being set up with a local admin account.
That list would include the Azure AD user that performed the join and, I assume, the Azure AD global administrator role and the Azure AD device administrator role (based on info here https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin).
It seems that the SIDs are being generated by Azure AD and are pushed (along with other bits of info) to the client in an ID token (based on info here https://jairocadena.com/2016/02/01/azure-ad-join-what-happens-behind-the-scenes/comment-page-1/#comment-3506)
However, I can't find any tools that show a SID associated with an Azure AD entity. Does Azure AD in fact generate these SIDs and, if so, is there any way to expose them to verify which SIDs match an entity?
I found an answer to this old question, and I think there are still people who can benefit from the answer. Before getting to the truth I tried to convert those SIDs to AAD usernames, only to discover there are no SIDs for AAD-only (cloud-only) users.
https://www.petervanderwoude.nl/post/managing-local-administrators-via-windows-10-mdm/
Every Azure AD joined device contains two SIDs (one representing the Global administrator role and one representing the Device administrator role) that are by default part of the local administrators.
AAD Joined device Administrators group
The SID of the Azure AD user is S-1-12-1- followed by the unsigned integer representation (4 parts) of the Azure AD Object ID.
https://kb.policypak.com/kb/article/862-how-do-i-get-azure-ad-sids-and-use-them-with-item-level-targeting/
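Added example (not code from the answer or from either linked post): a Python implementation of the rule quoted above in both directions, plus a helper that labels the member SIDs of a local Administrators group against a lookup of object IDs you already know. Every object ID and SID in it is constructed for the demo; the two built-in role SIDs would be resolved the same way once you know the object IDs behind them.

```python
import re
import struct
import uuid
from typing import Dict, Iterable, Optional

AAD_SID_RE = re.compile(r"S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)")

def object_id_to_sid(object_id: str) -> str:
    """Azure AD object ID (GUID) -> S-1-12-1-<a>-<b>-<c>-<d>.

    The sub-authorities are the GUID's 16 bytes in .NET Guid.ToByteArray()
    order (uuid.bytes_le has the same layout) read as four little-endian uint32.
    """
    a, b, c, d = struct.unpack("<4I", uuid.UUID(object_id).bytes_le)
    return f"S-1-12-1-{a}-{b}-{c}-{d}"

def sid_to_object_id(sid: str) -> Optional[str]:
    """Inverse mapping; None if sid is not an Azure AD (S-1-12-1) SID."""
    m = AAD_SID_RE.fullmatch(sid.strip())
    if m is None:
        return None
    parts = [int(p) for p in m.groups()]
    if any(p > 0xFFFFFFFF for p in parts):  # sub-authorities must fit 32 bits
        return None
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *parts)))

def resolve_local_admins(member_sids: Iterable[str],
                         known_objects: Dict[str, str]) -> Dict[str, str]:
    """Label each local Administrators member SID using a lookup of known
    Azure AD object IDs (lower-case GUID string -> display name)."""
    result = {}
    for sid in member_sids:
        oid = sid_to_object_id(sid)
        if oid is None:
            result[sid] = "not an Azure AD SID (local or on-premises AD principal)"
        else:
            result[sid] = known_objects.get(oid, f"unknown Azure AD object {oid}")
    return result

# Constructed sample data: this object ID and the SIDs below are made up.
SAMPLE_OBJECTS = {"01234567-89ab-cdef-0123-456789abcdef": "AzureAD\\Admin"}
SAMPLE_ADMINS = ["S-1-5-21-1000-2000-3000-500",        # built-in local Administrator
                 object_id_to_sid("01234567-89ab-cdef-0123-456789abcdef"),
                 "S-1-12-1-1-196610-1024-83886080"]    # Azure AD object not in lookup

if __name__ == "__main__":
    for sid, label in resolve_local_admins(SAMPLE_ADMINS, SAMPLE_OBJECTS).items():
        print(f"{sid:<50} {label}")
```

Feed it the output of `net localgroup administrators` (or `Get-LocalGroupMember Administrators`) and the object IDs from the Azure AD portal to confirm which SID belongs to which user or role.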