onPremisesSecurityIdentifier is missing from graph api /devices endpoint

Bill Lam 20 Reputation points
2024-06-20T05:40:25.82+00:00

We are synchronizing Computer objects from on-prem Active Directory to Entra ID via Entra ID Connect. We want to correlate the information between on-prem Computer objects and Entra ID devices.

From my understanding, it can be done by matching up the onPremisesSecurityIdentifier attribute from Entra ID devices with the objectGUID from Active Directory. But when I tried to list the devices and their onPremisesSecurityIdentifier from Graph API, the onPremisesSecurityIdentifier is always missing.

I am calling the following endpoint from MS Graph API:

Invoke-MgGraphRequest -uri "https://graph.microsoft.com/beta/devices?$select=onPremisesSecurityIdentifier" -Method GET -OutputType Json

The following is an excerpt of one of the objects I received. No onPremisesSecurityIdentifier is returned.

{
  "enrollmentType": "OnPremiseCoManaged",
  "managementType": "MDM",
  "onPremisesLastSyncDateTime": "2024-06-19T01:31:57Z",
  "onPremisesSyncEnabled": true,
  "operatingSystem": "Windows",
  "operatingSystemVersion": "10.0.19045.4412",
  ...
}

See if anything else is missing. Thank you.


Accepted answer
  1. Vasil Michev 98,766 Reputation points MVP
    2024-06-20T06:47:50.3033333+00:00

    The onPremisesSecurityIdentifier property is not returned by default; you have to specifically request it, as you have tried above. The problem with your example is that PowerShell treats the "$" character as designating variables, and in this case it's effectively looking for a $select variable, which does not exist. In turn, you get the "standard" output, without the requested property. To work around this, you need to escape the $ char or use single quotes instead. Any of these would do:

    $res = Invoke-MgGraphRequest -uri "https://graph.microsoft.com/v1.0/devices?`$select=id,onPremisesSecurityIdentifier"
    $res = Invoke-MgGraphRequest -uri 'https://graph.microsoft.com/v1.0/devices?$select=id,onPremisesSecurityIdentifier'
    $res.value
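
The quoting pitfall from the accepted answer, as an added example that is not part of the original thread: it shows what the double-quoted URI expands to, a guard that rejects such a URI before it is sent, and a paged device query built from a single-quoted literal. `Test-ODataUri` and `Get-EntraDeviceSid` are hypothetical helper names, and the last call assumes an existing `Connect-MgGraph` session that is allowed to read devices.

```powershell
# Added example. Test-ODataUri and Get-EntraDeviceSid are hypothetical helper names.
Set-StrictMode -Version 2.0   # from 2.0 on, an unset variable inside "..." is an error

# Reproduce the default (non-strict) behaviour in a child scope, without a network call:
# $select is unset, expands to an empty string, and the query option name disappears.
$expanded = & {
    Set-StrictMode -Off
    "https://graph.microsoft.com/v1.0/devices?$select=id,onPremisesSecurityIdentifier"
}

function Test-ODataUri {
    param([Parameter(Mandatory)][string]$Uri)
    # A query option whose name was swallowed by expansion leaves "?=" or "&=" behind.
    if ($Uri -match '[?&]=') {
        throw "Empty query option name in '$Uri' (unescaped `$ in a double-quoted string?)"
    }
    $Uri
}

function Get-EntraDeviceSid {
    # Single-quoted literal: no variable expansion, so $select reaches Graph intact.
    $uri = Test-ODataUri 'https://graph.microsoft.com/v1.0/devices?$select=id,displayName,onPremisesSecurityIdentifier'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType HashTable
        foreach ($d in $page['value']) {
            [pscustomobject]@{
                Id          = $d['id']
                DisplayName = $d['displayName']
                OnPremSid   = $d['onPremisesSecurityIdentifier']  # $null when Graph returns no value
            }
        }
        $uri = $page['@odata.nextLink']   # follow paging until no further link is returned
    }
}

# The broken URI is rejected before any request is sent.
try { Test-ODataUri $expanded } catch { Write-Warning $_.Exception.Message }

# Under strict mode the same mistake fails loudly instead of silently.
try { "https://graph.microsoft.com/v1.0/devices?$select=id" } catch { Write-Warning $_.Exception.Message }

# Requires an existing Connect-MgGraph session that is allowed to read devices:
# Get-EntraDeviceSid | Where-Object OnPremSid
```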
    
