I wanted to share an interesting find I had with a customer today.

We were working on a task to populate some user collections for a deployment and we saw that one collection had a lot more users included than it should have. We figured it must be users coming from Azure AD (AAD) which made me wonder; how could we easily identify only AAD users and use that technique to exclude the unnecessary users from the collection we were creating?

First we tried using the “Agent Name” attribute on the user object. This could in theory work, since it lists the agents used for discovery.

We quickly found that the values of this property were listed as an array of strings and it eventually returned the same result as before. It turns out that WQL doesn’t support querying one exact value of an array. 🙁

We then we started thinking, there must be something that SCCM could grab from an AD user that doesn’t exist on AAD users.

Turns out there is!  On-prem AD users will always have the “DistinguishedName” (DN) attribute where AAD users will not.  AAD users will always have the “AADTenantID” where on-prem AD users will not.
User objects residing in both AD and AAD will fill both these properties with a value.

So, if the “DistinguishedName” value is null and the value of “AADTenantID” is not null, then it must be an exclusive AAD user, right? Exactly!

Only AAD users in one collection, works like a charm!

Keep in mind, the same holds true for exclusive AD users! Just flip the “is null” and “is not null” conditions like this:

I definitely learned something cool today and I hope you did too 😀