Recipe · Entra ID & Identity

Identify What an Unknown Entra ID GUID Refers To

Resolve a mystery GUID to a user, group, app, service principal, role, license, or other directory object, then count assignments

Complexity

Intermediate

Impact

troubleshooting + audit + identity + access-review

Context

Why This Matters

Administrators routinely encounter bare GUIDs in audit logs, sign-in logs, conditional access reports, Intune exports, PowerShell output, and support tickets with no indication of what type of object they refer to. A GUID like 7a896ff9-8734-4cc8-b7d0-cb2c312c96b1 could be any of the following:

  • A user object ID
  • A group object ID
  • An application (App registration) object ID or App ID
  • A service principal object ID or App ID
  • A directory role definition or template ID
  • A license SKU ID
  • An administrative unit ID
  • A conditional access policy ID
  • A managed device (Intune) ID
  • A tenant ID

This recipe provides a deterministic probe sequence that tests the GUID against each object type in Microsoft Graph until one responds with a match and then, if the match is an application or group, counts the users effectively assigned.

Expected Outcomes

After completing this recipe you will have:

  • Positively identified the object type associated with the unknown GUID
  • The human-readable display name and description of the object
  • (If applicable) A deduplicated count of users assigned to the object, including users inherited via nested group membership
  • A repeatable script you can run whenever a mystery GUID appears

Risks & Considerations

Things to watch for

  • App ID vs Object ID collision. An application has two GUIDs: its object id (id) and its app id (appId). The same app's service principal has its own object id but shares the appId. Probe both.
  • SKU filter quirk. subscribedSkus does not support $filter. You must list all SKUs and match client-side.
  • 403 vs 404. A 403 means the token is missing the scope for that resource type (e.g. Policy.Read.All for conditional access), not that the object doesn't exist. Treat 403 as "inconclusive" and continue probing.
  • Group assignments inflate user counts. When counting users assigned to an enterprise app, expand each assigned group to its members and deduplicate; users often appear in multiple assigned groups.
  • Nested groups. /members returns direct members only. Use /transitiveMembers if nested group membership is in use.
  • Do not log the GUID externally until you know what it is; it may reference a privileged role or sensitive service principal.
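The probe sequence described in the Context section, combined with the points above (probing both object id and appId, treating 403 as inconclusive, matching SKUs client-side, and counting users transitively with deduplication), as an added Python example that is not the recipe's own code. It assumes a caller-supplied get(path) function returning (HTTP status, JSON body) and runs offline against a constructed fake tenant; the ids, the "Payroll" service principal and the fake_get helper are made up for the example.

```python
# Added example, not the recipe's own code. get(path) -> (HTTP status, JSON body) is injected so this runs offline
# against the constructed tenant below; a real get would call https://graph.microsoft.com/v1.0 + path with a bearer token.
PROBES = [  # deterministic order; {g} is the unknown GUID, tried both as object id and as appId
    ("user", "/users/{g}"), ("group", "/groups/{g}"), ("application", "/applications/{g}"),
    ("application (by appId)", "/applications?$filter=appId eq '{g}'"),
    ("servicePrincipal", "/servicePrincipals/{g}"),
    ("servicePrincipal (by appId)", "/servicePrincipals?$filter=appId eq '{g}'"),
    ("directoryRole", "/directoryRoles/{g}"), ("administrativeUnit", "/directory/administrativeUnits/{g}"),
    ("roleDefinition", "/roleManagement/directory/roleDefinitions/{g}"),
    ("conditionalAccessPolicy", "/identity/conditionalAccess/policies/{g}"),
    ("managedDevice", "/deviceManagement/managedDevices/{g}"),
]
def identify_guid(guid: str, get) -> dict:
    # 404 means "not this type"; 403 means the token lacks the scope, so the type is recorded as inconclusive, not ruled out
    found = lambda k, o, inc: {"type": k, "id": o.get("id"), "displayName": o.get("displayName"), "inconclusive": inc}
    inconclusive = []
    for kind, path in PROBES:
        status, body = get(path.format(g=guid))
        if status == 403:
            inconclusive.append(kind)
        elif status == 200 and body.get("value", [body]):  # direct object, or non-empty $filter result
            return found(kind, body.get("value", [body])[0], inconclusive)
    status, body = get("/subscribedSkus")  # subscribedSkus rejects $filter: list all, match client-side
    inconclusive += ["subscribedSku"] if status == 403 else []
    for sku in body.get("value", []) if status == 200 else []:
        if sku.get("skuId", "").lower() == guid.lower():
            return found("subscribedSku", {"id": sku["skuId"], "displayName": sku.get("skuPartNumber")}, inconclusive)
    return found(None, {}, inconclusive)
def count_assigned_users(sp_id: str, get) -> int:
    users = set()  # a set, so a user reachable through several assigned groups is counted once
    for a in get(f"/servicePrincipals/{sp_id}/appRoleAssignedTo")[1].get("value", []):
        if a["principalType"] == "User":
            users.add(a["principalId"])
        elif a["principalType"] == "Group":  # transitiveMembers includes nested members; keep users only
            members = get(f"/groups/{a['principalId']}/transitiveMembers")[1].get("value", [])
            users.update(m["id"] for m in members if m.get("@odata.type") == "#microsoft.graph.user")
    return len(users)
# Constructed fake tenant: 'app-1' exists only as a service principal's appId (no app registration),
# assigned to u1 directly and to two groups with overlapping members; CA policy reads are forbidden (403).
U = lambda i: {"@odata.type": "#microsoft.graph.user", "id": i}; A = lambda t, i: {"principalType": t, "principalId": i}
FAKE = {
    "/applications?$filter=appId eq 'app-1'": (200, {"value": []}),
    "/servicePrincipals?$filter=appId eq 'app-1'": (200, {"value": [{"id": "sp-1", "displayName": "Payroll"}]}),
    "/servicePrincipals/sp-1/appRoleAssignedTo": (200, {"value": [A("User", "u1"), A("Group", "g1"), A("Group", "g2")]}),
    "/groups/g1/transitiveMembers": (200, {"value": [U("u1"), U("u2")]}),
    "/groups/g2/transitiveMembers": (200, {"value": [U("u2"), U("u3"), {"@odata.type": "#microsoft.graph.group", "id": "g3"}]}),
    "/subscribedSkus": (200, {"value": [{"skuId": "sku-1", "skuPartNumber": "ENTERPRISEPACK"}]}),
}
def fake_get(path: str) -> tuple[int, dict]:
    return (403, {}) if "/conditionalAccess/" in path else FAKE.get(path, (404, {}))
```

Paging via @odata.nextLink is not handled; a real get should follow it before the match and count logic runs.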

Required Permissions

Permission                                  Why It's Needed
Directory.Read.All                          Read users, groups, applications, service principals, administrative units, and directory roles
Application.Read.All                        Read applications and service principals and their app role assignments
Organization.Read.All                       Read subscribedSkus to identify license SKU IDs
DeviceManagementManagedDevices.Read.All     Read Intune managed devices if the GUID may refer to a device
Policy.Read.All                             Read conditional access policies if the GUID may refer to a CA policy
RoleManagement.Read.Directory               Read directory role definitions and assignments

The fastest way to get this done is to ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Identify what the Entra ID GUID {guid} refers to (user, group, app, service principal, role, SKU, AU, CA policy, or device). Once identified, if it is an application or group, count the total unique users effectively assigned โ€” expanding any assigned groups transitively and deduplicating. Return the object type, display name, and user count.