From cryptic SIDs to clear names: The end of Entra identity confusion

Stella — Wed, 24 Dec 2025 07:50:05 +0000

<\/path><\/svg>"},"no_headings_message":"No headings were found on this page.","minimize_box":"yes","minimized_on":"tablet","hierarchical_view":"yes","min_height":{"unit":"px","size":"","sizes":[]},"min_height_tablet":{"unit":"px","size":"","sizes":[]},"min_height_mobile":{"unit":"px","size":"","sizes":[]}}" data-widget_type="table-of-contents.default">

One of the longest-standing pain points for administrators managing Entra-joined devices is finally being addressed. Starting with Windows Insider build 27881, Microsoft has introduced a long-awaited improvement: Windows can now automatically translate Entra group and Intune role SIDs (like Device Administrators and Company Administrators) into readable names — directly on the device.

The mysterious S-1-12-1 SIDs

If you’ve ever added an Entra group or Intune role to a local Windows group, you probably noticed that instead of a clear name, you were greeted with a cryptic S-1-12-1-xxxx SID.

While Entra users have been properly resolved for years, Entra groups and built-in roles were simply invisible to the Windows local identity system. Even critical roles like “Device Administrators” would just appear as “Unknown Account,” leaving admins guessing who actually had elevated privileges.

To make sense of those SIDs, admins relied on PowerShell scripts or community tools, since Windows itself couldn’t ask Entra who those identities really were.

What’s new in Windows Insider Build 27881

Microsoft has quietly filled that long-missing gap with a new feature known internally as AADSidToNameV2Support.
This enhancement expands the existing SID-to-name lookup process, which previously handled Entra users, to now include groups and roles as well.

Here´s what that means in practice: when Windows encounters an unfamiliar Entra SID – whether a user, group, or role – it now follows a smarter resolution process.

Check the local cache: Windows first looks for the SID in the local identity cache.

Ask Entra if necessary: If it´s not cached, Windows securely queries Entra to identify who that SID belongs to.

Cache the result: Once resolved, the translated name is stored locally so it appears instantly next time – even offline.

This entire process happens quietly in the background, using secure authentication between the device and Entra. The translation data lives under the registry path:

HKLM\SOFTWARE\Microsoft\IdentityStore\Cache\\IdentityCache
The Entra SID-to-Name Endpoint
Under the hood, Windows reaches out to a new Entra endpoint:
https://login.microsoftonline.com//sidtoname

Windows builds a device-signed JSON Web Token (JWT) proving its identity and includes the unknown SID in the request. Entra responds with the corresponding identity name and display information. If the lookup succeeds, Windows updates its local cache – meaning the SID will appear correctly from that point forward. If the lookup fails, the SID remains as-is until it can be resolved.

Backward compatibility with NT4-style names

Some legacy Windows components still expect the classic DOMAIN\User format. To support these, Windows automatically generates a compatible alias (for example, AzureAD\GroupName) using a background process called GenAndPersistNT4StyleName. This makes sure that Entra identities can be displayed consistently across both modern and legacy Windows interfaces.

Before and after: What you’ll see

With the feature disabled, the local Administrators group might show entries like:

S-1-12-1-1234567890-987654321-…

Once AADSidToNameV2Support is enabled, those same entries appear as:

Device Administrators
Company Administrators
apv2_users

In other words, Entra groups and roles now appear exactly as you expect them to – human-readable, accurate, and instantly recognizable.

Why this change matters

This improvement isn’t just about aesthetics. It’s about clarity, manageability, and security. Easier administration – No more guessing which SID corresponds to which Entra group. Better policy targeting – Intune and security baselines can now correctly identify and apply settings to named Entra groups. Improved troubleshooting – Admins can instantly see which cloud identities have local privileges, reducing confusion and potential misconfigurations.

For now, this enhancement is exclusive to Insider builds and hasn’t yet rolled out to the general release versions of Windows 11 (24H2 or 25H2). But it’s a clear signal that Windows is becoming fully Entra-aware, closing the gap between local and cloud identity management.

The bottom line

After years of seeing unintelligible SIDs in the local Administrators group, Windows finally understands Entra identities natively. With AADSidToNameV2Support, Microsoft is delivering what admins have been asking for all along: a readable and accurate view of who’s who on a device – no scripts or workarounds required.

Windows is finally learning to speak Entra fluently and that’s a big win for every IT admin managing cloud-connected devices.

Windows 11 25H2 migration with XOAP

The post From cryptic SIDs to clear names: The end of Entra identity confusion appeared first on XOAP.

microsoft Archives | XOAP