MC1052160 - Microsoft Defender XDR services: Changes to the IdentityInfo table in Advanced Hunting

Service: Microsoft Defender XDR

Published: Apr 10, 2025

Tag: Major change, Feature update, Admin impact

More information

Coming soon: We will unify the Microsoft Defender for Identity (MDI) and Microsoft Sentinel IdentityInfo tables in Advanced Hunting into a single table.

With this unification, we are adding new identity attributes from the Sentinel UEBA service while also adjusting to support third-party Identity Providers (IDPs). Some of these updates include breaking changes, which may require you to update your existing queries.

When this will happen:

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by late May 2025.

How this will affect your organization:

After this rollout, identity-related insights will be enriched with these new columns:

| Column name | Type | Description | Comment |
|---|---|---|---|
| OnPremObjectId | String | Active Directory object ID of the user | New column |
| TenantMembershipType | String | User type in Microsoft Entra ID. Possible values: Guest, Member | New column |
| RiskStatus | String | Status of the user's risk. Possible values: None, ConfirmedSafe, Remediated, Dismissed, AtRisk, ConfirmedCompromised, UnknownFutureValue | New column |
| UserAccountControlSettings | Dynamic | Security attributes of the user account in Active Directory | New column |

To help you adjust existing queries, this table shows how Sentinel UEBA fields map to the new unified IdentityInfo table’s schema:

| Sentinel UEBA Column | Unified IdentityInfo Column | Comments |
|---|---|---|
| AccountCloudSID | CloudSid | |
| AccountSID | OnPremSid | |
| AccountCreationTime | CreatedDateTime | |
| AccountDisplayName | AccountDisplayName | |
| AccountDomain | AccountDomain | Values might be different |
| AccountName | AccountName | Values might be different |
| AccountTenantId | TenantId | |
| AccountUPN | AccountUpn | |
| AdditionalMailAddresses | OtherMailAddresses | |
| MailAddress | EmailAddress | |
| OnPremisesDistinguishedName | DistinguishedName | |
| SAMAccountName | AccountName | |
| StreetAddress | Address | |
| UserType | TenantMembershipType | |

Breaking Changes

Changes to support third-party identity providers (IDPs):

  • To accommodate third-party IDPs, we are modifying these existing columns:

| Column Name | Type | Change |
|---|---|---|
| IdentityEnvironment | String | Replaces the SourceProvider column. Now specifies the environment where the identity is used. Possible values: CloudOnly, Hybrid, On-premises |
| SourceProviders | Dynamic | New column listing identity sources. Possible values: ActiveDirectory, EntraID, Okta |

What you need to do to prepare:

To ensure a smooth transition, we recommend you:

  • Review the new columns and their impact on your security workflows.
  • Prepare to update and adjust any queries, custom alert rules, playbooks, workbooks, watchlists or automations that reference the IdentityInfo table and would be impacted by the changes.
  • You may also want to update any relevant internal documentation you might have.
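
One way to carry out the query review recommended above, as an added example that is not part of the original post and not Microsoft tooling: a small Python audit that flags, in saved KQL text that references IdentityInfo, the columns renamed in the mapping and breaking-changes tables and the two columns whose values might be different. The function name, the sample queries and the wording of the findings are assumptions made for illustration.

```python
import re

# Sentinel UEBA column -> unified IdentityInfo column (mapping table above),
# plus SourceProvider -> IdentityEnvironment from the breaking-changes table.
RENAMED = {
    "AccountCloudSID": "CloudSid", "AccountSID": "OnPremSid",
    "AccountCreationTime": "CreatedDateTime", "AccountTenantId": "TenantId",
    "AccountUPN": "AccountUpn", "MailAddress": "EmailAddress",
    "AdditionalMailAddresses": "OtherMailAddresses",
    "OnPremisesDistinguishedName": "DistinguishedName",
    "SAMAccountName": "AccountName", "StreetAddress": "Address",
    "UserType": "TenantMembershipType", "SourceProvider": "IdentityEnvironment",
}
# Names kept as-is whose values the post says might be different.
VALUES_MAY_DIFFER = {"AccountDomain", "AccountName"}
TOKEN = re.compile(r"[A-Za-z_]\w*")


def audit_query(text):
    """Return (line_no, column, action) findings for one KQL query text.

    A query that never mentions IdentityInfo yields []: names such as UserType
    also exist in other tables, so they are only flagged alongside this table.
    """
    if not re.search(r"\bIdentityInfo\b", text):
        return []
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # drop KQL line comments (crude: ignores strings)
        for tok in dict.fromkeys(TOKEN.findall(code)):  # unique tokens, in order
            if tok in RENAMED:  # exact-case match: KQL identifiers are case-sensitive
                findings.append((no, tok, "rename to " + RENAMED[tok]))
            elif tok in VALUES_MAY_DIFFER:
                findings.append((no, tok, "re-check values"))
    return findings


# Constructed sample queries with hypothetical names, not taken from the post.
SAMPLE_QUERIES = {
    "guest-risk": 'IdentityInfo\n| where UserType == "Guest"  // old name\n'
                  "| project AccountUPN, AccountDomain, SourceProvider, SourceProviders",
    "signin-only": 'SigninLogs\n| where UserType == "Guest"',
}

if __name__ == "__main__":
    for name, query in SAMPLE_QUERIES.items():
        for no, col, action in audit_query(query):
            print(f"{name}:{no}: {col}: {action}")
```

The audit only reports; it does not rewrite queries, because a query that joins IdentityInfo with another table may use the same column name from that other table.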

This rollout will happen automatically by the specified dates with no admin action required before the rollout.

Learn more: IdentityInfo table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn (will be updated before rollout)

Before rollout, we will update this post with new documentation.