check before: 2025-05-01
Product:
Defender, Defender for Identity, Defender XDR, Entra
Platform:
Online, US Instances, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message
Links:
Details:
Summary:
Microsoft Defender XDR will unify the IdentityInfo tables from Microsoft Defender for Identity and Microsoft Sentinel in Advanced Hunting. The update, rolling out in May 2025, includes new identity attributes and support for third-party IDPs, requiring updates to existing queries. New columns and mappings are provided.
Details:
Updated May 19, 2025: We have updated the content. Thank you for your patience.
Coming soon: We will unify the Microsoft Defender for Identity (MDI) and Microsoft Sentinel IdentityInfo tables in Advanced Hunting into a single table.
With this unification, we are adding new identity attributes from the Sentinel UEBA service while also adjusting to support third-party Identity Providers (IDPs). Some of these updates include breaking changes, which may require you to update your existing queries.
[When this will happen:]
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by late May 2025.
Release Phase:
Created:
2025-04-10
updated:
2025-05-20
Direct effects for Operations**
Unification of IdentityInfo Tables
Existing queries may break due to changes in the schema, leading to potential data retrieval issues.
- roles: Security Analyst, IT Administrator
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-identityinfo-table, https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-power-of-a-unified-siemxdr-identityinfo-schema/4410824
Introduction of New Identity Attributes
New identity attributes may not be recognized by existing systems, causing confusion and misinterpretation of data.
- roles: Data Analyst, Security Operations Center (SOC) Analyst
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-identityinfo-table, https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-power-of-a-unified-siemxdr-identityinfo-schema/4410824
Support for Third-Party IDPs
Changes to accommodate third-party IDPs may lead to integration issues with current systems, affecting user access and security monitoring.
- roles: Identity Management Specialist, IT Security Manager
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-identityinfo-table, https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-power-of-a-unified-siemxdr-identityinfo-schema/4410824
Breaking Changes in Existing Columns
Modifications to existing columns may lead to data inconsistencies and require immediate updates to internal documentation and workflows.
- roles: Compliance Officer, IT Support Specialist
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-identityinfo-table, https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-power-of-a-unified-siemxdr-identityinfo-schema/4410824
Need for Query Adjustments
Failure to update queries may result in loss of critical security insights, impacting incident response capabilities.
- roles: Incident Response Team Member, Security Engineer
- references: https://learn.microsoft.com/defender-xdr/advanced-hunting-identityinfo-table, https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-power-of-a-unified-siemxdr-identityinfo-schema/4410824
explanation for non-techies**
Imagine you have a large filing cabinet where you store all your client information. Each drawer represents a different source of information, like your paper files and digital records. Over time, you realize that having separate drawers makes it hard to find everything you need quickly. So, you decide to combine all the relevant documents into one comprehensive folder, making it easier to access and manage.
This is similar to what Microsoft is doing with its Defender XDR services. They are merging two separate tables, the IdentityInfo tables from Microsoft Defender for Identity and Microsoft Sentinel, into a single, unified table. This change is like consolidating all your client files into one folder, making it easier to search and retrieve information.
As part of this update, new identity attributes are being added, and support for third-party identity providers (IDPs) is being included. Think of this as adding new sections to your folder for additional details, like including notes from third-party consultants. This means you'll have more comprehensive information at your fingertips.
However, just like you might need to reorganize your folder or update your filing system to accommodate these changes, you may need to adjust your existing queries and processes. For instance, if you have specific ways of searching through your client files, you might need to tweak those methods to work with the new, unified folder.
Microsoft is also introducing new columns and mappings, which is like adding new tabs or labels to your folder to better categorize and find information. This will enhance the insights you can gain from the data, similar to how having well-organized files can help you quickly understand a client's history and needs.
To ensure a smooth transition, it's recommended to review these changes and prepare to update any related processes or documentation. This is akin to taking a moment to familiarize yourself with the new organization of your filing system to ensure you can continue working efficiently.
These updates will be rolled out automatically, so no immediate action is required on your part. However, being aware of the changes and preparing for them will help you make the most of the new system, just as staying organized helps you manage your client information effectively.
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | Old | New |
| --- | --- | --- | --- |
| 2025-05-20 | MC prepare | To ensure a smooth transition, we recommend you: Review the new columns and their impact on your security workflows. Prepare to update and adjust any queries, custom alert rules, playbooks, workbooks, watchlists or automations that reference the IdentityInfo table and would be impacted by the changes. You may also want to update any relevant internal documentation you might have. This rollout will happen automatically by the specified dates with no admin action required before the rollout. Learn more: IdentityInfo table in the advanced hunting schema - Microsoft Defender XDR \| Microsoft Learn (will be updated before rollout) Before rollout, we will update this post with new documentation. https://learn.microsoft.com/defender-xdr/advanced-hunting-identityinfo-table | To ensure a smooth transition, we recommend you: Review the new columns and their impact on your security workflows. Prepare to update and adjust any queries, custom alert rules, playbooks, workbooks, watchlists or automations that reference the IdentityInfo table and would be impacted by the changes. You may also want to update any relevant internal documentation you might have. This rollout will happen automatically by the specified dates with no admin action required before the rollout. Learn more: IdentityInfo table in the advanced hunting schema - Microsoft Defender XDR \| Microsoft Learn The Power of a Unified SIEM+XDR IdentityInfo Schema \| Microsoft Community Hub https://learn.microsoft.com/defender-xdr/advanced-hunting-identityinfo-table https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-power-of-a-unified-siemxdr-identityinfo-schema/4410824 |
| 2025-05-20 | MC Summary | Microsoft Defender XDR will unify the IdentityInfo tables from Microsoft Defender for Identity and Microsoft Sentinel in Advanced Hunting. The update, rolling out in May 2025, includes new identity attributes and support for third-party IDPs, requiring updates to existing queries. New columns and mappings are provided. | |
| 2025-05-20 | MC Last Updated | 04/10/2025 03:43:39 | 2025-05-19T20:09:41Z |
| 2025-05-20 | MC Messages | Coming soon: We will unify the Microsoft Defender for Identity (MDI) and Microsoft Sentinel IdentityInfo tables in Advanced Hunting into a single table. With this unification, we are adding new identity attributes from the Sentinel UEBA service while also adjusting to support third-party Identity Providers (IDPs). Some of these updates include breaking changes, which may require you to update your existing queries. [When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by late May 2025. | Updated May 19, 2025: We have updated the content. Thank you for your patience. Coming soon: We will unify the Microsoft Defender for Identity (MDI) and Microsoft Sentinel IdentityInfo tables in Advanced Hunting into a single table. With this unification, we are adding new identity attributes from the Sentinel UEBA service while also adjusting to support third-party Identity Providers (IDPs). Some of these updates include breaking changes, which may require you to update your existing queries. [When this will happen:] General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by late May 2025. |
| 2025-05-20 | MC Title | Microsoft Defender XDR services: Changes to the IdentityInfo table in Advanced Hunting | (Updated) Microsoft Defender XDR services: Changes to the IdentityInfo table in Advanced Hunting |
| 2025-05-20 | MC MessageTagNames | Feature update, Admin impact | Updated message, Feature update, Admin impact |
Last updated 2 months ago