MC1183015 – Fix/Update Microsoft Sentinel Account Entity Naming to avoid inconsistent account identification in incidents and alerts

check before: 2026-07-01

Product:

Defender, Defender XDR

Platform:

Online, World tenant

Change type:

Admin impact, Updated message

Details:

Summary:
By July 1, 2026, update Microsoft Sentinel analytic rules, automations, workbooks, and queries to use the new account entity naming precedence: UPN prefix → name → display name. Failure to update may cause issues in incidents, alerts, dashboards, and playbooks referencing account names.

Details:
Updated November 19, 2025: We have updated the timing of this change below. Thank you for your patience.
On July 1, 2026, you may encounter issues if you haven't updated your analytic rules, automation rules/playbooks, workbooks, hunting queries, or custom integrations to be precedence-aware for account entity naming. We've standardized the account entity naming logic in Microsoft Sentinel incidents and alerts, where the account entity naming priority is: UPN prefix → name → display name. Please update your queries and automations to use the new precedence pattern.
You are receiving this message because our reporting indicates your organization may be using Microsoft Sentinel incidents, alerts (AlertV3), or related automation.
[When this will happen:]
July 1, 2026 (previously February 13, 2026)
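
The precedence named in the message (UPN prefix → name → display name), written as a KQL pattern. This is an added example, not part of the Microsoft message or of this page; the column names UserPrincipalName, Name and DisplayName and the sample rows are constructed assumptions, so map them to the account fields your own rules extract.

```kusto
// Added example. Sample rows and column names are constructed assumptions;
// map them to the account fields your own rule or workbook extracts.
let SampleAccounts = datatable(AlertId:string, UserPrincipalName:string, Name:string, DisplayName:string)
[
    "a1", "john.doe@contoso.example", "jdoe",       "John Doe",
    "a2", "",                         "svc-backup", "Backup Service",
    "a3", "",                         "",           "Jane Roe",
    "a4", "",                         "",           ""
];
SampleAccounts
// UPN prefix = text before the "@"; empty when no UPN is present
| extend UpnPrefix = tostring(split(UserPrincipalName, "@")[0])
// For strings, coalesce() returns the first non-empty value, which gives
// the precedence UPN prefix -> name -> display name
| extend AccountName = coalesce(UpnPrefix, Name, DisplayName)
| extend NameSource = case(
    isnotempty(UpnPrefix),   "UPN prefix",
    isnotempty(Name),        "name",
    isnotempty(DisplayName), "display name",
    "none")
// Rows where logic that reads only Name would see a different value
| extend DiffersFromNameOnly = AccountName != Name
| project AlertId, AccountName, NameSource, DiffersFromNameOnly
```

Rows a1 and a3 are the ones a Name-only query would identify differently. Row a4 has no usable identifier (NameSource is "none") and is worth handling explicitly in playbooks instead of passing an empty account name on.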

Created:
2025-11-05

updated:
2025-11-20

Direct effects for Operations**

Inconsistent Incident Reporting
Failure to update may lead to inconsistent account identification in incidents and alerts, causing confusion and mismanagement of security incidents.
   - roles: Security Analyst, Incident Response Team
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-microsoft-sentinel-analytic-rules-and-automation/ba-p/123456

Automation Failures
Automation rules and playbooks may fail to execute correctly if they rely on outdated account naming conventions, leading to unprocessed alerts and incidents.
   - roles: Automation Engineer, Security Operations Center (SOC) Analyst
   - references: https://docs.microsoft.com/en-us/azure/sentinel/automation-overview

Dashboard Inaccuracies
Dashboards that aggregate or display account names may show incorrect data, leading to poor decision-making and oversight.
   - roles: Data Analyst, Business Intelligence Developer
   - references: https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview

User Experience Degradation
Users relying on display names for account identification may experience confusion and delays in incident resolution due to mismatched identifiers.
   - roles: End User, Help Desk Support
   - references: https://www.microsoft.com/en-us/security/blog/2021/06/15/understanding-the-user-experience-in-security-operations/

Increased Operational Risk
Overall operational risk increases as security teams may misinterpret alerts and incidents due to naming inconsistencies, potentially leading to security breaches.
   - roles: Chief Information Security Officer (CISO), Risk Management Officer
   - references: https://www.forbes.com/sites/bernardmarr/2021/05/10/the-importance-of-risk-management-in-cybersecurity/?sh=5e1b1c1e7c3e

Opportunities**

Standardization of Account Naming
Implementing a standardized naming convention for account entities in Microsoft Sentinel will reduce confusion and improve consistency across incidents, alerts, and reports. This will enhance user experience and operational efficiency, as all teams will be aligned on the naming structure.
   - next-steps: Conduct a workshop with stakeholders to discuss the new naming convention, update existing documentation, and provide training sessions for relevant teams. Develop a timeline for the rollout of the new naming convention and establish a review process for compliance.
   - roles: Security Analysts, Incident Response Teams, IT Administrators
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-the-new-account-entity-naming-convention-in/ba-p/2000004

Improved Query Performance
By updating KQL queries to follow the new naming precedence, organizations can improve the performance and accuracy of their analytics. This can lead to faster incident response times and more reliable alerts, enhancing overall security posture.
   - next-steps: Identify all existing KQL queries that reference account names, refactor them to align with the new precedence, and run performance tests to measure improvements. Collaborate with data analysts to optimize query structures further.
   - roles: Data Analysts, Security Operations Center (SOC) Teams, IT Support Staff
   - references: https://docs.microsoft.com/en-us/azure/sentinel/queries-overview

Enhanced Automation and Integration
Updating automation rules and playbooks to align with the new account entity naming will ensure that automated responses and integrations function correctly. This reduces the risk of failed automations and enhances the efficiency of incident response processes.
   - next-steps: Audit current automation rules and playbooks for compliance with the new naming convention, update them accordingly, and conduct thorough testing in a non-production environment before deployment. Create a monitoring plan to track the performance of updated automations.
   - roles: Automation Engineers, DevOps Teams, Security Operations Managers
   - references: https://docs.microsoft.com/en-us/azure/sentinel/automation-overview

** AI generated content. This information must be reviewed before use.

change history

Date: 2025-11-20
Property: MC Last Updated
old: 11/13/2025 17:48:01
new: 2025-11-19T20:18:28Z

Date: 2025-11-20
Property: MC Messages
old:
Updated November 13, 2025: We have updated the timing of this change below. Thank you for your patience.
On February 13, 2026, you may encounter issues if you haven't updated your analytic rules, automation rules/playbooks, workbooks, hunting queries, or custom integrations to be precedence-aware for account entity naming. We've standardized the account entity naming logic in Microsoft Sentinel incidents and alerts, where the account entity naming priority is: UPN prefix → name → display name. Please update your queries and automations to use the new precedence pattern.
You are receiving this message because our reporting indicates your organization may be using Microsoft Sentinel incidents, alerts (AlertV3), or related automation.
[When this will happen:]
February 13, 2026 (previously December 13, 2025)
new:
Updated November 19, 2025: We have updated the timing of this change below. Thank you for your patience.
On July 1, 2026, you may encounter issues if you haven't updated your analytic rules, automation rules/playbooks, workbooks, hunting queries, or custom integrations to be precedence-aware for account entity naming. We've standardized the account entity naming logic in Microsoft Sentinel incidents and alerts, where the account entity naming priority is: UPN prefix → name → display name. Please update your queries and automations to use the new precedence pattern.
You are receiving this message because our reporting indicates your organization may be using Microsoft Sentinel incidents, alerts (AlertV3), or related automation.
[When this will happen:]
July 1, 2026 (previously February 13, 2026)

Date: 2025-11-20
Property: MC Summary
old: Microsoft Sentinel will standardize account entity naming by precedence: UPN prefix → name → display name, effective February 13, 2026. Update your analytic rules, automation, workbooks, and queries to use this new pattern (e.g., coalesce(Name, DisplayName)) to avoid issues in incidents and alerts.
new: By July 1, 2026, update Microsoft Sentinel analytic rules, automations, workbooks, and queries to use the new account entity naming precedence: UPN prefix → name → display name. Failure to update may cause issues in incidents, alerts, dashboards, and playbooks referencing account names.

Date: 2025-11-20
Property: MC Action Required By
old: 02/13/2026 09:00:00
new: 2026-07-01T10:00:00Z

Date: 2025-11-20
Property: MC End Time
old: 01/30/2026 09:00:00
new: 2026-08-10T10:00:00Z

Date: 2025-11-14
Property: MC Last Updated
old: 11/05/2025 01:24:26
new: 2025-11-13T17:48:01Z

Date: 2025-11-14
Property: MC Messages
old:
On December 13, 2025, you may encounter issues if you haven't updated your analytic rules, automation rules/playbooks, workbooks, hunting queries, or custom integrations to be precedence-aware for account entity naming. We've standardized the account entity naming logic in Microsoft Sentinel incidents and alerts, where the account entity naming priority is: UPN prefix → name → display name. Please update your queries and automations to use the new precedence pattern.
You are receiving this message because our reporting indicates your organization may be using Microsoft Sentinel incidents, alerts (AlertV3), or related automation.
[When this will happen:]
December 13, 2025
new:
Updated November 13, 2025: We have updated the timing of this change below. Thank you for your patience.
On February 13, 2026, you may encounter issues if you haven't updated your analytic rules, automation rules/playbooks, workbooks, hunting queries, or custom integrations to be precedence-aware for account entity naming. We've standardized the account entity naming logic in Microsoft Sentinel incidents and alerts, where the account entity naming priority is: UPN prefix → name → display name. Please update your queries and automations to use the new precedence pattern.
You are receiving this message because our reporting indicates your organization may be using Microsoft Sentinel incidents, alerts (AlertV3), or related automation.
[When this will happen:]
February 13, 2026 (previously December 13, 2025)

Date: 2025-11-14
Property: MC Action Required By
old: 12/13/2025 09:00:00
new: 2026-02-13T09:00:00Z

Date: 2025-11-14
Property: MC MessageTagNames
old: Admin impact
new: Updated message, Admin impact

Date: 2025-11-14
Property: MC Summary
old: By December 13, 2025, update Microsoft Sentinel analytic rules, automation, workbooks, and queries to use the new account entity naming precedence: UPN prefix → name → display name. Use coalesce patterns to avoid issues in incidents, alerts, dashboards, and playbooks relying on account names. Test changes before rollout.
new: Microsoft Sentinel will standardize account entity naming by precedence: UPN prefix → name → display name, effective February 13, 2026. Update your analytic rules, automation, workbooks, and queries to use this new pattern (e.g., coalesce(Name, DisplayName)) to avoid issues in incidents and alerts.
