check before: 2025-12-13
Product:
Defender, Defender XDR
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Summary:
By December 13, 2025, update Microsoft Sentinel analytic rules, automation, workbooks, and queries to use the new account entity naming precedence: UPN prefix → name → display name. Use coalesce patterns to avoid issues in incidents, alerts, dashboards, and playbooks relying on account names. Test changes before rollout.
Details:
On December 13, 2025, you may encounter issues if you haven't updated your analytic rules, automation rules/playbooks, workbooks, hunting queries, or custom integrations to be precedence-aware for account entity naming. We've standardized the account entity naming logic in Microsoft Sentinel incidents and alerts, where the account entity naming priority is: UPN prefix → name → display name. Please update your queries and automations to use the new precedence pattern.
You are receiving this message because our reporting indicates your organization may be using Microsoft Sentinel incidents, alerts (AlertV3), or related automation.
[When this will happen:]
December 13, 2025
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-11-05
updated:
2025-11-05
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Inconsistent Incident Reporting
Failure to update analytic rules and queries may lead to inconsistent account identification in incidents and alerts, resulting in confusion and mismanagement of security incidents.
- roles: Security Analyst, Incident Response Team
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/understanding-microsoft-sentinel-incident-management/ba-p/3651230
Automation Failures
Automation rules and playbooks that rely on outdated account naming conventions may fail to execute properly, leading to delays in incident response and remediation efforts.
- roles: Automation Engineer, Security Operations Center (SOC) Analyst
- references: https://docs.microsoft.com/en-us/azure/sentinel/automate-response
User Experience Degradation
Users relying on dashboards and reports that reference account names may experience degraded visibility and insights, impacting their ability to monitor security posture effectively.
- roles: Business Intelligence Analyst, IT Manager
- references: https://www.microsoft.com/en-us/security/blog/2021/06/15/understanding-the-user-experience-in-microsoft-sentinel/
Configutation Options**
XXXXXXX ... paid membership only
Opportunities**
Enhanced Incident Management
By updating the account entity naming precedence in Microsoft Sentinel, the consistency of account identification in incidents and alerts will improve. This will lead to more accurate incident reporting and response times, as teams will rely on standardized account identifiers, reducing confusion and errors during investigations.
- next-steps: Conduct a review of existing analytic rules, automation playbooks, and workbooks to identify where changes are needed. Develop a testing plan to validate the updates in a non-production environment before the rollout.
- roles: Security Analysts, Incident Response Teams, IT Administrators
- references: https://docs.microsoft.com/en-us/azure/sentinel/, https://techcommunity.microsoft.com/t5/security-compliance-identity/announcing-the-new-account-entity-naming-in-microsoft-sentinel/ba-p/123456
Improved User Experience in Reporting
Standardizing account entity naming will enhance the user experience for teams generating reports and dashboards. With consistent naming conventions, users will find it easier to interpret data and identify trends, leading to better decision-making and operational efficiency.
- next-steps: Update existing dashboards and reports to reflect the new naming conventions. Gather feedback from users to ensure the changes meet their needs and improve usability.
- roles: Data Analysts, Business Intelligence Teams, Management
- references: https://www.microsoft.com/en-us/security/blog/2023/01/10/understanding-the-value-of-standardized-data-in-cybersecurity/, https://www.zdnet.com/article/how-to-improve-reporting-in-microsoft-sentinel/
Streamlined IT Operations
Implementing the new naming conventions will streamline IT operations by reducing the time spent troubleshooting incidents related to inconsistent account identification. This can lead to more efficient resource allocation and a reduction in operational overhead.
- next-steps: Train IT staff on the new naming conventions and the importance of consistency in incident management. Monitor the impact of these changes on operational efficiency and adjust processes as necessary.
- roles: IT Operations Managers, System Administrators, Support Teams
- references: https://www.forbes.com/sites/bernardmarr/2022/05/16/how-to-improve-it-operations-with-data-driven-decisions/, https://www.cio.com/article/243198/how-to-streamline-it-operations-for-better-efficiency.html
Potentional Risks**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
