Microsoft Entra’s new linkable token identifiers, now generally available, enable precise tracing of user sessions across Microsoft 365 workloads. This innovation enhances threat detection and incident response by linking authentication events with activities, helping security teams quickly identify and mitigate attacks.

Microsoft Entra’s New Linkable Token Identifiers: A Game Changer for Identity Threat Detection
Microsoft just rolled out linkable token identifiers, now generally available, to boost identity threat detection and response. This new feature lets security teams trace user sessions seamlessly across multiple Microsoft 365 and Microsoft Graph workloads. It’s a major leap for incident response and anomaly detection, especially against threats like remote phishing and malware attacks.
What’s New?
Linkable token identifiers create a unique session ID during authentication. This ID travels with the user’s activity across services like Microsoft Teams, SharePoint Online, Exchange Online, and Microsoft Graph. Instead of juggling complicated table joins, analysts can now track attacker actions precisely within a single session.
“A unique linkable token identifier marks each malicious session started with compromised credentials, distinguishing it from valid sessions.”
This means you get better visibility into how an attacker moves laterally across services after breaching an account. For example, Microsoft Security Research highlighted an Adversary-in-the-Middle (AiTM) attack where stolen credentials were used to create persistent backdoors and exfiltrate data. With linkable tokens, such attacks become easier to detect and investigate.
Major Updates and Benefits
- Logs now include device and session context, not just user accounts.
- Security teams no longer rely on noisy signals like IP addresses to infer device activity.
- Malicious sessions from unfamiliar devices can be quickly flagged as remote phishing attempts.
- Anomalous sessions on trusted devices often hint at local malware infections.
Once a suspicious session is identified, security operations can isolate and analyze it with greater precision. This streamlined approach reduces investigation time and helps contain threats faster.
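As an added illustration (not code from Microsoft or from the original article), the sketch below groups workload events under the sign-in that issued their session ID and flags the session that came from an unfamiliar device. All records and field names are constructed and hypothetical; they are not the real Entra or Microsoft 365 log schema.

```python
# Constructed sample data. Field names (session_id, device_id, ...) are
# hypothetical stand-ins, not the real Entra / Microsoft 365 log columns.
# Both sign-ins share one egress IP on purpose: IP alone cannot separate them.
SIGNINS = [
    {"user": "alice@contoso.example", "session_id": "S-1001",
     "device_id": "DEV-LAPTOP-01", "ip": "198.51.100.10"},
    {"user": "alice@contoso.example", "session_id": "S-2002",
     "device_id": None, "ip": "198.51.100.10"},
]
ACTIVITY = [
    {"session_id": "S-1001", "workload": "Teams", "action": "MessageSent"},
    {"session_id": "S-2002", "workload": "Exchange Online", "action": "New-InboxRule"},
    {"session_id": "S-2002", "workload": "SharePoint Online", "action": "FileDownloaded"},
    {"session_id": "S-2002", "workload": "Microsoft Graph", "action": "GET /me/messages"},
    {"session_id": "S-9999", "workload": "Teams", "action": "MessageSent"},
]
KNOWN_DEVICES = {"alice@contoso.example": {"DEV-LAPTOP-01"}}


def build_timelines(signins, activity):
    """Attach each workload event to the sign-in that issued its session ID."""
    sessions = {s["session_id"]: {**s, "events": []} for s in signins}
    orphans = []
    for ev in activity:
        sess = sessions.get(ev["session_id"])
        if sess is None:
            orphans.append(ev)  # no sign-in for this session in the window
        else:
            sess["events"].append((ev["workload"], ev["action"]))
    return sessions, orphans


def unfamiliar_device_sessions(sessions, known_devices):
    """Return IDs of sessions whose device is not known for that user."""
    return sorted(
        sid for sid, s in sessions.items()
        if s["device_id"] not in known_devices.get(s["user"], set())
    )


if __name__ == "__main__":
    sessions, orphans = build_timelines(SIGNINS, ACTIVITY)
    for sid in unfamiliar_device_sessions(sessions, KNOWN_DEVICES):
        print(f"Suspicious session {sid} for {sessions[sid]['user']}:")
        for workload, action in sessions[sid]["events"]:
            print(f"  {workload}: {action}")
    print(f"Events with no matching sign-in: {len(orphans)}")
```

Events whose session ID has no sign-in record in the queried window are returned separately so they can be reviewed against a longer time range rather than silently dropped.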
Integration with Microsoft Defender XDR
Linkable token identifiers also integrate with Microsoft Defender XDR, linking authentication requests with Microsoft Graph actions. This connection allows SOC teams to trace malicious activity across sessions and identify attack patterns more effectively. Custom detections for future threats become easier to build.
“Authentication requests can now be linked with Microsoft Graph actions, allowing SOCs to trace malicious activity through session IDs.”
Why It Matters for Security Teams
Attackers often target multiple services in complex ways. Sharing identity insights across workloads is crucial. Linkable token identifiers provide that shared context, empowering security teams to respond faster and smarter. For anyone managing Microsoft 365 environments, this feature is a must-have for enhancing threat detection and response capabilities.
To dive deeper, Microsoft offers public documentation and workbooks demonstrating how to leverage these identifiers for investigations. Check out the Microsoft Entra resources to get started.
Stay ahead of identity threats with this powerful new tool from Microsoft Entra. It’s a smart, efficient way to track, analyze, and stop attackers in their tracks.
From the Microsoft Entra Blog articles
