What Changed

The Microsoft Entra ID Assets connector expanded from 7 to 9 data streams, adding the EntraDevices and EntraOrgContacts tables. Configuration names were standardized to match table names (e.g., “Applications” → “EntraApplications”).

Security Impact (Visibility & Fidelity)

The addition of device and organizational contact tables fills visibility gaps in hybrid identity environments:

  • EntraDevices: Enables monitoring of device join/unjoin events, compliance state changes, and stale device detection — critical for device-based lateral movement detection and Zero Trust compliance posture
  • EntraOrgContacts: Provides external contact visibility for external collaboration monitoring and potential social engineering vector identification

Per PR context: these tables support BloodHound graph building for attack path analysis, providing a more complete scope of Entra assets for threat hunting and privilege escalation detection.
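The stale-device and compliance-state use cases listed for EntraDevices above, sketched as an added example that is not part of the connector or the PR. The field names follow the Microsoft Graph device resource and are an assumption about the EntraDevices columns; the 90-day threshold and the sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed threshold, tune to local policy

# Constructed sample rows. Field names follow the Microsoft Graph device
# resource and are an assumption about the EntraDevices table columns.
SAMPLE_DEVICES = [
    {"deviceId": "d-001", "displayName": "LAPTOP-A", "accountEnabled": True,
     "isCompliant": True, "approximateLastSignInDateTime": "2025-05-20T08:00:00Z"},
    {"deviceId": "d-002", "displayName": "LAPTOP-B", "accountEnabled": True,
     "isCompliant": False, "approximateLastSignInDateTime": "2024-11-02T10:30:00Z"},
    {"deviceId": "d-003", "displayName": "KIOSK-C", "accountEnabled": True,
     "isCompliant": None, "approximateLastSignInDateTime": None},
    {"deviceId": "d-004", "displayName": "OLD-D", "accountEnabled": False,
     "isCompliant": False, "approximateLastSignInDateTime": "2023-01-15T00:00:00Z"},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; return None when the field is empty."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_devices(devices, now, stale_after=STALE_AFTER):
    """Return {deviceId: [findings]} for device objects that need review."""
    findings = {}
    for dev in devices:
        notes = []
        last_seen = parse_ts(dev.get("approximateLastSignInDateTime"))
        if last_seen is None:
            notes.append("no-sign-in-recorded")  # never used, or data missing
        elif now - last_seen > stale_after:
            notes.append("stale")
        # Stale or never-seen objects that are still enabled come first in cleanup.
        if notes and dev.get("accountEnabled"):
            notes.append("still-enabled")
        # Treat an unknown compliance state the same as a failed one.
        if dev.get("isCompliant") is not True:
            notes.append("compliance-not-confirmed")
        if notes:
            findings[dev["deviceId"]] = notes
    return findings

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for device_id, notes in triage_devices(SAMPLE_DEVICES, now).items():
        print(device_id, ", ".join(notes))
```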

Data Source Enhancement

The connector now ingests 9 distinct Entra ID asset types:

  • EntraApplications (existing)
  • EntraDevices (new) — registered/joined devices, compliance status
  • EntraGroupMemberships (existing)
  • EntraGroups (existing)
  • EntraMembers (existing)
  • EntraOrgContacts (new) — external organizational contacts
  • EntraOrganizations (existing)
  • EntraServicePrincipals (existing)
  • EntraUsers (existing)

Configuration label standardization eliminates confusion between UI display names and actual table destinations.

Affected Files

Solutions/Microsoft Entra ID Assets/Data Connectors/EntraIDAssets_DataConnectorDefinition.json
(packaging artefacts: 3.0.2.zip, ReleaseNotes.md, Solution_MicrosoftEntraAssets.json, mainTemplate.json)