What Changed
The Microsoft Entra ID Assets connector (v3.1.0) adds two new table types to its ConnectorDefinition, both marked Preview:
- EntraOwners – surfaces ownership relationships across Entra ID objects (groups, applications, service principals, etc.)
- EntraSponsors – surfaces sponsor relationships for guest users, exposing who is responsible for external identity lifecycle
Both tables are added to the connector UI config alongside existing tables: EntraDevices (Preview), EntraGroupMemberships, EntraOrgContacts (Preview), EntraOrganizations, EntraServicePrincipals, EntraUsers.
Security Impact
Ownership and sponsorship relationships in Entra ID are high-value targets for attackers performing identity graph reconnaissance (T1087.004 – Cloud Account Discovery). Specifically:
- EntraOwners enables detection of unexpected ownership additions to high-value objects (e.g., a newly added owner to an application or service principal with broad API permissions is a strong indicator of privilege escalation or persistence – T1098.001)
- EntraSponsors enables monitoring of guest identity sponsorship chains; orphaned or tampered sponsor relationships can indicate guest account abuse (T1078.004 – Cloud Accounts)
Prior to this release, these relationship types were not available through the connector, representing a blind spot in identity graph coverage within Sentinel. Existing detections against EntraServicePrincipals or EntraGroupMemberships could not see ownership chains.
Both tables remain in Preview status – validate field availability and ingestion completeness in your environment before building production detections against them.
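The two detection ideas above (a new owner appearing on an application or service principal, and a guest whose sponsor no longer resolves to an active user) as an added example in Python over constructed snapshots; this is not code from the Entra ID Assets solution, and the column names object_type, object_id, owner_id, guest_id and sponsor_id are assumptions, not the schema of the Preview tables.

```python
# Added example (not code from the Entra ID Assets solution). It models the
# two checks described above over constructed snapshots; the column names
# used here (object_type, object_id, owner_id, guest_id, sponsor_id) are
# assumptions, not the schema of the Preview tables.
from dataclasses import dataclass

# Object types whose owners can grant themselves broad API permissions.
HIGH_VALUE_TYPES = {"application", "servicePrincipal"}

@dataclass(frozen=True)
class Owner:
    object_type: str   # assumed column: type of the owned object
    object_id: str     # assumed column: id of the owned object
    owner_id: str      # assumed column: id of the owning principal

def new_high_value_owners(baseline, current):
    """Return ownership rows present in `current` but not in `baseline`,
    limited to high-value object types. The table surfaces relationships,
    not change events, so a diff against a trusted baseline is required."""
    known = set(baseline)
    return sorted(
        (o for o in current if o not in known and o.object_type in HIGH_VALUE_TYPES),
        key=lambda o: (o.object_type, o.object_id, o.owner_id),
    )

def orphaned_sponsors(sponsors, active_users):
    """Return guest ids whose sponsor is missing or not an active user.
    `sponsors` maps guest_id -> sponsor_id (None when no sponsor is set)."""
    return sorted(g for g, s in sponsors.items() if s is None or s not in active_users)

# Constructed sample snapshots (not real tenant data).
BASELINE = [
    Owner("group", "grp-1", "user-a"),
    Owner("application", "app-1", "user-a"),
]
CURRENT = BASELINE + [
    Owner("application", "app-1", "user-z"),       # new owner on an app: flag
    Owner("servicePrincipal", "sp-9", "user-z"),   # new owner on an SP: flag
    Owner("group", "grp-2", "user-b"),             # group ownership: not flagged
]
SPONSORS = {"guest-1": "user-a", "guest-2": "user-gone", "guest-3": None}
ACTIVE_USERS = {"user-a", "user-b", "user-z"}

if __name__ == "__main__":
    for o in new_high_value_owners(BASELINE, CURRENT):
        print(f"new owner {o.owner_id} on {o.object_type} {o.object_id}")
    print("guests with orphaned sponsors:", orphaned_sponsors(SPONSORS, ACTIVE_USERS))
```

In a Sentinel deployment the same diff would be expressed as a KQL query joining a scheduled EntraOwners snapshot against a stored baseline, once the Preview columns have been validated in the tenant.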
Affected Files
Solutions/Microsoft Entra ID Assets/Data Connectors/EntraIDAssets_DataConnectorDefinition.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_MicrosoftEntraAssets.json, mainTemplate.json)