What Changed
The Microsoft Entra ID Assets connector definition (EntraIDAssets_DataConnectorDefinition.json) has been updated to add EntraEligibleMembers (tagged Preview) to the connector items array. This surfaces a new checkbox in the Content Hub connector configuration portal, allowing operators to enable ingestion of Entra PIM eligible role membership data.
The items array now includes, shown here with its alphabetical neighbours:
- EntraDevices (Preview)
- EntraEligibleMembers (Preview) – new
- EntraGroupMemberships
Security Impact (Visibility and Fidelity)
EntraEligibleMembers captures principals that hold eligible (not yet activated) Privileged Identity Management role assignments. Without this table:
- Analysts had no direct Sentinel query surface for who is eligible to activate high-privilege roles such as Global Administrator or Security Administrator.
- Hunting for PIM-activation-based privilege escalation (T1078.004, lateral movement via eligible-to-active role transitions) required external tooling or Graph API queries outside Sentinel.
With this table enabled, detection engineers can correlate PIM activation events (AuditLogs) against the set of eligible principals to identify unexpected activation patterns or expansions of the eligible membership pool.
Note: The table is tagged Preview – schema stability and completeness should be validated before building production-grade detection logic against it.
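The correlation described above, reduced to its core logic as an added example (not code from the Entra ID Assets solution): the record shapes and sample data are constructed, since the EntraEligibleMembers schema is Preview, and a production version would be a KQL join between EntraEligibleMembers and AuditLogs using the verified column names.

```python
"""Correlate PIM activation events with eligible-membership snapshots.

Two checks: (1) activations by principals that were never eligible for the role,
(2) activations by principals that only became eligible in the latest snapshot,
plus a diff of the eligible pool itself. Field names are assumptions, not the
real table schema.
"""

# Constructed sample: eligible (principal, role) pairs at two snapshot times.
ELIGIBLE_BASELINE = {
    ("user-alice", "Global Administrator"),
    ("user-bob", "Security Administrator"),
}
ELIGIBLE_LATEST = ELIGIBLE_BASELINE | {("user-mallory", "Global Administrator")}

# Constructed sample: simplified PIM activation events (AuditLogs-like).
ACTIVATIONS = [
    {"principal": "user-alice", "role": "Global Administrator", "result": "success"},
    {"principal": "user-carol", "role": "Security Administrator", "result": "success"},
    {"principal": "user-mallory", "role": "Global Administrator", "result": "success"},
    {"principal": "user-carol", "role": "Global Administrator", "result": "failure"},
]


def eligible_pool_expansion(baseline, latest):
    """Return (principal, role) pairs added to the eligible pool since the baseline."""
    return latest - baseline


def unexpected_activations(activations, baseline, newly_eligible=frozenset()):
    """Flag successful activations that do not match the eligible baseline.

    Returns a list of ((principal, role), reason) with reason 'not_eligible'
    when the pair is absent from both sets, or 'newly_eligible' when the
    grant appeared only in the latest snapshot (worth reviewing who granted it).
    """
    findings = []
    for event in activations:
        if event["result"] != "success":
            continue  # failed activations are noise for this check
        key = (event["principal"], event["role"])
        if key in newly_eligible:
            findings.append((key, "newly_eligible"))
        elif key not in baseline:
            findings.append((key, "not_eligible"))
    return findings


if __name__ == "__main__":
    added = eligible_pool_expansion(ELIGIBLE_BASELINE, ELIGIBLE_LATEST)
    for finding in unexpected_activations(ACTIVATIONS, ELIGIBLE_BASELINE, added):
        print(finding)
```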
Affected Files
Solutions/Microsoft Entra ID Assets/Data Connectors/EntraIDAssets_DataConnectorDefinition.json
(packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_MicrosoftEntraAssets.json, mainTemplate.json)