http://sentinelchangelog.net/tags/microsoft-entra-id/Recent content in Microsoft Entra ID on sentinelchangelog.netHugo -- 0.157.0enWed, 03 Jun 2026 06:01:01 +0000http://sentinelchangelog.net/posts/2026-06-03-pr-14326/Wed, 03 Jun 2026 06:01:01 +0000http://sentinelchangelog.net/posts/2026-06-03-pr-14326/Agent 365 solution adds new Microsoft Agent Identities connector for tracking agent blueprints and non-human identity assets across four data tables.http://sentinelchangelog.net/posts/2026-05-29-pr-14299/Fri, 29 May 2026 10:56:48 +0000http://sentinelchangelog.net/posts/2026-05-29-pr-14299/Three new hunting queries target Midnight Blizzard-style persistence patterns — service principal credential staging, privileged role assignments to new accounts, and Temporary Access Pass abuse.http://sentinelchangelog.net/posts/2026-05-28-pr-14307/Thu, 28 May 2026 11:14:14 +0000http://sentinelchangelog.net/posts/2026-05-28-pr-14307/Added three hunting queries targeting identity boundary expansion techniques in Entra ID that escalate privileges without creating new accounts.http://sentinelchangelog.net/posts/2026-05-27-pr-14339/Wed, 27 May 2026 13:42:33 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14339/Adds three-query pack detecting legacy auth bypass, guest account abuse, and post-reset privileged operations.http://sentinelchangelog.net/posts/2026-05-27-pr-14335/Wed, 27 May 2026 13:41:06 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14335/Adds hunting pack targeting device code phishing, service principal persistence, and bulk password resets by privileged actors.http://sentinelchangelog.net/posts/2026-05-27-pr-14334/Wed, 27 May 2026 13:38:30 +0000http://sentinelchangelog.net/posts/2026-05-27-pr-14334/Corrects broken hunting query that returned no results due to incorrect property name filter.http://sentinelchangelog.net/posts/2026-05-26-pr-14311/Tue, 26 May 2026 08:14:04 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14311/Three hunting queries detect multi-event attack chains in Entra ID—privileged role grants followed by SP credential additions and MFA disabling followed by sign-ins from unknown IPs.http://sentinelchangelog.net/posts/2026-05-26-pr-14240/Tue, 26 May 2026 06:12:52 +0000http://sentinelchangelog.net/posts/2026-05-26-pr-14240/Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments.http://sentinelchangelog.net/posts/2026-05-21-pr-14281/Thu, 21 May 2026 12:50:47 +0000http://sentinelchangelog.net/posts/2026-05-21-pr-14281/New hunting pack targeting workload identity abuse and privileged role assignment anomalies with coverage gaps for service principal credential theft and PIM bypass techniques.http://sentinelchangelog.net/posts/2026-05-19-pr-14262/Tue, 19 May 2026 10:09:11 +0000http://sentinelchangelog.net/posts/2026-05-19-pr-14262/Three new hunting queries correlate AuditLogs and SigninLogs to surface post-compromise identity patterns using baseline-driven anomaly detection.http://sentinelchangelog.net/posts/2026-05-18-pr-14186/Mon, 18 May 2026 05:36:36 +0000http://sentinelchangelog.net/posts/2026-05-18-pr-14186/12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references.http://sentinelchangelog.net/posts/2026-05-13-pr-14239/Wed, 13 May 2026 10:29:56 +0000http://sentinelchangelog.net/posts/2026-05-13-pr-14239/Five hunting queries expose OAuth consent abuse, privileged escalation, and Conditional Access evasion used in Midnight Blizzard and Storm-0558 campaigns.http://sentinelchangelog.net/posts/2026-05-12-pr-14108/Tue, 12 May 2026 08:58:14 +0000http://sentinelchangelog.net/posts/2026-05-12-pr-14108/Updated CorrelateIPC_Unfamiliar-Atypical rule adds filtering to exclude admin-triggered atypical travel alerts, improving detection precision.http://sentinelchangelog.net/posts/2026-05-07-pr-14213/Thu, 07 May 2026 10:51:04 +0000http://sentinelchangelog.net/posts/2026-05-07-pr-14213/Identifies service principal credential additions by actors not observed performing these operations in the previous 90 days, targeting persistence techniques.http://sentinelchangelog.net/posts/2026-05-07-pr-14208/Thu, 07 May 2026 10:50:43 +0000http://sentinelchangelog.net/posts/2026-05-07-pr-14208/Correlates failed sign-ins across multiple identities followed by successful authentication from the same IP within 15 minutes, targeting password spraying patterns.http://sentinelchangelog.net/posts/2026-05-07-pr-14207/Thu, 07 May 2026 10:50:16 +0000http://sentinelchangelog.net/posts/2026-05-07-pr-14207/Surfaces rapid ASN changes between interactive and non-interactive sign-ins within 10 minutes, indicating potential post-compromise token misuse.http://sentinelchangelog.net/posts/2026-04-30-pr-14162/Thu, 30 Apr 2026 11:04:41 +0000http://sentinelchangelog.net/posts/2026-04-30-pr-14162/Analytic rule renamed from Cloud PC-specific to cover all Entra-authenticated Windows devices, clarifying detection scope without logic changes.http://sentinelchangelog.net/posts/2026-04-14-pr-14016/Tue, 14 Apr 2026 10:34:59 +0000http://sentinelchangelog.net/posts/2026-04-14-pr-14016/New watchlist filters out 7 known-benign status codes from Conditional Access bypass detection to reduce false positives from legitimate MFA prompts and session expiration events.http://sentinelchangelog.net/posts/2026-04-13-pr-14049/Mon, 13 Apr 2026 10:07:13 +0000http://sentinelchangelog.net/posts/2026-04-13-pr-14049/Critical improvements to AccountCreatedandDeletedinShortTimeframe rule extend detection window to 7 days and use immutable UserID correlation to prevent timing-based evasion techniques.http://sentinelchangelog.net/posts/2026-03-11-pr-13766/Wed, 11 Mar 2026 05:07:17 +0000http://sentinelchangelog.net/posts/2026-03-11-pr-13766/Two new asset tables (EntraDevices, EntraOrgContacts) added to Microsoft Entra ID connector for BloodHound graph building and complete asset enumeration.http://sentinelchangelog.net/posts/2026-02-06-pr-13510/Fri, 06 Feb 2026 09:21:39 +0000http://sentinelchangelog.net/posts/2026-02-06-pr-13510/Customer-reported broken links fixed in analytic rule descriptions with corrected MITRE technique references and restored documentation.http://sentinelchangelog.net/posts/2025-12-19-pr-13313/Fri, 19 Dec 2025 20:29:56 +0000http://sentinelchangelog.net/posts/2025-12-19-pr-13313/New Conditional Access SISM workbook added to provide comprehensive CA policy monitoring and Zero Trust analytics.http://sentinelchangelog.net/posts/2025-12-17-pr-13298/Wed, 17 Dec 2025 05:28:36 +0000http://sentinelchangelog.net/posts/2025-12-17-pr-13298/New compliance monitoring solution provides IT systems change tracking and segregation of duties controls for Sarbanes-Oxley compliance programs.http://sentinelchangelog.net/posts/2025-12-15-pr-13236/Mon, 15 Dec 2025 12:07:03 +0000http://sentinelchangelog.net/posts/2025-12-15-pr-13236/Updates Revoke-AADSignInSessions playbook documentation to use correct User.RevokeSessions.All permissions instead of broader User.ReadWrite.All.http://sentinelchangelog.net/posts/2025-10-29-pr-12955/Wed, 29 Oct 2025 08:22:42 +0000http://sentinelchangelog.net/posts/2025-10-29-pr-12955/Fixed typo in Microsoft Entra ID Assets connector title and updated description to use correct Microsoft Sentinel branding.http://sentinelchangelog.net/posts/2025-10-09-pr-12933/Thu, 09 Oct 2025 12:04:16 +0000http://sentinelchangelog.net/posts/2025-10-09-pr-12933/New GDPR Compliance solution adds workbook consolidating privacy risk signals from Defender XDR, Microsoft Purview, Azure SQL, and Entra ID.http://sentinelchangelog.net/posts/2025-09-25-pr-12810/Thu, 25 Sep 2025 05:53:40 +0000http://sentinelchangelog.net/posts/2025-09-25-pr-12810/New Microsoft Entra ID Assets connector provides supplemental asset data for enhanced activity insights and data risk graph capabilities in Microsoft Purview.http://sentinelchangelog.net/posts/2025-09-23-pr-12770/Tue, 23 Sep 2025 10:02:25 +0000http://sentinelchangelog.net/posts/2025-09-23-pr-12770/Entra ID connector updated to remove preview designations from data types that have reached general availability.http://sentinelchangelog.net/posts/2025-08-29-pr-12717/Fri, 29 Aug 2025 08:18:56 +0000http://sentinelchangelog.net/posts/2025-08-29-pr-12717/Microsoft Entra ID Conditional Access detection rules updated to fix lookbackDuration format preventing rule deployment in Microsoft Sentinel workspaces.