(Updated) Microsoft Defender XDR services: Changes to the IdentityInfo table in Advanced Hunting

Message Center ID: MC1052160

Service Microsoft Defender XDR

Category Plan for Change

Tags Major Change Feature update Admin impact

Rollout May 2025

Summary

Microsoft Defender XDR will unify the IdentityInfo tables from Microsoft Defender for Identity and Microsoft Sentinel in Advanced Hunting. The update, rolling out in May 2025, includes new identity attributes and support for third-party IDPs, requiring updates to existing queries. New columns and mappings are provided.

Details

Updated May 19, 2025: We have updated the content. Thank you for your patience.

Coming soon: We will unify the Microsoft Defender for Identity (MDI) and Microsoft Sentinel IdentityInfo tables in Advanced Hunting into a single table.

With this unification, we are adding new identity attributes from the Sentinel UEBA service while also adjusting to support third-party Identity Providers (IDPs). Some of these updates include breaking changes, which may require you to update your existing queries.

[When this will happen:]

General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by late May 2025.

[How this will affect your organization:]

After this rollout, identity-related insights will be enriched with these new columns:

Column name	Type	Description	Comment
`OnPremObjectId`	String	Active Directory object ID of the user	New column
`TenantMembershipType`	String	User type in Microsoft Entra ID. Possible values: `Guest`, `Member`	New column
`RiskStatus`	String	Status of the user's risk. Possible values: `None`, `ConfirmedSafe`, `Remediated`, `Dismissed`, `AtRisk`, `ConfirmedCompromised`, `UnknownFutureValue`	New column
`UserAccountControlSettings`	Dynamic	Security attributes of the user account in Active Directory	New column

To help you adjust existing queries, this table shows how Sentinel UEBA fields map to the new unified IdentityInfo table’s schema:

Sentinel UEBA Column	Unified `IdentityInfo` Column	Comments
`AccountCloudSID`	`CloudSid`
`AccountSID`	`OnPremSid`
`AccountCreationTime`	`CreatedDateTime`
`AccountDisplayName`	`AccountDisplayName`
`AccountDomain`	`AccountDomain`	Values might be different
`AccountName`	`AccountName`	Values might be different
`AccountTenantId`	`TenantId`
`AccountUPN`	`AccountUpn`
`AdditionalMailAddresses`	`OtherMailAddresses`
`MailAddress`	`EmailAddress`
`OnPremisesDistinguishedName`	`DistinguishedName`
`SAMAccountName`	`AccountName`
`StreetAddress`	`Address`
`UserType`	`TenantMembershipType`

Breaking Changes

Changes to support third-party identity providers (IDPs):

To accommodate third-party IDPs, we are modifying these existing columns:

Column Name	Type	Change
`IdentityEnvironment`	String	Replaces the `SourceProvider` column. Specifies now the environment where the identity is used. Possible values: `CloudOnly`, `Hybrid`, `On-premises`
`SourceProviders`	Dynamic	New column listing identity sources. Possible values: `ActiveDirectory`, `EntraID`, `Okta`

[What you need to do to prepare:]

To ensure a smooth transition, we recommend you:

Review the new columns and their impact on your security workflows.
Prepare to update and adjust any queries, custom alert rules, playbooks, workbooks, watchlists or automations that reference the IdentityInfo table and would be impacted by the changes.
You may also want to update any relevant internal documentation you might have.

This rollout will happen automatically by the specified dates with no admin action required before the rollout.

Learn more:

Change History

Published: April 10, 2025

Last Updated: May 19, 2025

No change history available

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.

View Full Details Sign Up Free