Microsoft Entra Blog

Strengthen identity threat detection and response with linkable token identifiers

Jul 21, 2025

Linkable token identifiers now GA to trace user sessions across multiple Microsoft 365 and Microsoft Graph workloads to improve security investigations

We’re announcing the general availability of linkable token identifiers, which let you trace a user’s session across workloads from a specific authentication event. This feature improves incident response and anomaly detection, helping mitigate threats like remote phishing and malware attacks. Linkable token identifiers are now available for:

  • Microsoft Entra sign-in logs
  • Microsoft Exchange Online audit logs
  • Microsoft Graph activity logs
  • Microsoft Teams audit logs
  • Microsoft SharePoint Online audit logs

In a case studied by Microsoft Security Research (see Figure A), an attacker used an Adversary in the Middle (AiTM) technique to steal credentials from a user lacking phishing-resistant authentication. After gaining access, the attacker started a new session, moved laterally to Microsoft Graph, and created applications for persistence and data exfiltration.

Figure A: AiTM attack graph.

Previously, SOC identity threat hunters relied on complex table joins to track attacks, often with limited accuracy. Now, a unique linkable token identifier marks each malicious session started with compromised credentials, distinguishing it from valid sessions. This enables precise tracing of attacker actions across services like Microsoft Graph, which streamlines investigation and mitigation and reduces the time analysts spend on them.

Malicious activity from an unfamiliar device usually signals a remote phishing attack, while similar actions from a trusted device often suggest local malware infection.

Most application logs identify only the user account, omitting device or session context. The linkable token identifiers feature enriches logs with device session information, eliminating the need to rely on noisy signals like IP addresses to infer device activity. Once a compromised device or session is identified, security operations teams can isolate and analyze the activity for that session to determine the attacker’s actions with greater precision.


Flow diagram

The diagram below illustrates how linkable token identifiers are implemented using a Session ID in logs, which is the property that contains the linkable token identifier. It depicts a user authenticating and then performing actions across Microsoft 365 services—collaborating in Teams, accessing a SharePoint Online site, and retrieving mailbox data from Exchange Online.

A Session ID is generated during the initial authentication and is embedded in all subsequent authentication tokens used by workloads accessed from that device. These workloads then log both the User ID and the Session ID, enabling precise correlation of activity to a specific session.

How linkable token identifiers are implemented using a Session ID across the logs. 

Here is an example of Entra sign-in logs featuring Session IDs for the user. Let’s select one session by Session ID and track all the workload activities by the specific session ID.

An example of Entra ID sign-in logs featuring Session IDs for the user.

Here’s a filtered view of workload audit logs from the user’s activities on Teams, SharePoint Online, and Exchange Online for the Session ID from the Entra sign-in log above.

A filtered view of workload audit logs from the user’s activities.
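The correlation described above (pick one Session ID from the Entra sign-in log, then pull every workload action carrying that Session ID, and use the sign-in's device context to decide between the remote-phishing and local-malware hypotheses) as an added example; this is not code from the post or from Microsoft. Sign-in field names follow the Microsoft Graph signIn resource (sessionId, uniqueTokenIdentifier, deviceDetail); the workload audit field names (CreationTime, Workload, Operation, SessionId) and all record values are constructed for this example.

```python
"""Correlate one sign-in session across workload audit logs by Session ID."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real tenant data). Field names on the audit
# side are an assumption for this example, not a documented schema.
SIGNIN_LOGS = [
    {"createdDateTime": "2025-07-21T08:00:05Z", "userPrincipalName": "alice@contoso.example",
     "sessionId": "sess-1111", "uniqueTokenIdentifier": "uti-aaa1", "ipAddress": "203.0.113.10",
     "deviceDetail": {"deviceId": "dev-corp-01", "isManaged": True}},
    {"createdDateTime": "2025-07-21T09:12:40Z", "userPrincipalName": "alice@contoso.example",
     "sessionId": "sess-2222", "uniqueTokenIdentifier": "uti-bbb2", "ipAddress": "198.51.100.77",
     "deviceDetail": {"deviceId": "", "isManaged": False}},
]
WORKLOAD_AUDIT = [
    {"CreationTime": "2025-07-21T08:01:10Z", "Workload": "MicrosoftTeams", "Operation": "MessageSent", "SessionId": "sess-1111"},
    {"CreationTime": "2025-07-21T08:03:55Z", "Workload": "SharePoint", "Operation": "FileAccessed", "SessionId": "sess-1111"},
    {"CreationTime": "2025-07-21T09:13:02Z", "Workload": "Exchange", "Operation": "MailItemsAccessed", "SessionId": "sess-2222"},
    {"CreationTime": "2025-07-21T09:15:30Z", "Workload": "MicrosoftGraph", "Operation": "CreateApplication", "SessionId": "sess-2222"},
    # Constructed event without a Session ID: it cannot be linked and must not be attributed to any session.
    {"CreationTime": "2025-07-21T09:16:00Z", "Workload": "Exchange", "Operation": "New-InboxRule", "SessionId": ""},
]

def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def session_timeline(session_id, signins, audit):
    """Return the sign-in that started `session_id` and its workload actions, oldest first."""
    root = next((s for s in signins if s["sessionId"] == session_id), None)
    if root is None:
        raise KeyError(f"no sign-in found for session {session_id}")
    actions = sorted((a for a in audit if a.get("SessionId") == session_id),
                     key=lambda a: _ts(a["CreationTime"]))
    return root, actions

def classify_session(root):
    """Heuristic from the post: an unfamiliar or unmanaged device points to remote
    phishing (AiTM); a trusted device points to local malware."""
    dev = root.get("deviceDetail", {})
    if dev.get("isManaged") and dev.get("deviceId"):
        return "trusted-device"
    return "unfamiliar-device"

def sessions_by_workload(audit):
    """Map each Session ID to the workloads it touched, skipping events that carry no Session ID."""
    idx = defaultdict(set)
    for a in audit:
        if a.get("SessionId"):
            idx[a["SessionId"]].add(a["Workload"])
    return dict(idx)
```

Starting from the sign-in row rather than from an IP address is the point: the second session is tied to its Exchange and Graph actions by the identifier alone, and the unlinked inbox-rule event is correctly left out instead of being guessed in.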

Attacks are often complex and target multiple surface areas, making it crucial to share identity insights with security teams. In Microsoft Defender XDR (shown here), authentication requests can now be linked with Microsoft Graph actions, allowing SOCs to trace malicious activity through session IDs. This helps identify attack patterns and aids in creating custom detections for future threats.

Microsoft Defender XDR linking authentication requests with Microsoft Graph actions.

To explore a variety of usage scenarios and access a workbook that demonstrates how to leverage linkable identifiers for investigation and correlation, please refer to the public documentation at Linkable identifiers.

-- Eric Sachs


Contributor: Alex Kolmann, Senior Security Researcher, Microsoft


Updated Jul 21, 2025
Version 1.0

3 Comments

  • 
    PSCCH
    Copper Contributor

    Session IDs and unique token identifiers were already used by incident responders in the past. I am really happy to read that Microsoft now wants to actively support this use case. Though, can you elaborate what exactly is new and GA now? Since session IDs and unique token identifiers already existed before, I assume Microsoft now works on ensuring that these identifiers are part of every log? Previously these identifiers were missing in e.g. many Teams Audit Log events.

    • With this release we have made sure every Entra token has a session ID for every root authentication by default, and it is also logged in Entra sign-in logs. Also, workloads now log the UTI and session ID in their logs, so admins can start with Entra and join across workload logs to track all the activities performed in a session.

  • 
    Tuan_Trieu
    Copper Contributor

    Thank you, this feature is really helpful for investigation and incident response.