Linkable token identifiers now GA to trace user sessions across multiple Microsoft 365 and Microsoft Graph workloads to improve security investigations
We’re announcing the general availability of linkable token identifiers, which let you trace a user’s session across workloads from a specific authentication event. This feature improves incident response and anomaly detection, helping mitigate threats like remote phishing and malware attacks. Linkable token identifiers are now available for:
- Microsoft Entra sign-in logs
- Microsoft Exchange Online audit logs
- Microsoft Graph activity logs
- Microsoft Teams audit logs
- Microsoft SharePoint Online audit logs
In a case studied by Microsoft Security Research (see Figure A), an attacker used an Adversary in the Middle (AiTM) technique to steal credentials from a user lacking phishing-resistant authentication. After gaining access, the attacker started a new session, moved laterally to Microsoft Graph, and created applications for persistence and data exfiltration.
Figure A: AiTM attack graph.
Previously, SOC identity threat hunters relied on complex table joins to track attacks, often with limited accuracy. Now, a unique linkable token identifier marks each malicious session started with compromised credentials, distinguishing it from valid sessions. This enables precise tracing of attacker actions across services like Microsoft Graph, streamlining investigation and mitigation and reducing the time analysts spend on them.
Malicious activity from an unfamiliar device usually signals a remote phishing attack, while similar actions from a trusted device often suggest local malware infection.
Most application logs identify only the user account, omitting device or session context. The linkable token identifiers feature enriches logs with device session information, eliminating the need to rely on noisy signals like IP addresses to infer device activity. Once a compromised device or session is identified, security operations teams can isolate and analyze the activity for that session to determine the attacker’s actions with greater precision.
Flow diagram
The diagram below illustrates how linkable token identifiers are implemented: the Session ID property in each log is what carries the linkable token identifier. It depicts a user authenticating and then performing actions across Microsoft 365 services: collaborating in Teams, accessing a SharePoint Online site, and retrieving mailbox data from Exchange Online.
A Session ID is generated during the initial authentication and is embedded in all subsequent authentication tokens used by workloads accessed from that device. These workloads then log both the User ID and the Session ID, enabling precise correlation of activity to a specific session.
How linkable token identifiers are implemented using a Session ID across the logs.
Here is an example of Entra sign-in logs featuring Session IDs for the user. We select one session by its Session ID and then track all workload activity that carries that same Session ID.
An example of Entra ID sign-in logs featuring Session IDs for the user.
Here’s a filtered view of workload audit logs from the user’s activities on Teams, SharePoint Online, and Exchange Online, filtered to the Session ID from the Entra sign-in log above.
A filtered view of workload audit logs from the user’s activities.
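The Session ID correlation described in the flow diagram and shown in the filtered view above, as an added Python example that is not part of Microsoft's post or product: it indexes constructed sign-in records by Session ID, pulls every workload event carrying one of those IDs into an ordered timeline, and also surfaces Session IDs that appear in workload logs without a matching sign-in. The field names are assumptions for illustration, not the real schema of any log.

```python
# Added example, not Microsoft's code. Field names (timestamp, user_id,
# session_id, workload, operation, device_trusted) are assumptions, not
# any product's log schema; every record below is a constructed sample.
# One user, two sign-ins, so two Session IDs minted at authentication.
SIGNIN_LOGS = [
    {"timestamp": "2024-05-01T08:00:00Z", "user_id": "u-1",
     "session_id": "sid-aaa", "device_trusted": True},
    {"timestamp": "2024-05-01T09:30:00Z", "user_id": "u-1",
     "session_id": "sid-bbb", "device_trusted": False},
]
# Workload audit records; each carries the Session ID embedded in the
# token that was presented to that workload.
WORKLOAD_LOGS = [
    {"timestamp": "2024-05-01T08:05:00Z", "session_id": "sid-aaa",
     "workload": "Teams", "operation": "MessageSent"},
    {"timestamp": "2024-05-01T08:10:00Z", "session_id": "sid-aaa",
     "workload": "SharePoint", "operation": "FileAccessed"},
    {"timestamp": "2024-05-01T09:40:00Z", "session_id": "sid-bbb",
     "workload": "Exchange", "operation": "MailItemsAccessed"},
    {"timestamp": "2024-05-01T09:35:00Z", "session_id": "sid-bbb",
     "workload": "Graph", "operation": "ApplicationCreated"},
    {"timestamp": "2024-05-01T09:41:00Z", "session_id": "sid-ccc",
     "workload": "Exchange", "operation": "MailItemsAccessed"},
]

def sessions_for_user(signins, user_id):
    """Map each Session ID the user obtained to the sign-in that minted it."""
    return {s["session_id"]: s for s in signins if s["user_id"] == user_id}

def session_timeline(events, session_id):
    """Every workload event carrying one Session ID, in time order."""
    return sorted((e for e in events if e["session_id"] == session_id),
                  key=lambda e: e["timestamp"])

def investigate(signins, events, user_id):
    """Per session: origin sign-in, workloads reached, operations, device hint."""
    report = {}
    for sid, signin in sessions_for_user(signins, user_id).items():
        timeline = session_timeline(events, sid)
        report[sid] = {
            "signed_in_at": signin["timestamp"],
            "workloads": sorted({e["workload"] for e in timeline}),
            "operations": [f'{e["workload"]}:{e["operation"]}' for e in timeline],
            "device_hint": ("trusted" if signin["device_trusted"] else "unfamiliar") + " device",
        }
    return report

def unmatched_sessions(signins, events):
    """Session IDs in workload logs with no matching sign-in: a coverage or retention gap to flag."""
    return {e["session_id"] for e in events} - {s["session_id"] for s in signins}
```

The device hint follows the post's heuristic only (unfamiliar device points toward remote phishing, trusted device toward local malware); it is a triage cue, not a verdict.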
Attacks are often complex and target multiple surface areas, making it crucial to share identity insights with security teams. In Microsoft Defender XDR (shown here), authentication requests can now be linked with Microsoft Graph actions, allowing SOCs to trace malicious activity through session IDs. This helps identify attack patterns and aids in creating custom detections for future threats.
Microsoft Defender XDR linking authentication requests with Microsoft Graph actions.
To explore a variety of usage scenarios and access a workbook that demonstrates how to leverage linkable identifiers for investigation and correlation, please refer to the public documentation at Linkable identifiers.
-- Eric Sachs
Contributor: Alex Kolmann, Senior Security Researcher, Microsoft
Additional resources
- Track and investigate identity activities with linkable identifiers in Microsoft Entra | Microsoft Learn
- What are Microsoft Entra sign-in logs? | Microsoft Learn