It’s the Friday, before the weekend, just prior to a major Microsoft Sentinel feature update. Did you know that?
Well, you would only know it if you’re watching the “What’s New” section of the Microsoft Sentinel docs – and who does that but me? – so, that’s why I’m posting about here to make sure it gets an extra level of highlight. And the reason for ensuring you know about it is that unexpected results could occur.
The section Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP) in the docs provides some action items for those customers that have been using the AADIP connector already. If you’ve enabled the AADIP in Microsoft Sentinel, and you’ve enabled incident creation you may experience duplicate Incidents.
And, if you’ve not enabled it before, you need to make sure when you do that you don’t also enable Incident creation.
Check out the page for the full explanation and action items and prepare to make these changes on or after October 24th: Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)