A new Microsoft Entra ID feature lets security teams trace user sessions and investigate identity-based threats across Microsoft 365.
Key Takeaways:
Microsoft has announced the general availability of linkable token identifiers for Entra ID customers. This new capability enables organizations to trace a user’s session across Microsoft 365 and Microsoft Graph workloads using a single authentication event, streamlining investigation and response.
Cybersecurity teams often face challenges in tracking and responding to identity-based attacks, especially when attackers use stolen tokens to impersonate users across Microsoft services. Traditional logs lack a consistent session identifier, which makes it harder to trace malicious activity across platforms like Microsoft 365, Microsoft Teams, and SharePoint.
“Microsoft embeds specific identifiers in all access tokens that enable the correlation of activities back to a single root authentication event. These linkable identifiers are surfaced in customer-facing logs to support threat hunters and security analysts in investigating and mitigating identity-based attacks,” Microsoft explained.
Microsoft mentioned that these identifiers help security teams more effectively detect, analyze, and respond to malicious activity across sessions and tokens. There are two types of linkable identifiers used to support threat-hunting scenarios, called session ID-based identifiers and unique token identifiers.
A session ID (SID)-based identifier allows all authentication elements (like access tokens, refresh tokens, and session cookies) issued during a single login event to be linked together. On the other hand, the Unique Token Identifier (UTI) is a globally unique ID included in every Microsoft Entra access or ID token. It works to uniquely identify each token or request, which allows for detailed tracking and analysis of individual authentication events.

Currently, linkable token identifiers are available in Microsoft Entra sign-in logs, Microsoft Exchange Online audit logs, Microsoft Graph activity logs, Microsoft SharePoint Online audit logs, and Microsoft Teams audit logs. These logs let security analysts correlate authentication events and token usage across different services to support comprehensive investigations into identity-related threats.
Microsoft has mentioned a case study that showed how an attacker used Adversary-in-the-Middle (AiTM) phishing to steal credentials and move laterally across services. Linkable token identifiers helped distinguish malicious sessions from legitimate ones.
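As an added illustration (not Microsoft's code and not its real log schema), the following Python correlates constructed sample records back to their root sign-in the way the identifiers above allow: the session ID groups every token issued in one login event, the unique token identifier distinguishes individual tokens, and an analyst can pivot from one suspicious sign-in (as in the AiTM case) to all the cross-workload activity it spawned. Field names, users, IPs and identifier values are all constructed.

```python
"""Trace workload activity back to its root sign-in via session ID and unique token ID.
Constructed sample records (not the real Microsoft log schema): sid is the session ID shared
by all tokens from one login event; uti is the unique token identifier of a single token."""
from collections import defaultdict

# Constructed sign-in events, one per root authentication event.
SIGNINS = [
    {"time": "09:00", "user": "alice@example.com", "ip": "203.0.113.10", "sid": "S1", "uti": "T1"},
    {"time": "09:05", "user": "alice@example.com", "ip": "198.51.100.77", "sid": "S2", "uti": "T2"},
]

# Constructed workload records (Graph, Exchange, SharePoint, Teams) carrying sid/uti.
ACTIVITY = [
    {"time": "09:01", "workload": "Graph", "op": "GET /me/messages", "sid": "S1", "uti": "T1"},
    {"time": "09:06", "workload": "Exchange", "op": "New-InboxRule", "sid": "S2", "uti": "T2"},
    {"time": "09:07", "workload": "SharePoint", "op": "FileDownloaded", "sid": "S2", "uti": "T3"},
    {"time": "09:08", "workload": "Teams", "op": "MessageSent", "sid": "S2", "uti": "T3"},
    {"time": "09:09", "workload": "Graph", "op": "GET /users", "sid": "S9", "uti": "T9"},
]

def correlate(signins, activity):
    """Group workload records under the session whose login event minted their tokens.

    Returns {sid: {"root": sign-in record or None, "tokens": {uti: [records]}}}.
    A sid with no observed sign-in is kept with root None: a token in use without a
    visible root authentication event is itself a finding for the analyst."""
    index = {s["sid"]: s for s in signins}
    sessions = defaultdict(lambda: {"root": None, "tokens": defaultdict(list)})
    for rec in activity:
        entry = sessions[rec["sid"]]
        entry["root"] = index.get(rec["sid"])
        entry["tokens"][rec["uti"]].append(rec)
    return dict(sessions)

def session_timeline(sessions, sid):
    """Time-ordered (time, workload, op, uti) rows for one session across all workloads."""
    tokens = sessions[sid]["tokens"]
    return sorted((r["time"], r["workload"], r["op"], r["uti"])
                  for recs in tokens.values() for r in recs)

def orphan_sessions(sessions):
    """Session IDs seen in workload logs with no matching sign-in event."""
    return sorted(sid for sid, e in sessions.items() if e["root"] is None)

def activity_from_root_ip(sessions, ip):
    """Pivot for the AiTM case: everything spawned by sessions whose root sign-in came from ip."""
    return {sid: session_timeline(sessions, sid)
            for sid, e in sessions.items() if e["root"] and e["root"]["ip"] == ip}
```

Pivoting on the root sign-in's IP scopes containment to the compromised session only, while session S1 from the user's usual address is left untouched.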
Overall, Microsoft’s new linkable token identifiers enable faster investigation and mitigation and help isolate and analyze compromised sessions more effectively. We invite you to check out Microsoft’s workbook, which demonstrates how to leverage linkable identifiers for investigation and correlation, on this support page.