Identity threat detection and response: Linking accounts

ByThomas Verheyden

Intro

This blog post covers a Defender for Identity feature that hasn’t received much attention. Despite flying under the radar, it’s a valuable setting for security teams who want to see all user identities across the organization in one unified view.

Scattered Identities

In corporate settings, user identities tend to be scattered across multiple platforms. One person may hold several different accounts personal, admin-level, outdated, cloud-hosted, or abandoned spread across systems like on-premises Active Directory, Microsoft Entra ID, or third-party identity providers such as Okta.

This scattered landscape makes it hard to get a complete picture of who’s who across the organization. By manually connecting or disconnecting related accounts in Microsoft Defender for Identity, you can:

  • Bring together identity data from different systems.
  • Strengthen security by building a fuller understanding of each user’s identity.
  • Streamline investigations and incident response through a consolidated view of user identities.

For example:

  • Personal and privileged accounts: A user might have two accounts, one for everyday work and another with elevated permissions for administrative tasks.
    • For example:
      thomas@meatsweater.be (regular account)
      admin-thomas@meatsweater.be (privileged account)
  • Multiple domains: Large organizations often manage several domains. Linking accounts across these domains provides full visibility into a user’s activity.
    • For example:
      thomas@meatsweater.be
      thomas@phishsweater.be
  • Personal and service accounts: A user might have both a personal account and a service account they own or manage. Linking those accounts helps connect ownership and responsibility to the same identity.
    • For example:
      thomas@meatsweater.be
      backup.service@meatsweater.be
  • Accounts in multiple services: A user might have a Microsoft Entra ID account, an Okta account, and a Ping account. Manually linking these accounts to the user’s identity creates a consolidated view that supports identity-centric protection and investigation.
  • Legacy accounts: A user might still have an active account in a legacy system. Linking accounts ensures the legacy account is monitored and tied back to the correct identity. For example:
    thomas@meatsweater.be
    thomas@meatsweater.local

Use the procedures in this article to manually link accounts to identities, and to manually unlink unused, legacy, or orphaned accounts from identities in Defender for Identity.

Manually link accounts to an identity in Defender for Identity

In the Microsoft Defender portal at https://security.microsoft.com, go to Assets > Identities. Or, to go directly to the Identity Inventory page, use https://security.microsoft.com/identity-inventory.


    On the Identities tab of the Identity Inventory page, select an identity from the list by clicking on the Display name value.
    On the identity details page that opens, select the Observed in organization tab, and verify the Accounts tab is selected.

    On the Accounts tab, select  Link.

    The Link accounts wizard opens. On the Select accounts page, use the search box to find an account. You can search by Display name, User principal name (UPN), Security identifier (SID), Source provider account

    Select one account by selecting the check box next to the Display name column, and then select Next.

    On the Enter justification page, enter a short explanation why you’re linking these accounts. A valid explanation includes:

    • Up to 50 characters.Letters, numbers, spaces, @, or _.
    Select Next.

    On the Review and finish page, review the information, and select Back to make changes. When you’re finished, select Submit.

    After the account is successfully linked, select Done

    Unlinking Accounts

    If you are not happy with the result or you want to unlink accounts again , you can follow those steps:

    On the Identities tab of the Identity Inventory page at https://security.microsoft.com/identity-inventory, select an Identity from the list by clicking on the Display name value.

    On the identity details page that opens, select the Observed in organization tab, and verify the Accounts tab is selected.

    On the Accounts tab, select the account you want to unlink from the identity by selecting the check box next to the Display name column, and then select  Unlink.

    That’s it, you know now how to link all your entities together and you can create a unified view of your identities in a complete context!

    Similar Posts

    | |

    Defender for Endpoint Migration: Troubleshooting Persistent Third-Party AV Registration

    ByThomas Verheyden

    Intro I recently assisted a costumer with migrating to Defender for Endpoint. They had some windows 10/11 endpoints where the 3rd party Antivirus (AV) kept registered as primary Antivirus which by default put Defender for Endpoint in disable state on Windows 10/11: Together with the Internal system engineers we tested multiple uninstall packages/scripts provided by…

    |

    MDI-configurator v1.0 is out !

    ByThomas Verheyden

    A user-friendly graphical interface for managing Microsoft Defender for Identity (MDI) configurations using PowerShell. This PowerShell script provides a comprehensive WPF-based GUI wrapper around the Microsoft Defender for Identity PowerShell module. It simplifies the configuration, testing, and management of MDI deployments through an intuitive interface, eliminating the need to remember complex PowerShell commands. Download: v3rtho/MDI-configurator:…

    | |

    Using Azure Arc only for Defender for Servers or Azure monitoring Agent? Lock it down!

    ByThomas Verheyden

    Intro While reviewing Defender for Servers and AMA agent implementations across various customers, I noticed that not all of them are following best security practices for Azure Arc deployments. In this blog, I want to highlight several security concerns and provide recommendations on how to mitigate them… Why should we care? The Azure Connected Machine…

    |

    MDE-Troubleshooter v1.6.1 available

    ByThomas Verheyden

    What’s new:– Inspired by Yong Rhee “Resolving High CPU Utilization in MDE” session, added additional options to run the Performance analyzer, Overview is now by default.– Added ASR rules that went GA– Added a check if DeviceControl is enabled– Added Proxy ULR/PAC check– Added check to see if signature update are out of date Download:GitHub…

    Fix: SENSE Service stuck in START_PENDING on WS2012R2 or WS2016? Check OOBE !

    ByThomas Verheyden

    Intro This blog discusses a challenge I encountered with a client. They reached out for assistance in addressing issues during the deployment of Defender for Endpoint on Windows Server 2012 R2 and Windows Server 2016. Yes, despite being end-of-life (EOL), these operating systems are still in use. If you’re only interested in the solution, skip…

    The ultimate Defender XDR RBAC visualization

    ByThomas Verheyden

    Do you also struggle, like I do, to assign the correct permissions in Microsoft Defender XDR RBAC when designing your RBAC model? I recently created a visual overview of the current roles and their functions. It helped me a lot in understanding how to structure RBAC properly and I hope it can help you too!…

    Leave a Reply