Merge pull request #4891 from DeCohen/WI473943-account-view-manual-account-correlation

Unified Identity Inventory - Account View and Manual Account Correlation

Author: padmagit77

defender-for-identity/identity-inventory.md

@@ -60,7 +60,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Object ID__ – A unique identifier for the identity in Microsoft Entra ID.
 
-- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from Azure Active Directory to Entra ID).
+- __Source__ – Indicates whether the identity is on-premises (originate from Active Directory), Cloud only (Entra ID) or Hybrid (synced from Azure Active Directory to Microsoft Entra ID).
 
 - __Type__ – Specifies if the identity is a user account or service account.
 
@@ -76,7 +76,7 @@ The **Identities** list offers a consolidated view of identities across Active D
 
 - __Last updated__ – The timestamp of the most recent update to the identity's attributes in Active Directory.
 
-Nondefault columns: Email, Microsoft Entra ID risk level and Cloud ID. 
+Nondefault columns: Email, Microsoft Entra ID risk level, and Cloud ID. 
 
 > [!TIP]
 > To see all columns, you likely need to do one or more of the following steps:

defender-for-identity/investigate-assets.md

@@ -8,7 +8,7 @@ ms.reviewer: LiorShapiraa
 
 # Investigate assets
 
-Microsoft Defender for Identity provides Microsoft Defender XDR users with evidence of when users, computers, and devices have performed suspicious activities or show signs of being compromised.
+Microsoft Defender for Identity gives Microsoft Defender XDR users evidence when users, computers, and devices show signs of suspicious activities or compromise.
 
 This article gives recommendations for how to determine risks to your organization, decide how to remediate, and determine the best way to prevent similar attacks in the future.
 
@@ -17,7 +17,7 @@ This article gives recommendations for how to determine risks to your organizati
 > [!NOTE]
 > For information on how to view user profiles in Microsoft Defender XDR, see [Microsoft Defender XDR documentation](/microsoft-365/security/defender/investigate-users).
 
-If an alert or incident indicates that a user may be suspicious or compromised, check and investigate the user profile for the following details and activities:
+If an alert or incident indicates that a user might be suspicious or compromised, check and investigate the user profile for the following details and activities:
 
 - **User identity**
     - Is the user a [sensitive user](entity-tags.md) (such as admin, or on a watchlist, etc.)?
@@ -56,16 +56,17 @@ When you investigate a specific identity, you'll see the following details on an
 
 |Identity details page area  |Description  |
 |---------|---------|
-|[Overview tab](/microsoft-365/security/defender/investigate-users#overview)       | General identity data, such as the Microsoft Entra identity risk level, the number of devices the user is signed in to, when the user was first and last seen, the user's accounts and more important information.  <br><br>Use the **Overview** tab to also view graphs for incidents and alerts, and an organizational tree, entity tags.       |
+|[Overview tab](/microsoft-365/security/defender/investigate-users#overview)       | Use the **Overview** tab to view graphs for incidents and alerts, an organizational tree, and entity tags. <br> General identity data includes: <br> - Microsoft Entra identity risk level <br> - The number of devices the identity is signed in to <br> - When the identity was first and last seen <br> - The identity's accounts and more important information.  <br><br>      |
 |[Incidents and alerts](/microsoft-365/security/defender/investigate-users#incidents-and-alerts)     | Lists active incidents and alerts involving the user from the last 180 days, including details like alert severity and the time the alert was generated. |
-|[Observed in organization](/microsoft-365/security/defender/investigate-users#observed-in-organization)     |   Includes the following sub-areas: <br>- **Devices**: The devices that the identity signed in to, including most and least used in the last 180 days. <br>- **Locations**: The identity's observed locations over the last 30 days. <br>- **Groups**: All observed on-premises groups for the identity. <br> - **Lateral movement paths** - all profiled lateral movement paths from the on-premises environment. |
-|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline)     |The timeline represents activities and alerts observed from a user's identity from the last 180 days, unifying identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br>Use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range.       |
+|[Observed in organization](/microsoft-365/security/defender/investigate-users#observed-in-organization)     |   Includes the following sub-areas: <br>- **Devices**: The devices that the identity signed in to, including most and least used in the last 180 days. <br>- **Locations**: The identity's observed locations over the last 30 days. <br>- **Groups**: All observed on-premises groups for the identity. <br> - **Lateral movement paths** - all profiled lateral movement paths from the on-premises environment. <br> - **Accounts** View all accounts linked to a specific identity. |
+|[Identity timeline](/microsoft-365/security/defender/investigate-users#timeline)     | The timeline represents activities and alerts observed from a user's identity within the last 180 days, to help unify identity entries across Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Endpoint. <br><br> You can use the timeline to focus on activities a user performed or were performed on them in specific timeframes. Select the default **30 days** to change the time range to another built-in value, or to a custom range.       |
 |Security recommendations|This tab displays all active security posture assessments (ISPMs) associated with an identity account. It includes Defender for Identity recommendations across available identity providers such as Active Directory, Okta, and others. Selecting an ISPM pivots you to the recommendation page in Microsoft Secure Score for additional details.|
 |Attack paths|This tab provides visibility into potential attack paths leading to a critical identity or involving it within the path, helping assess security risks. For more information, see Overview of attack path within Exposure Management.|
 |[Remediation actions](/microsoft-365/security/defender/investigate-users#remediation-actions)      |Respond to compromised users by disabling their accounts or resetting their password. After taking action on users, you can check on the activity details in the Microsoft Defender XDR **Action center.|
 
+
 > [!NOTE]
-> **Investigation Priority Score** has been deprecated on December 3, 2024. As a result, both the Investigation Priority Score breakdown and the scored activity timeline cards have been removed from the UI. 
+> **Investigation Priority Score** was deprecated on December 3, 2024. As a result, the Investigation Priority Score breakdown and the scored activity timeline cards are no longer available.
 
 
 

defender-for-identity/link-unlink-account-to-identity.md

@@ -0,0 +1,107 @@
+---
+title: Link/Unlink an account to an identity
+description: This article explains how to link or unlink an account to an identity in Microsoft Defender for Identity.
+ms.date: 09/01/2025
+ms.topic: how-to
+ms.service: microsoft-defender-for-identity
+ms.reviewer: Almog Omrad
+#customer intent: As a SOC analyst, I want to view all accounts linked to an identity so that I can gain a complete and accurate understanding of the identity’s footprint across the organization and validate accounts correlated are correct. 
+---
+
+# Link or Unlink an Account to an Identity (Preview)
+
+## Overview
+
+In enterprise environments, identity data is often fragmented. A single user might have multiple accounts across systems, including personal, privileged, legacy, or cloud-based accounts. These accounts can cover on-premises Active Directory, Microsoft Entra ID, or third-party identity providers such as Okta and Ping. Users may also maintain multiple accounts within the same system, such as a standard business account ([email protected]) and a privileged administrative account ([email protected]). This fragmentation makes it difficult to maintain a unified view of identity across the organization. The **Manual link or unlink accounts** feature in Microsoft Defender for Identity helps you correlate accounts with identities to build a complete identity footprint.
+
+Consider a user named John Doe who has an Azure Active Directory account, an Okta account, and a Ping account. By manually linking these accounts to John’s identity in Microsoft Defender for Identity, you can create a consolidated view that supports identity-centric protection and investigation.
+
+## Why use manual linking
+
+Manual linking helps organizations:
+
+- Correlate identity components across different systems
+- Improve protection by creating a complete identity context
+- Support investigations and response actions with unified identity views
+
+### Scenarios and examples 
+
+- **Personal and privileged accounts**: A user might have two accounts, one for everyday work and another with elevated permissions for administrative tasks.  
+  **Example**  
+  - [email protected] (regular account)  
+  - [email protected] (privileged account)  
+
+- **Multiple domains**: Large organizations often manage several domains. Linking accounts across these domains provides full visibility into a user’s activity.  
+  **Example**  
+  - [email protected]  
+  - [email protected]  
+
+- **Personal and service accounts**: A user may have both a personal account and a service account they own or manage. Linking them helps connect ownership and responsibility to the same identity.  
+  **Example**  
+  - [email protected] (personal account)  
+  - [email protected] (service account)  
+
+- **Legacy accounts**: A user might still have an active account in a legacy system. Linking it ensures the account is monitored and tied back to the correct identity.  
+  **Example**  
+  - [email protected] (current account)  
+  - [email protected] (legacy account)  
+
+
+
+## Prerequisites
+
+- You must have [Unified role-based access control (URBAC)](/defender-for-identity/role-groups) roles: Global Administrator or Security Data (Manage)
+
+## How to Manually Link or Unlink Accounts to an Identity
+
+Follow these steps to manually link accounts to a selected identity.
+
+1. Navigate to **Assets** > **Identity Inventory**.
+1. Select an **Identity** from the list.
+
+    :::image type="content" source="media/identity-inventory/inventory11.png" alt-text="Screenshot of the Identity Inventory page in the Defender portal. " lightbox="media/identity-inventory/inventory11.png":::
+
+1. Select the **Observed in organization** tab.
+1. Open the **Accounts** tab.
+
+    :::image type="content" source="media/link-unlink-account-to-identity/accounts-observed-in-organization.png" alt-text="Screenshot that shows the accounts observed in an organization." lightbox="media/link-unlink-account-to-identity/accounts-observed-in-organization.png":::
+
+1. Select one or more accounts from the table. You must select at least one account to continue.
+1. You can search by:
+    - Display name
+    - User principal name (UPN)
+    - Security identifier (SID)
+    - Source provider account
+1. Select **Next**.
+1. Enter a short justification comment explaining why you're linking these accounts.
+1. Your justification must:
+    - Be between 1 and 50 characters
+    - Use only letters, numbers, spaces, @, and _
+    - If your input includes invalid characters or exceeds the limit, an error message will appear.
+1. Select **Next**.
+1. Review the selected accounts and your justification.
+1. Confirm that the accounts listed are correct.
+1. The account list refreshes automatically.
+
+## Unlink accounts from an identity
+
+Follow these steps to manually unlink accounts from a selected identity.
+
+1. Go to **Identity Inventory > Observed in organization**
+1. Open the **Accounts** tab.
+1. Select one or more account groups.
+1. Select **Unlink account**.
+1. A confirmation dialog appears with the identity name.
+1. Review the message and select **Unlink accounts** to confirm.
+
+
+## What to expect after linking or unlinking an account
+
+- The selected accounts are linked or unlinked immediately.
+- The system updates the identity context and refreshes the account list.
+- All actions are recorded in the unified audit system, including the justification and the user who performed the action.
+
+## See also
+
+- [Investigate users](/microsoft-365/security/defender/investigate-users)
+- [Investigate assets](/defender-for-identity/investigate-assets)

defender-for-identity/media/link-unlink-account-to-identity/accounts-observed-in-organization.png

@@ -37,28 +37,28 @@ The following Defender for Identity actions can be performed on Identities:
 
 | Remediation Action  | Description     |          Scope                        | 
 | ------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
-|Disable user                 | This temporarily prevents a user from signing in. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network. | Active Directory, Entra ID and Okta
-|Enable user              | Enable a user to sign in. | Active Directory, Entra ID and Okta
-|Revoke all Users' sessions       | Revoke a user's active sessions. | Entra ID and Okta
-|Confirm user compromised      | The user's risk level is set to High | Entra ID
-| Reset user password| This prompts the user to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts| Active Directory
-|Deactivate user in Okta | This action can be used when a non-legit malicious account was detected, to deactivate the account permanently | Okta
-| Set user risk to High/Medium/Low |Set one user risk scoring to one of the defined levels. This action will only be available if [Risk Scoring](https://help.okta.com/en-us/Content/Topics/Security/Security_Risk_Scoring.htm) feature is enabled | Okta
+|Disable                 | You can choose to disable **all accounts linked to an identity** or **only one of them**. Disabling an identity prevents sign-in and access to network resources until the accounts are re-enabled. This action doesn’t delete the identity profile or associated data such as documents, calendar events, or email messages. | Active Directory, Microsoft Entra ID, and Okta
+|Enable              | Re-enables accounts that were previously disabled for the selected identity. | Active Directory, Microsoft Entra ID, and Okta
+|Revoke session     | Revoke an identity's active session. | Microsoft Entra ID and Okta
+|Confirm accounts compromised      | Marks all accounts linked to the selected identity as compromised in Microsoft Entra ID. | Microsoft Entra ID
+|Reset password| Reset a password for one or more accounts linked to the selected identity.This prompts the identity to change their password on the next logon, ensuring that this account can't be used for further impersonation attempts.| Active Directory
+|Deactivate | This action can be used when a non-legit malicious account was detected, to deactivate the account permanently | Okta
+|Set account risk to High/Medium/Low |Set account risk scoring to one of the defined levels. This action is only available if [Risk Scoring](https://help.okta.com/en-us/Content/Topics/Security/Security_Risk_Scoring.htm) feature is enabled | Okta
 
 
 Depending on your Microsoft Entra ID roles, you might see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised. For more information, see [Remediate risks and unblock users](/entra/id-protection/howto-identity-protection-remediate-unblock).
 
 ## Roles and Permissions
 
-| Remediation Action | Active Directory  |Entra ID   | Okta  |
+| Remediation Action | Active Directory  |Microsoft Entra ID   | Okta  |
 |--|--|--|--|
-| Disable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator   | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
-| Enable user | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
-| Revoke all Users' sessions |N\A  | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
-| Confirm user compromised |N\A  |  - Global Administrator <br> -Security Administrator | N/A|
-| Reset user password | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | N\A | N\A
-| Deactivate user in Okta  | N\A | N\A | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
-|  Set User risk to High/Medium/Low  | N\A | N\A | A custom role defined with permissions for Response (manage) or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
+|Disable | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator   | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Enable | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Revoke session |N\A  | Global Administrator | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator |
+| Confirm accounts compromised |N\A  |  - Global Administrator <br> -Security Administrator | N/A|
+| Reset password | Refer to [Required permissions Defender for Identity in Microsoft Defender XDR](/defender-for-identity/role-groups#required-permissions-defender-for-identity-in-microsoft-defender-xdr) | N\A | N\A
+| Deactivate | N\A | N\A | A custom role defined with permissions for Response (manage) or one of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
+| Set identity risk to High/Medium/Low  | N\A | N\A | A custom role defined with permissions for Response (manage) or One of the following Microsoft Entra roles: <br> - Security Operator <br> - Security Administrator <br> - Global Administrator
 
 ## Related videos