|
| 1 | +--- |
| 2 | +title: IdentityAccountInfo table in the advanced hunting schema |
| 3 | +description: Learn about the IdentityAccountInfo table in the advanced hunting schema, which provides account information from various sources, including Microsoft Entra ID. |
| 4 | +search.appverid: met150 |
| 5 | +ms.service: defender-xdr |
| 6 | +ms.subservice: adv-hunting |
| 7 | +f1.keywords: |
| 8 | + - NOCSH |
| 9 | +ms.author: pauloliveria |
| 10 | +author: poliveria |
| 11 | +ms.localizationpriority: medium |
| 12 | +manager: orspodek |
| 13 | +audience: ITPro |
| 14 | +ms.collection: |
| 15 | +- m365-security |
| 16 | +- tier3 |
| 17 | +ms.custom: |
| 18 | +- cx-ti |
| 19 | +- cx-ah |
| 20 | +ms.topic: reference |
| 21 | +ms.date: 11/17/2025 |
| 22 | +--- |
| 23 | + |
| 24 | +# IdentityAccountInfo (Preview) |
| 25 | + |
| 26 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] |
| 27 | + |
| 28 | +> [!IMPORTANT] |
| 29 | +> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. |
| 30 | +
|
| 31 | +The `IdentityAccountInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about account information from various sources, including Microsoft Entra ID. This table also includes information and link to the identity that owns the account. Use this reference to construct queries that return information from this table. |
| 32 | + |
| 33 | +For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md). |
| 34 | + |
| 35 | + |
| 36 | +| Column name | Data type | Description | |
| 37 | +|-------------|-----------|-------------| |
| 38 | +| `Timestamp` | `datetime` | The date and time that the line was written to the database.<br><br>This is used when there are multiple lines for each identity, such as when a change is detected, or if 24 hours have passed since the last database line was added. | |
| 39 | +| `ReportId` | `string` | Unique identifier for the event | |
| 40 | +| `SourceProviderAccountId` | `string` | Identifier for the account in the source provider (for example, object ID for a Microsoft Entra ID account) | |
| 41 | +| `AccountId` | `string` | Internal identifier for the account | |
| 42 | +| `IdentityId` | `string` | Identifier for the identity that the account is linked to | |
| 43 | +| `IsPrimary ` | `bool` | Indicates if this account is considered as primary account for the linked identity | |
| 44 | +| `IdentityLinkType` | `string` | Type of linkage between the account and identity; possible values: Manual, Strong identifiers | |
| 45 | +| `IdentityLinkReason` | `string` | Reason for linking the account and identity. If the linkage type is manual, the value will be the justification comment added by the user. | |
| 46 | +| `IdentityLinkTime` | `datetime` | Date and time the account was linked to the identity | |
| 47 | +| `IdentityLinkBy` | `string` | The entity that linked the account to the identity. If the linkage type is based on strong identifiers, the value will be System | |
| 48 | +| `DisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. | |
| 49 | +| `AccountUpn` | `string` | User principal name (UPN) of the account | |
| 50 | +| `EmailAddress` | `string` | SMTP address of the account | |
| 51 | +| `CriticalityLevel` | `int` | The criticality score of the account | |
| 52 | +| `DefenderRiskLevel` | `int` | The risk level of the account as calculated by Microsoft Defender | |
| 53 | +| `DefenderRiskUpdateTime` | `datetime` | Date and time Microsoft Defender last updated the risk level of the account | |
| 54 | +| `Type` | `string` | Type of identity; possible values: User, ServiceAccount | |
| 55 | +| `GivenName` | `string` | Given name or first name of the account user | |
| 56 | +| `Surname` | `string` | Surname, family name, or last name of the account user | |
| 57 | +| `EmployeeId` | `string` | Employee identifier assigned to the user by the organization | |
| 58 | +| `Department` | `string` | Name of the department that the account user belongs to | |
| 59 | +| `JobTitle` | `string` | Job title of the account user | |
| 60 | +| `Address` | `string` | Address of the account user | |
| 61 | +| `City` | `string` | City where the account user is located | |
| 62 | +| `Country` | `string` | Country/Region where the account user is located | |
| 63 | +| `Phone` | `string` | The listed phone number of the account user | |
| 64 | +| `Manager` | `string` | The listed manager of the account user | |
| 65 | +| `Sid` | `string` | Security identifier (SID) of the account | |
| 66 | +| `AccountStatus` | `string` | The status of the account; possible values: Disabled, Enabled, Deleted | |
| 67 | +| `SourceProvider` | `string` | Source application or service of the account (for example, Microsoft Entra ID) | |
| 68 | +| `SourceProviderInstanceId` | `string` | The identifier of the source application or service of the account. For example, in Microsoft Entra ID, this is the organization Globally Unique Identifier (GUID). | |
| 69 | +| `SourceProviderInstanceDisplayName` | `string` | The display name of the source application or service of the account | |
| 70 | +| `AuthenticationMethod` | `string` | Authentication method used to allow the account user to sign into the account; possible values: Credentials, Federated, Hybrid | |
| 71 | +| `AuthenticationSourceAcccountId` | `string` | The identifier of the federating account, if the authentication method is Federated | |
| 72 | +| `EnrolledMfas` | `dynamic` | Types of multifactor authentication methods configured for the account user and their status | |
| 73 | +| `LastPasswordChangeTime` | `datetime` | Date and time the account password was last changed | |
| 74 | +| `GroupMembership` | `dynamic` | Group identifiers assigned to the account | |
| 75 | +| `AssignedRoles` | `dynamic` | Role identifiers assigned to the account | |
| 76 | +| `EligibleRoles` | `dynamic` | Identifiers for roles the account are eligible to use (for example, Microsoft Entra Privileged Identity Management roles) | |
| 77 | +| `TenantMembershipType` | `string` | User type; possible values: Guest, Member | |
| 78 | +| `CreatedDateTime ` | `datetime` | Date and time when the user account was created | |
| 79 | +| `DeletedDateTime` | `datetime` | Date and time when the user account was deleted | |
| 80 | +| `Tags` | `dynamic` | Tags assigned to the account by Defender for Identity | |
| 81 | +| `SourceProvderRiskLevel` | `dynamic` | Risk level of the account as it appears in the source provider; possible values: Low, Medium, High | |
| 82 | +| `AdditionalFields` | `dynamic` | Additional information about the entity or event | |
| 83 | +| `TenantId` | `string` | Universally unique identifier (UUID) for the tenant | |
| 84 | + |
| 85 | + |
| 86 | +## Related articles |
| 87 | + |
| 88 | +- [Advanced hunting overview](advanced-hunting-overview.md) |
| 89 | +- [Learn the query language](advanced-hunting-query-language.md) |
| 90 | +- [Use shared queries](advanced-hunting-shared-queries.md) |
| 91 | +- [Understand the schema](advanced-hunting-schema-tables.md) |
| 92 | +- [Apply query best practices](advanced-hunting-best-practices.md) |
| 93 | + |
| 94 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] |
0 commit comments