Merge pull request #5219 from MicrosoftDocs/poliveria-entraid-10072025

poliveria · web-flow · commit a921c12c0d96 · 2025-11-04T15:17:28.000+05:30
Add EntraIdSignInEvents and EntraIdSpnSignInEvents tables
diff --git a/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md b/defender-xdr/advanced-hunting-aadsignineventsbeta-table.md
@@ -6,10 +6,10 @@ ms.service: defender-xdr
 ms.subservice: adv-hunting
 f1.keywords: 
   - NOCSH
-ms.author: maccruz
-author: schmurky
+ms.author: pauloliveria
+author: poliveria
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -21,19 +21,26 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/28/2025
+ms.date: 11/04/2025
 ---
 
 # AADSignInEventsBeta
 
 
 
 > [!IMPORTANT]
-> The `AADSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table. All sign-in schema information will eventually move to the `IdentityLogonEvents` table.
+> On December 9, 2025, the `AADSignInEventsBeta` table will be replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md). This change will be made to remove the former's preview status and to align it with the existing product branding. 
+>
+>The `EntraIdSignInEvents` table is already available. To ensure a smooth transition, make sure that you update your queries that use the `AADSignInEventsBeta` table to use `EntraIdSignInEvents` before the previously mentioned date. 
+
+>[!IMPORTANT]
+> The `AADSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table.
 
 The `AADSignInEventsBeta` table in the advanced hunting schema contains information about Microsoft Entra interactive and non-interactive sign-ins. Learn more about sign-ins in [Microsoft Entra sign-in activity reports - preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
 
-Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see the [advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+Use this reference to construct queries that return information from the table. 
+
+For information on other tables in the advanced hunting schema, see the [advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
 
 <br>
 
diff --git a/defender-xdr/advanced-hunting-aadspnsignineventsbeta-table.md b/defender-xdr/advanced-hunting-aadspnsignineventsbeta-table.md
@@ -6,10 +6,10 @@ ms.service: defender-xdr
 ms.subservice: adv-hunting
 f1.keywords: 
   - NOCSH
-ms.author: maccruz
-author: schmurky
+ms.author: pauloliveria
+author: poliveria
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
 - m365-security
@@ -21,14 +21,18 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 03/28/2025
+ms.date: 11/04/2025
 ---
 
 # AADSpnSignInEventsBeta
 
-
 > [!IMPORTANT]
-> The `AADSpnSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table. Microsoft will eventually move all sign-in schema information to the `IdentityLogonEvents` table.
+> On December 9, 2025, the `AADSpnSignInEventsBeta` table will be replaced by [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md). This change will be made to remove the former's preview status and to align it with the existing product branding.
+>
+>The `EntraIdSpnSignInEvents` table is already available. To ensure a smooth transition, make sure that you update your queries that use the `AADSpnSignInEventsBeta` table to use `EntraIdSpnSignInEvents` before the previously mentioned date. 
+
+>[!IMPORTANT]
+>The `AADSpnSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table.
 
 The `AADSpnSignInEventsBeta` table in the advanced hunting schema contains information about Microsoft Entra service principal and managed identity sign-ins. You can learn more about the different kinds of sign-ins in [Microsoft Entra sign-in activity reports - preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
 
@@ -54,7 +58,7 @@ For information on other tables in the advanced hunting schema, see [the advance
 |`ResourceId`|`string`|Unique identifier of the resource accessed|
 |`ResourceTenantId`|`string`|Unique identifier of the tenant of the resource accessed|
 |`IPAddress`|`string`|IP address assigned to the endpoint and used during related network communications|
-|`Country`|`string`|Two-letter code indicating the country where the client IP address is geolocated|
+|`Country`|`string`|Two-letter code indicating the country/region where the client IP address is geolocated|
 |`State`|`string`|State where the sign-in occurred, if available|
 |`City`|`string`|City where the account user is located|
 |`Latitude`|`string`|The north to south coordinates of the sign-in location|
diff --git a/defender-xdr/advanced-hunting-entraidsigninevents-table.md b/defender-xdr/advanced-hunting-entraidsigninevents-table.md
@@ -0,0 +1,104 @@
+---
+title: EntraIdSignInEvents table in the advanced hunting schema (preview)
+description: Learn about the Microsoft Entra sign-in events table of the advanced hunting schema.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 11/04/2025
+---
+
+# EntraIdSignInEvents (Preview)
+
+
+
+> [!IMPORTANT]
+> On December 9, 2025, the `EntraIdSignInEvents` table will replace [`AADSignInEventsBeta`](advanced-hunting-aadsignineventsbeta-table.md). This change will be made to remove the latter's preview status and to align it with the existing product branding. Both tables will coexist until `AADSignInEventsBeta` is deprecated after the said date.
+>
+>To ensure a smooth transition, make sure that you update your queries that use the `AADSignInEventsBeta` table to use `EntraIdSignInEvents` before the previously mentioned date. Your custom detections will be updated automatically and won't require any changes.
+
+> [!IMPORTANT]
+> Some information relates to prereleased product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+>
+> Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table.
+
+The `EntraIdSignInEvents` table in the advanced hunting schema contains information about Microsoft Entra interactive and non-interactive sign-ins. Learn more about sign-ins in [Microsoft Entra sign-in activity reports - preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
+
+Use this reference to construct queries that return information from the table. 
+
+For information on other tables in the advanced hunting schema, see the [advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+
+
+
+
+|Column name|Data type|Description|
+|---|---|---|
+|`Timestamp`|`datetime`|Date and time when the record was generated|
+|`Application`|`string`|Application that performed the recorded action|
+|`ApplicationId`|`string`|Unique identifier for the application|
+|`LogonType`|`string`|Type of logon session, specifically interactive, remote interactive (RDP), network, batch, and service|
+|`ErrorCode`|`int`|Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>.|
+|`CorrelationId`|`string`|Identifier of the sign-in event|
+|`SessionId`|`string`|Unique number assigned to a user by a website's server for the duration of the visit or session|
+|`AccountDisplayName`|`string`|Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user.|
+|`AccountObjectId`|`string`|Unique identifier for the account in Microsoft Entra ID|
+|`AccountUpn`|`string`|User principal name (UPN) of the account|
+|`IsExternalUser`|`int`|Indicates if the user that signed in is external. Possible values: -1 (not set), 0 (not external), 1 (external).|
+|`IsGuestUser`|`boolean`|Indicates whether the user that signed in is a guest in the tenant|
+|`AlternateSignInName`|`string`|On-premises user principal name (UPN) of the user signing in to Microsoft Entra ID|
+|`LastPasswordChangeTimestamp`|`datetime`|Date and time when the user that signed in last changed their password|
+|`ResourceDisplayName`|`string`|Display name of the resource accessed. The display name can contain any character.|
+|`ResourceId`|`string`|Unique identifier of the resource accessed|
+|`ResourceTenantId`|`string`|Unique identifier of the tenant of the resource accessed|
+|`DeviceName`|`string`|Fully qualified domain name (FQDN) of the device|
+|`EntraIdDeviceId`|`string`|Unique identifier for the device in Microsoft Entra ID|
+|`OSPlatform`|`string`|Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7.|
+|`DeviceTrustType`|`string`|Indicates the trust type of the device that signed in. For managed device scenarios only. Possible values are Workplace, AzureAd, and ServerAd.|
+|`IsManaged`|`int`|Indicates whether the device that initiated the sign-in is a managed device (1) or not a managed device (0)|
+|`IsCompliant`|`int`|Indicates whether the device that initiated the sign-in is compliant (1) or non-compliant (0)|
+|`AuthenticationProcessingDetails`|`string`|Details about the authentication processor|
+|`AuthenticationRequirement`|`string`|Type of authentication required for the sign-in. Possible values: multiFactorAuthentication (MFA was required) and singleFactorAuthentication (no MFA was required).|
+|`TokenIssuerType`|`int`|Indicates if the token issuer is Microsoft Entra ID (0) or Active Directory Federation Services (1)|
+|`RiskLevelAggregated`|`int`|Aggregated risk level during sign-in. Possible values: 0 (aggregated risk level not set), 1 (none), 10 (low), 50 (medium), or 100 (high).|
+|`RiskDetails`|`int`|Details about the risky state of the user that signed in|
+|`RiskState`|`int`|Indicates risky user state. Possible values: 0 (none), 1 (confirmed safe), 2 (remediated), 3 (dismissed), 4 (at risk), or 5 (confirmed compromised).|
+|`UserAgent`|`string`|User agent information from the web browser or other client application|
+|`ClientAppUsed`|`string`|Indicates the client app used|
+|`Browser`|`string`|Details about the version of the browser used to sign in|
+|`ConditionalAccessPolicies`|`string`|Details of the conditional access policies applied to the sign-in event|
+|`ConditionalAccessStatus`|`int`|Status of the conditional access policies applied to the sign-in. Possible values are 0 (policies applied), 1 (attempt to apply policies failed), or 2 (policies not applied).|
+|`IPAddress`|`string`|IP address assigned to the device during communication|
+|`Country`|`string`|Two-letter code indicating the country/region where the client IP address is geolocated|
+|`State`|`string`|State where the sign-in occurred, if available|
+|`City`|`string`|City where the account user is located|
+|`Latitude`|`string`|The north to south coordinates of the sign-in location|
+|`Longitude`|`string`|The east to west coordinates of the sign-in location|
+|`NetworkLocationDetails`|`string`|Network location details of the authentication processor of the sign-in event|
+|`RequestId`|`string`|Unique identifier of the request|
+|`ReportId`|`string`|Unique identifier for the event|
+|`EndpointCall`|`string`|Information about the Microsoft Entra ID endpoint that the request was sent to and the type of request sent during sign in.|
+
+## Related articles
+
+- [EntraIdSpnSignInEvents](./advanced-hunting-aadspnsignineventsbeta-table.md)
+- [Advanced hunting overview](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
+- [Learn the query language](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language)
+- [Understand the schema](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-entraidspnsigninevents-table.md b/defender-xdr/advanced-hunting-entraidspnsigninevents-table.md
@@ -0,0 +1,76 @@
+---
+title: EntraIdSpnSignInEvents table in the advanced hunting schema (preview)
+description: Learn about information associated with Microsoft Entra service principal and managed identity sign-in events table.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: pauloliveria
+author: poliveria
+ms.localizationpriority: medium
+manager: orspodek
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom:
+- cx-ti
+- cx-ah
+appliesto:
+    - Microsoft Defender XDR
+    - Microsoft Sentinel in the Microsoft Defender portal
+ms.topic: reference
+ms.date: 11/04/2025
+---
+
+# EntraIdSpnSignInEvents (Preview)
+
+
+> [!IMPORTANT]
+> On December 9, 2025, the `EntraIdSpnSignInEvents` table will replace [`AADSpnSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md). This change will be made to remove the latter's preview status and to align it with the existing product branding. Both tables will coexist until `AADSpnSignInEventsBeta` is deprecated after the said date.
+>
+>To ensure a smooth transition, make sure that you update your queries that use the `AADSpnSignInEventsBeta` table to use `EntraIdSpnSignInEvents` before the previously mentioned date. Your custom detections will be updated automatically and won't require any changes.
+
+> [!IMPORTANT]
+> Some information relates to prereleased product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+>
+> Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table.
+
+The `EntraIdSpnSignInEvents` table in the advanced hunting schema contains information about Microsoft Entra service principal and managed identity sign-ins. You can learn more about the different kinds of sign-ins in [Microsoft Entra sign-in activity reports - preview](/azure/active-directory/reports-monitoring/concept-all-sign-ins).
+
+Use this reference to construct queries that return information from the table. 
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference).
+
+
+|Column name|Data type|Description|
+|-----------|---------|-----------|
+|`Timestamp`|`datetime`|Date and time when the record was generated|
+|`Application`|`string`|Application that performed the recorded action|
+|`ApplicationId`|`string`|Unique identifier for the application|
+|`IsManagedIdentity`|`boolean`|Indicates whether the sign-in was initiated by a managed identity|
+|`ErrorCode`|`int`|Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit <https://aka.ms/AADsigninsErrorCodes>.|
+|`CorrelationId`|`string`|Unique identifier of the sign-in event|
+|`ServicePrincipalName`|`string`|Name of the service principal that initiated the sign-in|
+|`ServicePrincipalId`|`string`|Unique identifier of the service principal that initiated the sign-in|
+|`ResourceDisplayName`|`string`|Display name of the resource accessed. The display name can contain any character.|
+|`ResourceId`|`string`|Unique identifier of the resource accessed|
+|`ResourceTenantId`|`string`|Unique identifier of the tenant of the resource accessed|
+|`IPAddress`|`string`|IP address assigned to the endpoint and used during related network communications|
+|`Country`|`string`|Two-letter code indicating the country/region where the client IP address is geolocated|
+|`State`|`string`|State where the sign-in occurred, if available|
+|`City`|`string`|City where the account user is located|
+|`Latitude`|`string`|The north to south coordinates of the sign-in location|
+|`Longitude`|`string`|The east to west coordinates of the sign-in location|
+|`RequestId`|`string`|Unique identifier of the request|
+|`ReportId`|`string`|Unique identifier for the event|
+
+## Related articles
+
+- [EntraIdSignInEvents](./advanced-hunting-aadsignineventsbeta-table.md)
+- [Advanced hunting overview](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview)
+- [Learn the query language](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language)
+- [Understand the schema](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
diff --git a/defender-xdr/advanced-hunting-schema-changes.md b/defender-xdr/advanced-hunting-schema-changes.md
@@ -21,7 +21,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: reference
-ms.date: 05/28/2025
+ms.date: 11/04/2025
 ---
 
 # Advanced hunting schema - Naming changes
@@ -37,6 +37,12 @@ Naming changes are automatically applied to queries that are saved in Microsoft
 - Queries that are run using the API
 - Queries that are saved elsewhere outside Microsoft Defender XDR
 
+## November 2025
+
+The [`AADSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) and  [`AADSignInEventsBeta`](advanced-hunting-aadspnsignineventsbeta-table.md) tables are being replaced by [`EntraIdSignInEvents`](advanced-hunting-entraidsigninevents-table.md) and [`EntraIdSpnSignInEvents`](advanced-hunting-entraidspnsigninevents-table.md), respectively. These changes are being made to remove the former tables' preview status and to align them with the existing product branding.
+
+The `EntraIdSignInEvents` and `EntraIdSpnSignInEvents` tables are now available. The legacy `AADSignInEventsBeta`and `AADSignInEventsBeta` tables will remain in the schema for 30 days to allow time for updating your queries. Your custom detections will be updated automatically and won't require any changes. On December 9, 2025, `AADSignInEventsBeta`and `AADSignInEventsBeta` will be removed from the schema.
+
 ## September 2025
 
 In the [AADSignInEventsBeta](./advanced-hunting-aadspnsignineventsbeta-table.md) table, the `AadDeviceId` column is being replaced with a new column, called `EntraIdDeviceId`, to align with current product branding. The legacy `AadDeviceId` column will remain in the schema for 30 days to allow time for updating in your queries. After this period of 30 days, `AadDeviceId` will be removed from the schema.
diff --git a/defender-xdr/advanced-hunting-schema-tables.md b/defender-xdr/advanced-hunting-schema-tables.md
