Microsoft Entra’s New Logging: A Game-Changer for Multi-Tenant Incident Response

Introduction:

Microsoft has expanded the attributes recorded in Entra ID sign-in logs, closing visibility gaps that matter most in multi-tenant cloud environments. The new fields add tenant, session and client context to Service Principal sign-ins and administrative changes, giving defenders the data they need to detect and investigate identity-based attacks that cross tenant boundaries.

Learning Objectives:

  • Understand the six new critical logging attributes and the security blind spots they address.
  • Learn how to query and leverage these new attributes in Microsoft Sentinel for proactive threat hunting.
  • Develop incident response playbooks that incorporate the enriched context for Service Principal and cross-tenant activities.

You Should Know:

1. The AppOwnerTenantId and ResourceOwnerTenantId Attributes

The `AppOwnerTenantId` and `ResourceOwnerTenantId` attributes establish the tenant context of an application’s sign-in activity. Previously, a sign-in by a Service Principal (SPN) belonging to a third-party, multi-tenant application showed only the tenant in which the resource resided, obscuring where the application itself came from. These fields explicitly identify the tenant that owns the application and the tenant that owns the resource being accessed.

Step-by-step guide:

To see these attributes in action, query the `AADServicePrincipalSignInLogs` table in Log Analytics, which now carries these columns. Service Principal sign-ins are not recorded in `SigninLogs`, which holds interactive user sign-ins.

AADServicePrincipalSignInLogs
| where ServicePrincipalName has "your-app-name"
| project TimeGenerated, ServicePrincipalName, AppId, ResourceDisplayName, AppOwnerTenantId, ResourceOwnerTenantId, ResultType
| sort by TimeGenerated desc

This KQL query will return sign-in attempts for a specific application, clearly showing the Tenant IDs for both the application owner and the resource owner. This is vital for detecting suspicious cross-tenant access, such as an SPN from an unknown tenant attempting to access your resources.

2. Hunting for Anomalous Cross-Tenant SPN Logins

With `AppOwnerTenantId`, security teams can proactively hunt for Service Principal sign-ins from unexpected or unauthorized tenant contexts. This is a common pattern in consent-based supply chain attacks, where a malicious multi-tenant application that has been granted permissions in your tenant uses them to access data.

Step-by-step guide:

Create a hunting query in Microsoft Sentinel to baseline and alert on new tenant contexts.

let KnownTenants = dynamic(["your-tenant-guid", "trusted-partner-tenant-guid"]);
AADServicePrincipalSignInLogs
| where ResultType == "0"
| where isnotempty(AppOwnerTenantId)
| where AppOwnerTenantId !in (KnownTenants)
| project TimeGenerated, ServicePrincipalName, AppId, AppOwnerTenantId, ResourceDisplayName, IPAddress, UserAgent, CorrelationId

This query first defines a list of known, trusted tenant IDs. It then looks for successful sign-ins (`ResultType == "0"`) by Service Principals whose `AppOwnerTenantId` is populated but not in the trusted list; the `isnotempty` filter keeps rows with a blank owner field from being reported as foreign. Any results should be investigated immediately, and tenants confirmed as legitimate added to `KnownTenants` so the rule stays quiet.
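The same hunt expressed in Python, for teams that process exported sign-in rows in an automation step rather than in the Sentinel query editor. This is an added example, not code from the original article or from Microsoft. The rows mirror only the `AADServicePrincipalSignInLogs` columns used above, and every tenant GUID, SPN name and event is constructed. It goes one step beyond the KQL above by also reporting the outbound direction: one of your own applications reaching a resource owned by a tenant you have not trusted.

```python
"""Cross-tenant Service Principal sign-in hunt over exported Entra sign-in rows.

Added example (not from the original article). Each record mirrors the columns of an
AADServicePrincipalSignInLogs row used by the KQL above; the events and GUIDs below are
constructed placeholders, not real tenants.
"""

HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
KNOWN_TENANTS = {HOME_TENANT, PARTNER_TENANT}


def _row(time, spn, app_owner, res_owner, result="0", ip="10.0.0.5"):
    """Build one constructed sign-in row (helper for the sample data only)."""
    return {
        "TimeGenerated": time,
        "ServicePrincipalName": spn,
        "AppOwnerTenantId": app_owner,
        "ResourceOwnerTenantId": res_owner,
        "ResultType": result,
        "IPAddress": ip,
    }


# Constructed sample rows (not real log data).
SAMPLE_EVENTS = [
    # Our own app reading our own resource: in-tenant, nothing to report.
    _row("2025-10-01T08:00:00Z", "backup-agent", HOME_TENANT, HOME_TENANT),
    # Vetted partner app: owner tenant is in the allow-list.
    _row("2025-10-01T08:05:00Z", "partner-connector", PARTNER_TENANT, HOME_TENANT, ip="203.0.113.10"),
    # Multi-tenant add-in owned by a tenant nobody vetted: the inbound finding.
    _row("2025-10-01T08:07:00Z", "helpful-addin",
         "33333333-3333-3333-3333-333333333333", HOME_TENANT, ip="198.51.100.7"),
    # Same unknown owner, but the sign-in failed: excluded by the ResultType filter.
    _row("2025-10-01T08:08:00Z", "helpful-addin",
         "33333333-3333-3333-3333-333333333333", HOME_TENANT, result="7000215", ip="198.51.100.7"),
    # Rows may leave the owner field empty; empty is not the same as "foreign".
    _row("2025-10-01T08:09:00Z", "platform-service", "", HOME_TENANT),
    # Our app reaching a resource owned by an unknown tenant: the outbound finding.
    _row("2025-10-01T08:12:00Z", "data-sync", HOME_TENANT,
         "44444444-4444-4444-4444-444444444444"),
]


def find_cross_tenant_spn_signins(events, known_tenants):
    """Return findings for successful SPN sign-ins crossing an untrusted tenant boundary.

    Inbound: the application is owned by a tenant outside known_tenants (what the
    article's KQL hunts for). Outbound: an application accessed a resource owned by a
    tenant outside known_tenants, which the same two columns expose. Empty owner
    fields are skipped rather than treated as untrusted.
    """
    findings = []
    for ev in events:
        if ev.get("ResultType") != "0":
            continue  # successful sign-ins only, as in the KQL
        app_owner = ev.get("AppOwnerTenantId") or ""
        res_owner = ev.get("ResourceOwnerTenantId") or ""
        direction, tenant = None, None
        if app_owner and app_owner not in known_tenants:
            direction, tenant = "inbound", app_owner
        elif res_owner and res_owner not in known_tenants:
            direction, tenant = "outbound", res_owner
        if direction:
            findings.append({
                "TimeGenerated": ev["TimeGenerated"],
                "ServicePrincipalName": ev["ServicePrincipalName"],
                "Direction": direction,
                "UntrustedTenant": tenant,
                "IPAddress": ev.get("IPAddress", ""),
            })
    return findings


def untrusted_tenants(findings):
    """Distinct untrusted tenant IDs from the findings, for review and allow-list curation."""
    return sorted({f["UntrustedTenant"] for f in findings})


if __name__ == "__main__":
    for f in find_cross_tenant_spn_signins(SAMPLE_EVENTS, KNOWN_TENANTS):
        print(f"{f['TimeGenerated']} {f['Direction']:8} {f['ServicePrincipalName']:18} "
              f"tenant={f['UntrustedTenant']} ip={f['IPAddress']}")
```

Run it as a script and it prints the two findings; feed it real exported rows and `untrusted_tenants()` gives the short list of tenant IDs to research before deciding whether each belongs in `KNOWN_TENANTS`.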

3. Leveraging SessionID for Attack Correlation

The `SessionId` attribute provides an identifier that links log entries belonging to the same authentication session. This is invaluable for forensic investigations, allowing analysts to trace the chain of activity from initial sign-in through subsequent token use across different services and log tables.

Step-by-step guide:

When investigating a potentially compromised account, use the `SessionID` to gather a complete timeline of events.

let SuspiciousSession = "session-guid-from-alert";
union SigninLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs
| where SessionId == SuspiciousSession
| project TimeGenerated, LogType=Type, OperationName, ResultType, UserPrincipalName, ServicePrincipalName, IPAddress, AppDisplayName
| sort by TimeGenerated asc

This query correlates activity across three different Entra ID log types using the shared SessionID, providing a unified view of all authentication and token usage events for that session, dramatically speeding up incident analysis.
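The correlation step in Python, for analysts who pull the three tables out of Log Analytics and stitch a timeline offline. This is an added example, not code from the original article or from Microsoft. The three dictionaries stand in for `SigninLogs`, `AADNonInteractiveUserSignInLogs` and `AADServicePrincipalSignInLogs` with only the columns the union query projects; every row, user and session identifier is constructed. It adds one check the KQL above does not make: flagging consecutive events in the same session that come from different IP addresses, a common sign that a session token was replayed from elsewhere.

```python
"""Rebuild one authentication session's timeline across Entra sign-in log tables.

Added example (not from the original article). The three tables below stand in for
SigninLogs, AADNonInteractiveUserSignInLogs and AADServicePrincipalSignInLogs with only
the columns the union query projects; all rows and identifiers are constructed.
"""
from datetime import datetime

SUSPICIOUS_SESSION = "aaaaaaaa-0000-0000-0000-000000000001"  # placeholder from a fictional alert

# Constructed sample rows keyed by the table they would come from (not real log data).
SAMPLE_TABLES = {
    "SigninLogs": [
        {"TimeGenerated": "2025-10-01T09:00:00Z", "SessionId": SUSPICIOUS_SESSION,
         "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Office 365 Portal",
         "ResultType": "0", "IPAddress": "10.0.0.5"},
        {"TimeGenerated": "2025-10-01T09:01:00Z", "SessionId": "bbbbbbbb-0000-0000-0000-000000000002",
         "UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Office 365 Portal",
         "ResultType": "0", "IPAddress": "10.0.0.9"},
    ],
    "AADNonInteractiveUserSignInLogs": [
        {"TimeGenerated": "2025-10-01T09:10:00Z", "SessionId": SUSPICIOUS_SESSION,
         "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Microsoft Teams",
         "ResultType": "0", "IPAddress": "10.0.0.5"},
        # Same session, half an hour later, from an address the user never used before.
        {"TimeGenerated": "2025-10-01T09:42:00Z", "SessionId": SUSPICIOUS_SESSION,
         "UserPrincipalName": "alice@contoso.example", "AppDisplayName": "Microsoft Graph",
         "ResultType": "0", "IPAddress": "198.51.100.7"},
    ],
    "AADServicePrincipalSignInLogs": [
        {"TimeGenerated": "2025-10-01T09:20:00Z", "SessionId": "cccccccc-0000-0000-0000-000000000003",
         "ServicePrincipalName": "backup-agent", "ResultType": "0", "IPAddress": "10.0.0.20"},
    ],
}


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps Log Analytics exports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_session_timeline(tables, session_id):
    """Union the tables, keep rows for one SessionId, and return them in time order.

    Columns absent from a table (ServicePrincipalName in user sign-in logs, for example)
    are filled with "", mirroring how a KQL union pads missing columns.
    """
    rows = []
    for log_type, records in tables.items():
        for rec in records:
            if rec.get("SessionId") != session_id:
                continue
            rows.append({
                "TimeGenerated": rec["TimeGenerated"],
                "LogType": log_type,
                "Identity": rec.get("UserPrincipalName") or rec.get("ServicePrincipalName") or "",
                "AppDisplayName": rec.get("AppDisplayName", ""),
                "ResultType": rec.get("ResultType", ""),
                "IPAddress": rec.get("IPAddress", ""),
            })
    rows.sort(key=lambda r: _ts(r["TimeGenerated"]))
    return rows


def ip_pivots(timeline):
    """Consecutive events in one session from different addresses: a token-replay signal.

    Returns (previous_ip, new_ip, time, minutes_since_previous) tuples. Mobile clients
    roam between networks, so treat a pivot as a triage lead, not proof of compromise.
    """
    pivots = []
    for prev, cur in zip(timeline, timeline[1:]):
        if prev["IPAddress"] and cur["IPAddress"] and prev["IPAddress"] != cur["IPAddress"]:
            gap = (_ts(cur["TimeGenerated"]) - _ts(prev["TimeGenerated"])).total_seconds() / 60
            pivots.append((prev["IPAddress"], cur["IPAddress"], cur["TimeGenerated"], gap))
    return pivots


if __name__ == "__main__":
    timeline = build_session_timeline(SAMPLE_TABLES, SUSPICIOUS_SESSION)
    for row in timeline:
        print(f"{row['TimeGenerated']} {row['LogType']:32} {row['AppDisplayName']:18} {row['IPAddress']}")
    for prev_ip, new_ip, when, gap in ip_pivots(timeline):
        print(f"IP pivot {prev_ip} -> {new_ip} at {when} ({gap:.0f} min after previous event)")
```

The unrelated rows (Bob's interactive sign-in and the SPN sign-in) fall out of the timeline because their `SessionId` differs, exactly as they would in the KQL union; the pivot check then points the analyst at the 09:42 Graph token use from 198.51.100.7.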

4. Analyzing SourceAppClientID for Token Exchange Attacks

The `SourceAppClientId` field identifies the client application that initiated a token exchange flow, such as the OAuth 2.0 on-behalf-of (OBO) flow. This exposes token brokerage that was previously invisible in the logs, which matters because impersonation techniques such as the “Actor Token” issue rely on a token obtained by one application being used to gain access as another.

Step-by-step guide:

To monitor for potentially malicious token exchanges, look for successful Service Principal sign-ins that carry a source application and alert when that application is not on your approved list.

AADServicePrincipalSignInLogs
| where ResultType == "0"
| extend SourceApp = tostring(SourceAppClientId)
| where isnotempty(SourceApp)
| where SourceApp !in ("allowed-app-client-id-1", "allowed-app-client-id-2")
| project TimeGenerated, ServicePrincipalName, AppId, SourceApp, IPAddress, ResourceDisplayName

This query keeps only successful sign-ins and reads the new `SourceAppClientId` column. Because the attribute is populated only when a token exchange occurred, the `isnotempty` filter isolates exchange flows from ordinary client-credential sign-ins; the final filter alerts on exchanges originating from applications not on the approved list. Confirm the exact column name against your workspace schema before promoting this to an analytics rule.

5. Enriching Alerts with Entra TenantID in Log Analytics

The consistent inclusion of the Entra `TenantId` in the relevant Log Analytics tables lets multi-tenant organizations filter and segment log data by tenant. This simplifies management and querying for organizations with complex tenant structures, such as those with dedicated tenants for development, production, and partners.

Step-by-step guide:

Create a centralized dashboard widget that shows sign-in activity across all your managed tenants.

let TenantNames = datatable(TenantId: string, TenantName: string) [
    "your-prod-tenant-guid", "Production",
    "your-dev-tenant-guid", "Development",
    "partner-tenant-guid", "Partner"
];
SigninLogs
| summarize SignInCount = count() by TenantId, ResultType
| join kind=leftouter TenantNames on TenantId
| extend TenantName = coalesce(TenantName, TenantId)
| project TenantName, ResultType, SignInCount
| render columnchart

This query aggregates sign-in counts by tenant and result (success/failure), then joins them to an inline `datatable` of friendly tenant names (replace the placeholder GUIDs with your own; there is no built-in table of tenant names). The left outer join and `coalesce` keep tenants that are missing from the lookup, labelled by their raw ID, so the chart never silently drops a tenant you forgot to name.

6. UserAgent Parsing for Service Principal Sign-Ins

The addition of `UserAgent` information to Service Principal sign-in logs closes a long-standing gap. Well established for user sign-ins, this field for SPNs reveals the type of client (e.g., PowerShell, a specific SDK, an unknown script) that initiated the authentication, helping to identify misuse of credentials or automated attacks.

Step-by-step guide:

Hunt for Service Principal sign-ins using anomalous or known malicious User-Agent strings.

AADServicePrincipalSignInLogs
| where ResultType == "0"
| where UserAgent has_any ("python", "curl") or isempty(UserAgent)
| project TimeGenerated, ServicePrincipalName, AppId, UserAgent, IPAddress, ResourceDisplayName
| order by TimeGenerated desc

This query looks for successful SPN sign-ins where the User-Agent string indicates a command-line tool or script, or is missing entirely (`has_any` is case-insensitive, so it matches `Python/3.11` as well as `python-requests`). While not inherently malicious, this activity should be baselined per Service Principal; the sudden appearance of `curl` or `Python` for a normally quiet SPN, or for one that always used the same SDK, can indicate credential theft and misuse.
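The baselining the paragraph above calls for, as an added example that is not code from the original article or from Microsoft. A static match on "Python" or "curl" fires constantly for SPNs whose SDK legitimately runs on Python, so this collapses each raw User-Agent into a coarse client family, learns which families each SPN used during a baseline window, and flags only families that are new for that SPN (or SPNs with no baseline at all). The rows, SPN names, User-Agent strings and the family markers are constructed for illustration.

```python
"""Per-Service-Principal User-Agent baselining over exported SPN sign-in rows.

Added example (not from the original article). Rows carry only the
AADServicePrincipalSignInLogs columns used here; SPN names, timestamps and
User-Agent strings are constructed samples.
"""
from datetime import datetime

# Ordered (marker, family) pairs; the first match wins. PowerShell goes first because its
# User-Agent also carries a Mozilla prefix; SDK markers go before the bare language so an
# Azure SDK running on Python is not mistaken for an ad-hoc script.
_FAMILY_MARKERS = [
    ("powershell", "powershell"),
    ("azsdk-", "azure-sdk"),
    ("msal", "msal"),
    ("curl/", "curl"),
    ("python", "python"),
    ("mozilla/", "browser"),
]


def ua_family(user_agent):
    """Collapse a raw User-Agent string to a coarse client family."""
    ua = (user_agent or "").lower()
    if not ua:
        return "unknown"
    for marker, family in _FAMILY_MARKERS:
        if marker in ua:
            return family
    return "other"


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _row(time, spn, ua, result="0"):
    """Build one constructed sign-in row (helper for the sample data only)."""
    return {"TimeGenerated": time, "ServicePrincipalName": spn, "UserAgent": ua, "ResultType": result}


BASELINE_END = "2025-10-01T00:00:00Z"  # events before this form the baseline, later ones are scored

SDK_UA = "azsdk-python-identity/1.15.0 Python/3.11.4 (Linux-5.15.0)"
PS_UA = "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.1"

# Constructed sample rows (not real log data).
SAMPLE_EVENTS = [
    # Baseline window: what normal looks like for each SPN.
    _row("2025-09-20T02:00:00Z", "backup-agent", SDK_UA),
    _row("2025-09-25T02:00:00Z", "backup-agent", SDK_UA),
    _row("2025-09-22T07:30:00Z", "deploy-bot", PS_UA),
    # Detection window.
    _row("2025-10-02T02:00:00Z", "backup-agent", SDK_UA),                    # usual SDK: quiet
    _row("2025-10-02T14:13:00Z", "backup-agent", "curl/8.5.0"),              # new family: finding
    _row("2025-10-02T14:14:00Z", "backup-agent", "curl/8.5.0", "7000215"),   # failed: ignored
    _row("2025-10-03T07:30:00Z", "deploy-bot", PS_UA),                       # usual PowerShell: quiet
    _row("2025-10-03T11:00:00Z", "reporting-svc", "python-requests/2.31.0"), # no baseline: finding
]


def baseline_user_agents(events, baseline_end):
    """Map each SPN to the client families it used in successful sign-ins before baseline_end."""
    cutoff = _ts(baseline_end)
    baseline = {}
    for ev in events:
        if ev["ResultType"] != "0" or _ts(ev["TimeGenerated"]) >= cutoff:
            continue
        baseline.setdefault(ev["ServicePrincipalName"], set()).add(ua_family(ev["UserAgent"]))
    return baseline


def detect_new_user_agents(events, baseline, baseline_end):
    """Successful sign-ins at or after baseline_end whose client family the SPN never used before."""
    cutoff = _ts(baseline_end)
    findings = []
    for ev in events:
        if ev["ResultType"] != "0" or _ts(ev["TimeGenerated"]) < cutoff:
            continue
        spn = ev["ServicePrincipalName"]
        family = ua_family(ev["UserAgent"])
        known = baseline.get(spn)
        if known is None:
            reason = "no baseline for this SPN"
        elif family not in known:
            reason = f"new client family; baseline was {sorted(known)}"
        else:
            continue
        findings.append({"TimeGenerated": ev["TimeGenerated"], "ServicePrincipalName": spn,
                         "Family": family, "UserAgent": ev["UserAgent"], "Reason": reason})
    return findings


if __name__ == "__main__":
    baseline = baseline_user_agents(SAMPLE_EVENTS, BASELINE_END)
    for f in detect_new_user_agents(SAMPLE_EVENTS, baseline, BASELINE_END):
        print(f"{f['TimeGenerated']} {f['ServicePrincipalName']:14} {f['Family']:10} {f['Reason']}")
```

In production the baseline window should be long enough to cover each SPN's normal schedule (a monthly job needs more than two weeks), and confirmed-legitimate new clients should be fed back into the baseline rather than suppressed one alert at a time.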

7. Building a Proactive Multi-Tenant Monitoring Workbook

Combine the new attributes into a single Microsoft Sentinel Workbook for a comprehensive multi-tenant security monitoring view. This gives your security operations center (SOC) a single pane of glass for cross-tenant identity activity.

Step-by-step guide:

Create a new Workbook in Sentinel and add the following query as a data source.

SigninLogs
| extend AppOwnerTenantId = tostring(AppOwnerTenantId)
| extend RiskLevel = case(
    isnotempty(AppOwnerTenantId) and AppOwnerTenantId != TenantId and AppOwnerTenantId != "trusted-tenant-id", "High",
    UserAgent has "PowerShell" and ClientAppUsed == "Browser", "Medium",
    "Low")
| project TimeGenerated, UserDisplayName, AppDisplayName, IPAddress, RiskLevel, AppOwnerTenantId, ResourceOwnerTenantId, SessionId, UserAgent
| order by TimeGenerated desc

This query creates a custom risk score based on cross-tenant activity and anomalous User-Agent information. The resulting table can be visualized and filtered within the Workbook, enabling SOC analysts to quickly triage the highest-risk events.

What Undercode Say:

  • Context is King: The true value of this update is not in the individual data points, but in the rich contextual narrative they create when combined. For the first time, security teams can answer the critical “who, what, when, and where” of Service Principal activity with high fidelity.
  • Foundation for Automation: These attributes provide the necessary granularity to build sophisticated, automated detection rules and response playbooks, moving beyond simple alerting to automated containment actions based on tenant trust levels and behavioral patterns.

This logging enhancement is a direct response to the evolving threat landscape, particularly techniques like the “Actor Token” vulnerability that exploit trust relationships in multi-tenant environments. By shedding light on the previously opaque mechanisms of cross-tenant authentication, Microsoft is forcing a recalibration in favor of defenders. While it does not automatically secure an environment, it provides the essential raw data for organizations to build robust, evidence-based detection capabilities. The effectiveness now hinges on the security community’s ability to operationalize this data through advanced queries, automation, and skilled analysis.

Prediction:

The introduction of these logging capabilities will significantly reduce dwell time for identity-focused attacks in Azure environments over the next 12-18 months. We predict a surge in the development of open-source KQL queries and Sentinel analytics rules tailored to these new fields, creating a community-driven defense ecosystem. Furthermore, this move will pressure other cloud providers (AWS, GCP) to follow suit, leading to an industry-wide elevation of identity transparency standards. In the longer term, this data will become the foundation for AI-driven identity threat detection and response systems, enabling predictive security measures that can halt attacks before full compromise occurs.

Reported By: Parisel Driving – Hackers Feeds