In Microsoft Defender, an identity represents a person or entity in your organization. Users often have multiple accounts across providers such as on-premises Active Directory, Microsoft Entra ID, SaaS applications, and other IDPs. Defender correlates these accounts into a single identity.
Each identity has a primary account. When multiple accounts are associated with an identity, Microsoft Defender designates one account as primary and uses it for identity-level profile details.
The Identity page consolidates identity details, observed activity, alerts, and exposure across linked accounts so security teams can quickly assess risk, determine possible compromise, understand the identity’s access across the environment, and respond to it with remediation actions. You can open the Identity page by selecting an identity from several areas in the Microsoft Defender portal, including:
- Identities inventory
- Alerts queue
- Individual alert pages
- Incidents or devices
- Advanced hunting results
- Activity log
- Action center
The Identity page is organized into a top section and a set of tabs. The top section shows identity context such as the org information and tags, and includes the Actions menu. Use the tabs to review summary details, related alerts, and deeper investigation views.
- Org information: The identity’s job title, department, and more.
- Account tags: Active Directory tags associated with the identity.
The Identity page includes these tabs:
- Overview
- Incidents and alerts
- Observed in organization
- Timeline
- Security recommendations
- Attack paths
- Policies
- Microsoft Sentinel events (for Microsoft Sentinel customers)
Identity actions
From the Overview page, use the Actions menu to trigger remediation actions. Available actions include:
- Enable, disable, or suspend the user in Microsoft Entra ID
- Require the user to sign in again or force a password reset
- View Microsoft Entra account settings, related governance, the user's owned files, or shared files
Overview tab
The Overview tab provides a high‑level snapshot that helps analysts quickly assess risk and decide whether deeper investigation is required.
The Overview tab includes sections for:
- Entity details
- Incidents and alerts
- Associated interactive logon devices
Entity details
The Entity details panel summarizes key identity information and investigation signals, including:
- Microsoft Entra ID attributes and contact information
- Protection and User threat indications
- First seen and last seen timestamps
- Number of devices the identity has signed into
- Linked user accounts, devices, and group memberships
- Related alerts and incidents, grouped by severity
Other details appear depending on enabled services and features. For example:
- Environments with Microsoft Defender for Identity can see:
  - Active Directory account control flags, such as password‑never‑expires or account lock status.
  - An organization tree that shows the identity’s position in the reporting hierarchy.
- (Preview) Environments with Microsoft Purview Insider Risk Management can see a user's insider risk severity and gain insights on a user's suspicious activities in the user page. Select the insider risk severity to see the risk insights about the user.
- (Preview) Environments with Microsoft Sentinel User and Entity Behavior Analytics (UEBA) can see:
  - The user's top three UEBA anomalies from the last 30 days.
  - Links to launch pre-built advanced hunting queries and view all anomalous behaviors related to the user on the Microsoft Sentinel events tab.
Incidents and alerts tab
The Incidents and alerts tab lists all alerts and incidents involving the identity within the supported retention window. See the incidents page or the alerts page for a detailed description of the specific item.
Observed in organization tab
The Observed in organization tab shows where and how the identity appears across the environment, helping analysts understand blast radius and potential lateral movement.
This tab can include:
| Section | Description |
|---|---|
| Accounts | All accounts associated with the identity across identity systems, including automatically and manually correlated accounts. Analysts can manually link other related accounts. An indicator shows which account is the primary account. |
| Devices | Devices the identity has signed into. This usually reflects recent activity. |
| Locations | Locations observed for sign-ins |
| Groups | Groups associated with the identity (when available) |
Primary accounts
Each identity can include multiple related accounts from different identity providers. Microsoft Defender identifies one account as the primary account and uses that account’s profile values for identity-level fields, such as display name and job title.
Microsoft Defender uses internal correlation logic to determine the primary account.
Timeline tab
The Timeline tab provides a chronological view of identity related activity and alerts aggregated from integrated Microsoft security products, such as Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, and Microsoft Sentinel.
The timeline helps reconstruct sequences of activity and correlate events during investigations.
Types of activities that appear in the timeline
The following data types are available in the timeline:
- A user's impacted alerts
- Active Directory and Microsoft Entra activities
- Cloud apps events
- Device logon events
- Directory services changes
Information shown for each activity in the timeline
The following information is displayed in the timeline:
- Date and time of the activity
- Activity/alert description
- Application that performed the activity
- Source device/IP address
- MITRE ATT&CK techniques
- Alert severity and status
- Country/region where the client IP address is geolocated
- Protocol used during the communication
- Target device (optional, viewable by customizing columns)
- Number of times the activity happened (optional, viewable by customizing columns)
Working with the timeline
Note
Microsoft Defender XDR can display date and time information using either your local time zone or UTC. The selected time zone applies to all date and time information shown in the Identity timeline.
To set the time zone for these features, go to Settings > Security center > Time zone.
Custom time range picker: Choose a timeframe to focus your investigation on the last 24 hours, the last 3 days, and so on. Or choose a specific timeframe by selecting Custom range. Filtered data older than 30 days is displayed in seven-day intervals.
Timeline filters: Use the timeline filters to narrow results by Type (alerts and/or user's related activities), Alert severity, Activity type, App, Location, or Protocol. Each filter depends on the others, and the options in each filter only contain data that's relevant for the specific user.
Customized columns: Select the Customize columns button to choose which columns to expose in the timeline.
Export: Export the timeline to a CSV file. Export is limited to the first 5,000 records and contains the data as displayed in the UI (same filters and columns).
Security recommendations tab
The Security recommendations tab displays identity related posture assessments identified through Identity Security Posture Management (ISPM). These recommendations highlight misconfigurations or risky settings across the identity’s accounts, and selecting a recommendation opens the details in Microsoft Secure Score for remediation guidance.
Attack paths tab
The Attack paths tab visualizes potential lateral movement paths that involve the identity or lead to it. These insights help security teams understand exploitable relationships and reduce identity‑based attack surface.
Policies tab
The Policies tab displays identity‑related security policies that are relevant to the identity based on its attributes, roles, and observed activity.
This view provides investigation context by showing which policies apply to the identity and how they influence access or risk evaluation. Policies are managed elsewhere; this tab helps analysts correlate policy enforcement with sign‑ins, alerts, and investigation findings.
Microsoft Sentinel events tab
When Microsoft Sentinel is connected to the Defender portal, this tab shows a Sentinel timeline for the identity. The timeline includes alerts associated with the identity, including alerts also shown on the Incidents and alerts tab and alerts created by Microsoft Sentinel. It also shows bookmarked hunts that reference the identity, activity events from external data sources, and unusual behaviors identified by Microsoft Sentinel anomaly rules.
Insights
The Insights section shows entity insights, which are investigation queries defined by Microsoft security researchers to help analysts investigate identities more efficiently. These insights automatically highlight key security signals such as sign-in activity, group changes, and anomalous behavior, and present results as tables and charts. Insights are powered by Microsoft Sentinel and the data sources connected to it, including Microsoft Entra ID logs and Microsoft Sentinel UEBA when enabled.
Types of insights
The following are some of the insights shown:
- User peers based on security group membership
- Actions by account
- Actions on account
- Event logs cleared by user
- Group additions
- Anomalously high office operation count
- Resource access
- Anomalously high Azure sign-in result count
- UEBA insights
- User access permissions to Azure subscriptions
- Threat indicators related to user
- Watchlist insights (Preview)
- Windows sign-in activity
Data sources for insights
Insights are based on the following data sources:
- Syslog (Linux)
- SecurityEvent (Windows)
- AuditLogs (Microsoft Entra ID)
- SigninLogs (Microsoft Entra ID)
- OfficeActivity (Office 365)
- BehaviorAnalytics (Microsoft Sentinel UEBA)
- Heartbeat (Azure Monitor Agent)
- CommonSecurityLog (Microsoft Sentinel)
Explore insights in Advanced hunting
To further explore any insight, select the link accompanying the insight. The link opens the Advanced hunting page with the query underlying the insight and its raw results. You can modify the query or drill down into the results to expand your investigation.
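As an added example (not a query from the page or from Microsoft), the following Advanced hunting query reconstructs two of the insights listed above, Windows sign-in activity and Event logs cleared by user, for a single account from the SecurityEvent data source. It assumes Microsoft Sentinel is connected to the Defender portal so that SecurityEvent is queryable in Advanced hunting; the account name and lookback window are constructed placeholders.

```kql
// Added example, not the page's or Microsoft's own insight query.
// Assumes the Microsoft Sentinel SecurityEvent table is available in Advanced hunting.
let targetAccount = "CONTOSO\\jdoe";   // constructed placeholder; replace with the account under investigation
let lookback = 30d;                    // matches the 30-day window used by the UEBA anomalies on the Overview tab
// Part 1: Windows sign-in activity (successful logons, Event ID 4624) by the account
let signins = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and Account =~ targetAccount
    | extend Activity = strcat("Logon type ", tostring(LogonType), " to ", Computer);
// Part 2: security event log cleared by the account (Event ID 1102), a common anti-forensics signal
let logsCleared = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 1102 and Account =~ targetAccount
    | extend Activity = strcat("Security log cleared on ", Computer);
// Merge both signals into one chronological view, mirroring the Timeline tab
union signins, logsCleared
| project TimeGenerated, EventID, Account, Computer, IpAddress, Activity
| order by TimeGenerated desc
```

Narrow the `where` clauses further (for example by `LogonType` or `Computer`) to focus on a specific host when the identity's logon volume is large.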