

Manage related identities and accounts in Microsoft Defender for Identity

In enterprise environments, identities are often fragmented. A single user might have multiple accounts across systems, including personal, privileged, legacy, cloud-based, or orphaned accounts. These accounts can cover on-premises Active Directory, Microsoft Entra ID, or non-Microsoft identity providers such as Okta and Ping.

Fragmentation makes it difficult to maintain a unified view of identity across the organization. Manually linking or unlinking related accounts in Microsoft Defender for Identity helps you:

  • Correlate identity components across different systems.
  • Improve protection by creating a complete identity context.
  • Support investigations and response actions with unified identity views.

For example:

  • Personal and privileged accounts: A user might have two accounts, one for everyday work and another with elevated permissions for administrative tasks. For example:
    • rick.hofer@contoso.onmicrosoft.com (regular account)
    • rhofer@contoso.onmicrosoft.com (privileged account)
  • Multiple domains: Large organizations often manage several domains. Linking accounts across these domains provides full visibility into a user's activity. For example:
    • chris@fabrikam.com
    • chris@contoso.com
  • Personal and service accounts: A user might have both a personal account and a service account they own or manage. Linking those accounts helps connect ownership and responsibility to the same identity. For example:
    • valeria.barrios@contoso.com
    • backup.service@contoso.com
  • Legacy accounts: A user might still have an active account in a legacy system. Linking accounts ensures the legacy account is monitored and tied back to the correct identity. For example:
    • gabriela.laureano@contoso.com
    • glaureano@contosolegacy.local
  • Accounts in multiple services: A user might have a Microsoft Entra ID account, an Okta account, and a Ping account. Manually linking these accounts to the user's identity creates a consolidated view that supports identity-centric protection and investigation.

Use the procedures in this article to manually link accounts to identities, and to manually unlink unused, legacy, or orphaned accounts from identities in Defender for Identity.

Prerequisites

Link accounts to an identity

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Assets > Identities. Or, to go directly to the Identity Inventory page, use https://security.microsoft.com/identity-inventory.

    Screenshot of the identity inventory page in the Microsoft Defender portal.

  2. On the Identities tab of the Identity Inventory page, select an identity from the list by selecting its Display name value.

  3. On the identity details page that opens, select the Observed in organization tab, and verify the Accounts tab is selected.

    Screenshot that shows the accounts observed in an organization.

  4. On the Accounts tab, select Link.

  5. The Link accounts wizard opens. On the Select accounts page, use the search box to find an account. You can search by:

    • Display name
    • User principal name (UPN)
    • Security identifier (SID)
    • Source provider account

    Select one account by selecting the check box next to its Display name, and then select Next.

    Screenshot that shows a list of accounts that you can link.

  6. On the Enter justification page, enter a short explanation of why you're linking these accounts. A valid explanation includes:

    • Up to 50 characters.
    • Letters, numbers, spaces, @, or _.

    Select Next.

    Screenshot that shows where to enter the justification for why you're linking the accounts.

  7. On the Review and finish page, review the information, and select Back to make changes. When you're finished, select Submit.

    Screenshot that shows the review of the selected accounts and the justification.

    After the account is successfully linked, select Done.

Unlink accounts from an identity

  1. On the Identities tab of the Identity Inventory page at https://security.microsoft.com/identity-inventory, select an identity from the list by selecting its Display name value.
  2. On the identity details page that opens, select the Observed in organization tab, and verify the Accounts tab is selected.
  3. On the Accounts tab, select the account you want to unlink from the identity by selecting the check box next to the Display name column, and then select Unlink.
  4. In the Unlink accounts from ... confirmation dialog that opens, read the information, and then select Unlink accounts.
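The two procedures above (linking with a justification, and unlinking) can be modelled outside the portal to make the rules concrete. The following Python script is an added example, not Microsoft code and not an API of Defender for Identity: it imitates the link and unlink steps with plain data structures, enforces the justification rule from the Enter justification page (1 to 50 characters; letters, numbers, spaces, @ or _), and reports accounts that are linked to no identity so that orphaned or legacy accounts stand out. The provider names, the one-identity-per-account rule, and the sample inventory are assumptions and constructed data; the account names come from the examples on this page.

```python
"""Toy model of linking and unlinking accounts to identities.

Added example, not Microsoft code: it imitates the justification rule and the
link/unlink procedures described on the page using plain Python objects.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Justification rule from the page: 1-50 characters, letters, numbers, spaces, @ or _.
JUSTIFICATION_RE = re.compile(r"^[A-Za-z0-9 @_]{1,50}$")


def validate_justification(text: str) -> bool:
    """Return True when the justification satisfies the page's rule."""
    return bool(JUSTIFICATION_RE.fullmatch(text))


@dataclass
class Account:
    display_name: str
    upn: str
    provider: str                     # assumption: e.g. "EntraID", "Okta", "Ping", "Legacy AD"
    privileged: bool = False
    identity: Optional[str] = None    # display name of the identity this account is linked to


@dataclass
class Identity:
    display_name: str
    accounts: dict = field(default_factory=dict)   # upn -> Account
    audit: list = field(default_factory=list)      # (action, upn, justification)


class IdentityInventory:
    """Assumption of this model: an account belongs to at most one identity."""

    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.accounts: dict[str, Account] = {}

    def add_identity(self, name: str) -> None:
        self.identities[name] = Identity(name)

    def add_account(self, account: Account) -> None:
        self.accounts[account.upn] = account

    def link(self, identity_name: str, upn: str, justification: str) -> None:
        """Link one account to an identity, as the Link accounts wizard does."""
        if not validate_justification(justification):
            raise ValueError("justification must be 1-50 chars of letters, numbers, spaces, @ or _")
        identity = self.identities[identity_name]
        account = self.accounts[upn]
        if account.identity not in (None, identity_name):
            raise ValueError(f"{upn} is already linked to {account.identity}")
        account.identity = identity_name
        identity.accounts[upn] = account
        identity.audit.append(("link", upn, justification))

    def unlink(self, identity_name: str, upn: str) -> None:
        """Remove an account from an identity, as the Unlink action does."""
        identity = self.identities[identity_name]
        account = identity.accounts.pop(upn)
        account.identity = None
        identity.audit.append(("unlink", upn, ""))

    def orphaned_accounts(self) -> list:
        """UPNs of accounts that are linked to no identity (candidates for review)."""
        return sorted(a.upn for a in self.accounts.values() if a.identity is None)

    def unified_view(self, identity_name: str) -> dict:
        """The consolidated view an investigator gets once accounts are linked."""
        identity = self.identities[identity_name]
        return {
            "accounts": sorted(identity.accounts),
            "providers": sorted({a.provider for a in identity.accounts.values()}),
            "privileged": sorted(a.upn for a in identity.accounts.values() if a.privileged),
        }


def build_sample_inventory() -> IdentityInventory:
    """Constructed sample data using the example accounts from the page."""
    inv = IdentityInventory()
    inv.add_identity("Rick Hofer")
    inv.add_identity("Gabriela Laureano")
    for acct in [
        Account("Rick Hofer", "rick.hofer@contoso.onmicrosoft.com", "EntraID"),
        Account("Rick Hofer (admin)", "rhofer@contoso.onmicrosoft.com", "EntraID", privileged=True),
        Account("Gabriela Laureano", "gabriela.laureano@contoso.com", "EntraID"),
        Account("glaureano", "glaureano@contosolegacy.local", "Legacy AD"),
    ]:
        inv.add_account(acct)
    inv.link("Rick Hofer", "rick.hofer@contoso.onmicrosoft.com", "Primary work account")
    inv.link("Rick Hofer", "rhofer@contoso.onmicrosoft.com", "Admin account for the same user")
    inv.link("Gabriela Laureano", "gabriela.laureano@contoso.com", "Primary work account")
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print(inv.unified_view("Rick Hofer"))
    print("orphaned:", inv.orphaned_accounts())   # the legacy account is not linked yet
```

Running the script shows the legacy account glaureano@contosolegacy.local as orphaned until it is linked to Gabriela Laureano's identity with a valid justification; a justification containing a comma or longer than 50 characters is rejected before any link is recorded, mirroring the wizard's validation.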

What to expect after linking or unlinking an account in Defender for Identity

  • The selected accounts are linked or unlinked immediately.
  • The system updates the identity context and refreshes the account list.

See also