Investigating suspicious activity in Microsoft 365 has always been a challenging task. Analysts often face scattered audit logs across services like Exchange, SharePoint, and Teams, making it hard to connect events or trace an attacker’s path. Linkable identifiers in Microsoft Entra solve this by assigning a consistent session-based ID across all logs, allowing analysts to correlate activities end-to-end. This unified approach makes it easier to trace attacker movement, detect anomalies, and respond to identity threats effectively. Let’s dive deeper into how they work and why they’re essential to track and investigate identity activities in Microsoft 365.

What Are Linkable Identifiers in Microsoft Entra ID?

Imagine an attacker successfully signs in to a compromised user account. They move between Outlook, SharePoint, and Teams, downloading files, sending emails, and creating new sharing links. Traditionally, SOC analysts had to manually correlate Microsoft 365 audit logs with user accounts and IP addresses to track malicious sessions. This approach was time-consuming and error-prone, especially when attackers moved laterally across services.

This is where linkable identifiers come in! Linkable identifiers in Entra ID are unique values that help security analysts trace user activity across Microsoft 365 services.

Microsoft Entra provides two types of linkable identifiers to strengthen identity threat detection and response:

  1. Session ID-based Identifiers (SID)
  2. Unique Token Identifiers (UTI)

Session ID-based Identifier (SID)

When a user signs in to Microsoft Entra, a unique session ID (SID) is created. The SID works like a name tag for that sign-in session: every access token (AT), refresh token (RT), and session cookie issued from that session carries the same SID. That lets you trace all actions taken with those tokens, such as opening emails, downloading files, or using Teams, back to one sign-in.

Unique Token Identifier (UTI)

Each token also has a Unique Token Identifier (UTI). This works like a serial number for that specific token.

  • The SID connects all actions within a session.
  • The UTI lets you track an individual token if needed.

Both the SID and UTI are recorded in Microsoft Entra sign-in logs and in the Microsoft 365 service audit logs for Exchange, SharePoint, and Teams. An analyst can therefore copy the SID from a suspicious sign-in entry and look for the same value in each workload's audit records, which is what turns scattered per-service logs into an end-to-end view of one session.

Where Can You Find Linkable Identifiers in Microsoft 365?

To support investigations across workloads, linkable identifiers are recorded in the following log sources:

  • Microsoft Entra sign-in logs
  • Microsoft Exchange Online audit logs
  • Microsoft Graph activity logs
  • Microsoft SharePoint Online audit logs
  • Microsoft Teams audit logs

This table maps each linkable identifier claim in the token to the attribute name it appears under in each Microsoft 365 log (in the Exchange, SharePoint, and Teams audit records, the uti and iat values sit inside the AppAccessContext object of the AuditData JSON):

Claim    | Format                   | Description                                               | Entra sign-in logs      | Exchange Online audit logs              | Microsoft Graph activity logs | SharePoint Online audit logs            | Teams audit logs
oid      | String (GUID)            | Unique ID of the user or service principal.               | User ID                 | TokenObjectId                           | UserId                        | UserObjectId                            | UserKey
tid      | String (GUID)            | ID of the tenant the user signed in to.                   | Resource Tenant ID      | TokenTenantId                           | TenantId                      | OrganizationId                          | OrganizationId
sid      | String (GUID)            | ID for the entire sign-in session.                        | Session ID              | SessionID / AADSessionId                | SessionId                     | AADSessionId                            | AADSessionId
deviceid | String (GUID)            | Device ID (only for registered or domain-joined devices). | Device ID               | DeviceId                                | DeviceId                      | DeviceId                                | DeviceId
uti      | String                   | Unique per-token identifier (case-sensitive).             | Unique Token Identifier | UniqueTokenId (within AppAccessContext) | SignInActivityId              | UniqueTokenId (within AppAccessContext) | UniqueTokenId (within AppAccessContext)
iat      | Integer (Unix timestamp) | Time the token was issued.                                | Date                    | IssuedAtTime (within AppAccessContext)  | TokenIssuedAt                 | IssuedAtTime (within AppAccessContext)  | IssuedAtTime (within AppAccessContext)

Once you know where to locate these identifiers, analyzing each workload becomes much easier.

How to Investigate Identity Activities Using Linkable Token Identifiers?

Follow these steps to trace a suspicious session and uncover hidden risks in Microsoft 365 using a specific Session ID (SID) or Unique Token Identifier (UTI).

Example Scenario:

A security alert flagged that a user’s mailbox experienced a hard delete action, potentially indicating data exfiltration or malicious cleanup. You want to trace the activity end-to-end using Session ID (SID) and Unique Token Identifier (UTI).

Start with Microsoft Entra sign-in logs to pinpoint where the suspicious session originated.

Every Entra sign-in entry includes the SID and UTI, and they are the anchors for tracing that sign-in across Microsoft 365. The Session ID is shown in the entry's details, and it is the value you carry into the workload audit logs to find every action tied to that session.

How to Trace Session ID in Entra ID Sign-in Logs?

  1. Sign in to the Microsoft Entra admin center with at least a Reports Reader role.
  2. Go to Microsoft Entra ID –> Monitoring & health –> Sign-in logs.
  3. Filter by time range or a specific user to locate relevant log entries.
  4. Upon selecting a log entry:
    • The Basic Info tab provides the User ID, Resource Tenant ID, Session ID, Unique Token Identifier, and Date.
    • For registered or domain-joined devices, the Device ID can be found in the Devices tab.


These identifiers are key to correlating activities across Microsoft 365 services. Not all applications send Session IDs with their audit events, which can limit activity correlation across Microsoft 365.

Tip: Besides reviewing Entra ID sign-in logs directly, you can create a custom Workbook in Microsoft Entra to visualize all activities tied to a specific Session ID (SID). Workbooks query a Log Analytics workspace, so the sign-in logs (and the workload logs you want alongside them) must already be routed there through diagnostic settings.

  • Use the Workbook to map the entire session flow, from the suspicious sign‑in to related mailbox deletions, file activity, or Teams actions.
  • Visualizations like timelines, charts, and filters make it easier to quickly spot anomalies or confirm malicious patterns.

This approach provides a clear, end‑to‑end view of the compromised session and speeds up the investigation process.

Once you have the Session ID and Unique Token Identifier from the Entra sign-in logs, you can use them to connect the dots across Microsoft 365 audit logs. The goal is to see exactly what the user or the compromised token did after the suspicious sign-in. This step transforms raw sign-in data into actionable insights, revealing whether the mailbox hard delete was part of malicious activity or just routine usage.

  • Go to the Microsoft Purview portal and open Audit.
  • Set the date and time range covering the activity.
  • Filter the audit logs by Workload (Exchange, SharePoint, or Teams; Exchange for the mailbox hard delete) and by the compromised user.
  • Select Search.
  • The results list all activities performed by that user in the period, including the HardDelete operation.

After collecting audit log entries, the next step is to narrow them down to only the actions tied to the suspicious session or token. This is where linkable identifiers SID and UTI become critical. They allow you to follow a single sign‑in or token across the entire Microsoft 365 environment and confirm whether the alert is part of malicious activity.

  • Filter by Session ID (SID):
    View all actions performed within the same sign‑in session, such as mailbox deletions, file access, or Teams activities. This shows the complete end‑to‑end path of that session.
  • Filter by Unique Token Identifier (UTI):
    Focus on actions taken with a single token, even if the user had multiple active sessions. This is useful for investigating token theft or misuse.

Note: You need to correlate linkable identifiers manually. Microsoft Purview’s audit search does not directly filter by SID or UTI. To investigate:

  • Export audit data covering the timeframe and the compromised user.
  • Use Excel or a SIEM tool like Microsoft Sentinel or Splunk to match the Session ID from Entra logs with the audit events.
  • In Sentinel or Log Analytics, you can query the raw data to filter by SID or UTI for precise correlation.

This approach helps you manually link sign‑in sessions to activities across Microsoft 365.
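The manual correlation described above, as an added example rather than code from the original post: a PowerShell script that joins a Purview audit export with Entra sign-in entries on the Session ID and, separately, on the Unique Token Identifier. All sample records, GUIDs, UPNs and IP addresses in it are constructed (a real export carries many more columns), and the function names Get-LinkableIds and Find-SessionActivity are this example's own. It also counts records that carry no SID at all, which is the case for applications that do not send one and therefore cannot be attributed this way.

```powershell
# Added example, not code from the original post. Every record, GUID, UPN and IP
# address below is constructed for illustration.

function Get-LinkableIds {
    # Pull SID, UTI and issue time out of one parsed AuditData document.
    # Exchange mailbox records expose SessionId at top level; Exchange, SharePoint
    # and Teams records carry AADSessionId and UniqueTokenId under AppAccessContext.
    param([Parameter(Mandatory)] $AuditData)
    $ctx = $AuditData.AppAccessContext
    $sid = $AuditData.SessionId
    $uti = $null
    $iat = $null
    if ($ctx) {
        if (-not $sid) { $sid = $ctx.AADSessionId }
        $uti = $ctx.UniqueTokenId
        $iat = $ctx.IssuedAtTime
    }
    [pscustomobject]@{ SessionId = $sid; UniqueTokenId = $uti; IssuedAtTime = $iat }
}

function Find-SessionActivity {
    # Return the audit rows tied to one SID (a GUID, compared case-insensitively)
    # or, when -UniqueTokenId is given, to one exact UTI (UTIs are case-sensitive).
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,
        [string] $SessionId,
        [string] $UniqueTokenId
    )
    foreach ($r in $AuditRecords) {
        $data   = $r.AuditData | ConvertFrom-Json
        $ids    = Get-LinkableIds $data
        $sidHit = $SessionId -and ($ids.SessionId -eq $SessionId)
        $utiHit = $UniqueTokenId -and ($ids.UniqueTokenId -ceq $UniqueTokenId)
        if (-not ($sidHit -or $utiHit)) { continue }
        $ip = $data.ClientIPAddress                 # Exchange records
        if (-not $ip) { $ip = $data.ClientIP }      # SharePoint and Teams records
        [pscustomobject]@{
            Time          = [datetime]$r.CreationDate
            Source        = 'Purview audit'
            Workload      = $data.Workload
            Operation     = $r.Operations
            ClientIP      = $ip
            SessionId     = $ids.SessionId
            UniqueTokenId = $ids.UniqueTokenId
        }
    }
}

# Constructed Entra sign-in entries: the flagged sign-in and the user's normal one.
$flaggedSid = '6b0f6a0e-3b7c-4f1b-9a3f-1a2b3c4d5e6f'
$signIns = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-02T09:58:00Z'; User = 'alex@contoso.com'; IPAddress = '203.0.113.7'
                       SessionId = $flaggedSid; UniqueTokenIdentifier = 'Wg4kN7P3dU6w9xL0QmS1AA' }
    [pscustomobject]@{ Time = [datetime]'2024-05-02T08:15:00Z'; User = 'alex@contoso.com'; IPAddress = '198.51.100.20'
                       SessionId = '0c8e2d41-5d2a-4e77-8f0d-2b3c4d5e6f70'; UniqueTokenIdentifier = 'a1B2c3D4e5F6g7H8i9J0kQ' }
)

# Constructed Purview export rows (CreationDate, UserIds, Operations, AuditData JSON).
$auditRecords = @(
    [pscustomobject]@{ CreationDate = '2024-05-02T10:04:11Z'; UserIds = 'alex@contoso.com'; Operations = 'HardDelete'
        AuditData = '{"Workload":"Exchange","Operation":"HardDelete","ClientIPAddress":"203.0.113.7","SessionId":"6b0f6a0e-3b7c-4f1b-9a3f-1a2b3c4d5e6f","AppAccessContext":{"AADSessionId":"6b0f6a0e-3b7c-4f1b-9a3f-1a2b3c4d5e6f","UniqueTokenId":"Wg4kN7P3dU6w9xL0QmS1AA","IssuedAtTime":"2024-05-02T09:58:02Z"}}' }
    [pscustomobject]@{ CreationDate = '2024-05-02T10:01:40Z'; UserIds = 'alex@contoso.com'; Operations = 'FileDownloaded'
        AuditData = '{"Workload":"SharePoint","Operation":"FileDownloaded","ClientIP":"203.0.113.7","AppAccessContext":{"AADSessionId":"6b0f6a0e-3b7c-4f1b-9a3f-1a2b3c4d5e6f","UniqueTokenId":"pQ2xR8sT1uV3wX5yZ7aBcA","IssuedAtTime":"2024-05-02T10:01:05Z"}}' }
    [pscustomobject]@{ CreationDate = '2024-05-02T08:20:05Z'; UserIds = 'alex@contoso.com'; Operations = 'MailItemsAccessed'
        AuditData = '{"Workload":"Exchange","Operation":"MailItemsAccessed","ClientIPAddress":"198.51.100.20","SessionId":"0c8e2d41-5d2a-4e77-8f0d-2b3c4d5e6f70","AppAccessContext":{"AADSessionId":"0c8e2d41-5d2a-4e77-8f0d-2b3c4d5e6f70","UniqueTokenId":"a1B2c3D4e5F6g7H8i9J0kQ","IssuedAtTime":"2024-05-02T08:15:03Z"}}' }
    [pscustomobject]@{ CreationDate = '2024-05-02T10:06:30Z'; UserIds = 'alex@contoso.com'; Operations = 'Send'
        AuditData = '{"Workload":"Exchange","Operation":"Send","ClientIPAddress":"203.0.113.7"}' }
)

# 1. Session view: the sign-in plus every workload record carrying the same SID.
$timeline = @(
    $signIns | Where-Object SessionId -eq $flaggedSid | ForEach-Object {
        [pscustomobject]@{ Time = $_.Time; Source = 'Entra sign-in'; Workload = 'Entra ID'; Operation = 'Sign-in'
                           ClientIP = $_.IPAddress; SessionId = $_.SessionId; UniqueTokenId = $_.UniqueTokenIdentifier }
    }
) + @(Find-SessionActivity -AuditRecords $auditRecords -SessionId $flaggedSid)
$timeline | Sort-Object Time | Format-Table Time, Source, Workload, Operation, ClientIP, UniqueTokenId -AutoSize

# 2. Token view: only the HardDelete stays, because the SharePoint download used a
#    different token (its own UTI) inside the same session.
Find-SessionActivity -AuditRecords $auditRecords -UniqueTokenId $signIns[0].UniqueTokenIdentifier |
    Format-Table Time, Workload, Operation, UniqueTokenId -AutoSize

# 3. Records with no SID (apps that do not send one) cannot be attributed this way.
$unattributed = @($auditRecords | Where-Object { -not (Get-LinkableIds ($_.AuditData | ConvertFrom-Json)).SessionId })
"$($unattributed.Count) record(s) carry no session identifier; pivot on user, IP and time for those."
```

To run it against real data, replace the two constructed arrays with Import-Csv of the Purview export and of the sign-in log export, keeping the AuditData column as the raw JSON string; the matching logic does not change.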

If the timeline confirms malicious mailbox access or data exfiltration:

  • Revoke the user's sessions in Microsoft Entra (Revoke sessions on the user object, or Revoke-MgUserSignInSession). This invalidates refresh tokens and session cookies, but access tokens already issued remain valid until they expire (typically about an hour) unless the client supports Continuous Access Evaluation, so expect a short tail of activity under the same SID and UTIs.
  • Reset the user's credentials and enforce MFA to secure the account.
  • Continue monitoring for suspicious follow-up activity, pivoting on the same user, source IP addresses, and any new SIDs that appear.

By analyzing and exporting logs in the context of the compromised mailbox use case, you create a clear, end‑to‑end investigation trail that supports both threat detection and incident response.

Linkable Identifiers in Microsoft Graph Activity Logs

Microsoft Graph activity logs record every HTTP request processed by the Microsoft Graph service for a tenant, providing a comprehensive audit trail. When these logs are sent to a Log Analytics workspace, they support advanced analysis and investigation.

Using Kusto Query Language (KQL), security analysts can:

  • Correlate Microsoft Graph activity logs with Microsoft Entra sign-in logs through linkable identifiers such as SID and UTI.
  • Trace and analyze all user actions performed in Microsoft Graph, including mailbox access and other resource interactions.

This integration enables end-to-end visibility into token usage and user activity, enhancing the accuracy and speed of threat investigations.

Example Scenario: Tracing User Activity Across Microsoft 365

  • A user signs in to Microsoft 365. The tokens issued for that sign-in all carry the session's SID, and each token carries its own UTI.
  • The user makes API calls to Microsoft Graph. Each request is logged with the SID and with the UTI of the access token presented (the SignInActivityId column).
  • The user performs actions in Exchange Online such as reading, moving, or deleting emails; these records carry the same SID and the UTI of the token used against Exchange.
  • The SID ties all of these actions across services to one session, while a UTI pinpoints the activity of one specific token.

Query Microsoft Graph Activity Logs in Log Analytics

Once you have the Session ID from the Entra sign-in logs, you can query Log Analytics to correlate Microsoft Graph activity with sign-in events. Before running the query, ensure that both Microsoft Graph activity logs and Entra sign-in logs are sent to the same Log Analytics workspace through diagnostic settings.

This sample KQL query:

  • Filters activity logs for a specific user and timeframe.
  • Joins Graph activity logs with Entra sign‑in logs using the Unique Token Identifier.
  • Returns all activity linked to the session, so you can investigate mailbox actions and Graph API calls.
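A concrete form of that query, added here and not the post's own: the KQL is embedded in a PowerShell here-string and executed with Invoke-AzOperationalInsightsQuery from the Az.OperationalInsights module. It assumes Connect-AzAccount has been run and that SigninLogs, AADNonInteractiveUserSignInLogs and MicrosoftGraphActivityLogs are streamed to the workspace under the column names those tables expose in Log Analytics (check them against your workspace); the workspace ID and session ID are placeholders. It goes one step beyond the bullets above by also pulling in non-interactive sign-ins, because a token refresh issues a new UTI that is logged only there, and a Graph request made with the refreshed token would otherwise not join back to the session.

```powershell
# Added example, not the post's own query. Placeholders and table/column names
# are assumptions to verify against your own workspace.
$workspaceId = '<LogAnalyticsWorkspaceId>'
$sessionId   = '<SessionID>'   # Session ID copied from the Entra sign-in entry

$kql = @'
let targetSid = "__SID__";
let window = 24h;
// Token refreshes are logged as non-interactive sign-ins with a new UTI, so a
// Graph request may carry a UTI that appears only in that table.
let signins = union SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(window)
    | where SessionId == targetSid
    | project SignInTime = TimeGenerated, UserPrincipalName, AppDisplayName,
              SignInIp = IPAddress, UniqueTokenIdentifier;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(window)
// The Graph log stores the presented access token's UTI as SignInActivityId.
| join kind=inner (signins) on $left.SignInActivityId == $right.UniqueTokenIdentifier
| extend MailboxCall = RequestUri has "/messages" or RequestUri has "/mailFolders"
| project TimeGenerated, UserPrincipalName, AppDisplayName, SignInIp, IPAddress,
          RequestMethod, RequestUri, ResponseStatusCode, MailboxCall, SessionId, SignInActivityId
| order by TimeGenerated asc
'@ -replace '__SID__', $sessionId

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)
$response.Results |
    Format-Table TimeGenerated, AppDisplayName, RequestMethod, RequestUri, ResponseStatusCode, MailboxCall -AutoSize

# Quick triage: calls per application in the session, and how many touched the mailbox.
$response.Results | Group-Object AppDisplayName | ForEach-Object {
    [pscustomobject]@{
        App          = $_.Name
        Calls        = $_.Count
        MailboxCalls = @($_.Group | Where-Object { $_.MailboxCall -eq 'True' }).Count
    }
}
```

The join is on the UTI rather than the SID because the Graph record names the exact token that made the request; filtering the sign-in side by SID first and then joining on UTI gives you the session scope and the token attribution in one pass.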

By integrating Microsoft Graph activity logs with Entra sign‑in data, you gain a complete, token‑level view of user activity. This visibility transforms token identifiers into a powerful tool for detecting and investigating threats, before they escalate into breaches.

Linkable Identifiers in Exchange Online Audit Logs

Exchange Online audit logs now carry linkable identifiers that tie mailbox activities directly to the original sign‑in session or token. This makes it possible to pinpoint who performed an action, when it occurred, and which session or token was used.

Mailbox Activities You Can Track:

Friendly name                                | Operation
Accessed mailbox items                       | MailItemsAccessed
Added delegate mailbox permissions           | Add-MailboxPermission
Added or removed calendar delegates          | UpdateCalendarDelegation
Added permissions to folder                  | AddFolderPermissions
Copied messages to another folder            | Copy
Created mailbox item                         | Create
Created new inbox rule in OWA                | New-InboxRule
Deleted messages from Deleted Items folder   | SoftDelete
Moved messages to another folder             | Move
Moved messages to Deleted Items folder       | MoveToDeletedItems
Modified folder permission                   | ModifyFolderPermissions
Purged messages from the mailbox             | HardDelete
Removed delegate mailbox permissions         | Remove-MailboxPermission
Removed permissions from folder              | RemoveFolderPermissions
Sent message                                 | Send
Sent message using Send As permissions       | SendAs
Sent message using Send On Behalf permissions| SendOnBehalf
Updated message                              | Update

Find Session Identifiers in Exchange Online Logs Using PowerShell

Follow these steps to view Exchange Online audit logs and mailbox activities via PowerShell:

1. Open PowerShell and connect to Exchange Online with the Exchange Online Management module (Connect-ExchangeOnline).

2. Run the script below to search the unified audit log for all events that carry the linkable token identifier.


Replace <SessionID> with the session you want to investigate.

Replace <StartDate> and <EndDate> with your desired date range.

Set <OutputFilePath> to the location where you want the results to be saved.

Important: This script is limited to 5,000 records, which is the maximum ResultSize a single Search-UnifiedAuditLog call returns. If the session generated more than that in the chosen window, the report will miss entries; narrow the date range or page through the results. For an extended version of the script, feel free to comment below.
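As an added example that is not the post's script: a function around Search-UnifiedAuditLog that retrieves the Exchange Online records for one session and pages through a server-side search session, which takes it past the 5,000-record limit of a single call (one search session is capped at 50,000 records, so narrow the dates if you hit that). It assumes the ExchangeOnlineManagement module and a completed Connect-ExchangeOnline; Get-SessionAuditRecords, the sample dates and the placeholder values are this example's own.

```powershell
# Added example, not the post's script. Placeholders are marked with <...>.
function Get-SessionAuditRecords {
    param(
        [Parameter(Mandatory)] [string] $SessionID,
        [datetime] $StartDate = (Get-Date).AddDays(-7),
        [datetime] $EndDate   = (Get-Date),
        [string]   $OutputFilePath = '.\SessionActivity.csv'
    )

    # One server-side search session; ReturnLargeSet pages through up to 50,000 records.
    $searchSession = "linkable-$SessionID-" + [guid]::NewGuid().ToString('N')
    $raw = [System.Collections.Generic.List[object]]::new()
    do {
        # -FreeText asks the service to pre-filter on the SID string; the exact
        # match is still verified below on the parsed AuditData.
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -RecordType ExchangeItem, ExchangeItemGroup, ExchangeItemAggregated `
            -FreeText $SessionID -SessionId $searchSession -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $raw.AddRange(@($page)) }
    } while ($page)
    if ($raw.Count -ge 50000) { Write-Warning 'Hit the 50,000-record search cap; narrow the date range.' }

    $records = foreach ($rec in ($raw | Sort-Object Identity -Unique)) {
        $data = $rec.AuditData | ConvertFrom-Json
        $ctx  = $data.AppAccessContext
        $sid  = $data.SessionId                       # top-level on mailbox records
        if (-not $sid -and $ctx) { $sid = $ctx.AADSessionId }
        if ($sid -ne $SessionID) { continue }         # FreeText matched elsewhere in the record
        $uti = $null; $iat = $null
        if ($ctx) { $uti = $ctx.UniqueTokenId; $iat = $ctx.IssuedAtTime }
        $folder = $null
        if ($data.Folder) { $folder = $data.Folder.Path }
        $items = 0
        if ($data.AffectedItems) { $items = @($data.AffectedItems).Count }
        [pscustomobject]@{
            CreationDate  = $rec.CreationDate
            User          = $rec.UserIds
            Operation     = $data.Operation
            Folder        = $folder
            ItemCount     = $items
            ClientIP      = $data.ClientIPAddress
            ClientInfo    = $data.ClientInfoString
            SessionId     = $sid
            UniqueTokenId = $uti
            IssuedAtTime  = $iat
        }
    }
    $records | Sort-Object CreationDate | Export-Csv -Path $OutputFilePath -NoTypeInformation
    Write-Host "$(@($records).Count) record(s) for session $SessionID written to $OutputFilePath"
    $records
}

# Usage: the SID comes from the Entra sign-in entry; the dates are a constructed window.
Get-SessionAuditRecords -SessionID '<SessionID>' -StartDate '2024-05-01' -EndDate '2024-05-03' `
    -OutputFilePath '<OutputFilePath>' |
    Group-Object Operation | Select-Object Name, Count
```

The ItemCount and Folder columns come from the AffectedItems and Folder fields that mailbox records such as HardDelete, SoftDelete and Move carry, so the CSV shows at a glance how many items a purge touched and from which folder.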

By adopting Linkable Identifiers in Microsoft Entra ID, organizations can achieve end‑to‑end visibility and make investigations faster and more reliable. I hope this blog helped you understand how to use SIDs and UTIs for better identity threat detection.

If anything is unclear or you need help, feel free to ask in the comments.