Version: 2.1.1-preview

MT.1111 - High privileged user should be linked to an identity

Overview

Linking a privileged user account to the primary work account in Microsoft Defender XDR makes it easier to detect, prioritize, and contain attacks that target highly sensitive identities. It also improves incident response because all relevant activity and risk signals are correlated to the real person behind both identities, reducing blind spots and investigation time.

This use case is explicitly described in the Defender XDR documentation: A user might have two accounts, one for everyday work and another with elevated permissions for administrative tasks.

Example:

  • [email protected] (regular account)
  • [email protected] (privileged account)

How to fix

Review the accounts in the Identity inventory of the Microsoft Defender portal, then add a manual link from the identity page of the (primary) user account to the privileged account.

Test Metadata

| Field | Value |
| --- | --- |
| Test ID | MT.1111 |
| Severity | Low |
| Suite | Maester |
| Category | Privileged |
| PowerShell test | Test-MtXspmPrivilegedUsersLinkedToIdentity |
| Tags | Entra, EntraOps, Graph, LongRunning, MT.1111, Preview, Privileged, XSPM |

Source

  • Pester test: tests/XSPM/Test-XspmPrivilegedIdentities.Tests.ps1
  • PowerShell source: powershell/public/xspm/Test-MtXspmPrivilegedUsersLinkedToIdentity.ps1