Linkable token identifiers is a new Entra ID feature that adds a GUID to all the audit events for a session. The new identifiers make it easier to track all user actions taken during a session, and should be of great advantage to security investigators who need to know if an account is performing suspicious actions, possibly due to an attacker compromise.
Entra ID retains audit log records for service principal signins for 30 days. The audit data can reveal some interesting insights such as the presence of unexpected service principals or access to an application from an external source, or even the use of an app secret by an application instead of a more secure method. It’s time to write some PowerShell to interpret the data.
I’ve spent some time investigating Azure Automation PowerShell recently. In this article, I discuss three learnings that might be of interest to others. Debugging, cost, and tracking the use of Azure Automation PowerShell might not interest everyone, but they’ve certainly helped me to understand how the platform works.