Entra ID Introduces Linkable Token Identifiers for Audit Events
Identifier Makes it Easier to Track User Activities in a Single Session
An interesting July 21 Technical Community announcement describes the introduction of linkable token identifiers for audit events. Essentially, when a user authenticates a session with Entra ID, the session is stamped with a unique GUID (the linkable token identifier). The linkable token identifier is persistent for the session and is inherited by workloads that support the token and inserted into the audit events generated by those workloads accessed during the session.
The idea is that by tracing the linkable token identifier, you can find out what the user did during a session. Linking audit events through the new identifier makes it easier for investigators to query audit data to discover the set of actions taken during a session and their sequencing. This might be necessary to check if an attacker has compromised an account and is exfiltrating data or taking other actions that you don’t want to happen. Of course, account compromise is less likely to happen when user accounts are protected with strong multifactor authentication like the Microsoft Authenticator app, but that’s another story.
The linkable token identifiers are now available in Entra sign-in logs, Exchange Online audit events, SharePoint Online audit events, Teams audit events, and Graph activity logs. Figure 1 shows the identifiers listed in the Entra sign-in log.

Using Audit Searches to Track Activities
Audit events end up in the unified audit log and the article includes a screenshot showing the results of a search using a linkable token identifier. Unhappily, the article doesn’t explain that you must use a keyword search to find events linked to a certain identifier (Figure 2).

The reason why a keyword (free text) search is necessary is that workload developers are inconsistent in how they include linkable token identifiers in the AuditData payload of their events. As you’d expect, Entra ID includes a simple SessionId property in the payload, but other workloads like Exchange Online and SharePoint Online refer to the token as AADSessionId.
Finding and Reporting Activities Based on Identifiers
Which brings me to the subject of how to search the audit log with PowerShell for all events with a linkable token identifier. The process is reasonably simple. For example, using the Search-UnifiedAuditLog cmdlet, the code is something like this:
# Assumes $StartDate, $UserId (the user's UPN) and $Session (the linkable token identifier)
# are already set; the snippet runs inside a loop over sessions, hence the Continue.
# A free-text search is needed because the identifier is not a top-level column.
[array]$Records = Search-UnifiedAuditLog -Formatted -StartDate $StartDate -EndDate (Get-Date) -UserIds $UserId -FreeText $Session -SessionCommand ReturnLargeSet -ResultSize 5000
If ($Records.Count -eq 0) {
    Write-Host "No audit records found for session $Session"
    Continue   # nothing for this session, move to the next identifier
} Else {
    # ReturnLargeSet can return duplicate records, so dedupe on Identity
    $Records = $Records | Sort-Object Identity -Unique
    # Put the events in chronological order
    $Records = $Records | Sort-Object {$_.CreationDate -as [datetime]}
    Write-Host ("Found {0} audit records for session {1}" -f $Records.Count, $Session)
}
Reporting Audit Events for All Sessions
The code uses a free text search to find all audit events that include the specified linkable token identifier between two dates, removes any duplicate events from the returned set, and sorts the set by the creation date.
But how about extending this to generate a report covering the events for every session within the 30-day period for which Entra ID retains sign-in logs? After all, multiple sessions might be created around the same time, and only one of the sessions might be suspicious. To do this, we need to find the full set of sign-in events captured for a user and extract the linkable token identifiers from that set. Here’s how to find that information using the Get-MgBetaAuditLogSignIn cmdlet from the Microsoft Graph PowerShell SDK (the beta cmdlet is needed to return the identifiers):
# Fetch every sign-in event for the user (the beta cmdlet returns the SessionId property)
[array]$Logs = Get-MgBetaAuditLogSignIn -Filter "userPrincipalName eq 'lotte.vetler@office365itpros.com'" -All
# Reduce the sign-ins to the distinct linkable token identifiers
[array]$Sessions = $Logs | Group-Object SessionId -NoElement | Select-Object -ExpandProperty Name
The $Sessions array now contains the linkable token identifiers, and to generate the report, it’s a matter of looping through the set of identifiers to use each with Search-UnifiedAuditLog to generate the set of audit events for the session. Figure 3 shows the kind of report that can be created from the generated data.
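To show the whole procedure end to end (collect the session identifiers from the sign-in log, search the unified audit log for each one, and build a per-session report), here is an added example that is not the downloadable script from the Office 365 for IT Pros repository. It also handles the inconsistency noted earlier, where Entra ID writes the identifier as SessionId while Exchange Online and SharePoint Online use AADSessionId, by reading both names from the AuditData payload and keeping only records whose identifier actually matches the session (a free-text hit elsewhere in the payload is discarded). It assumes Connect-MgGraph and Connect-ExchangeOnline have already been run with audit-reading permissions; the user principal name is the sample value from the article, and the output file name is my own choice.

```powershell
# Added example: per-session activity report joining Entra sign-ins to unified audit log events.
# Assumes an existing Graph session (AuditLog.Read.All) and an Exchange Online session.
$UserId    = 'lotte.vetler@office365itpros.com'   # sample UPN from the article
$StartDate = (Get-Date).AddDays(-30)              # Entra retains sign-in logs for 30 days
$EndDate   = Get-Date
$OutFile   = '.\SessionActivityReport.csv'        # assumed output path

# Step 1: the user's sign-ins, reduced to the distinct linkable token identifiers
[array]$Logs = Get-MgBetaAuditLogSignIn -Filter "userPrincipalName eq '$UserId'" -All
[array]$Sessions = $Logs | Where-Object { $_.SessionId } |
    Group-Object SessionId -NoElement | Select-Object -ExpandProperty Name

# Workloads are inconsistent about the property name inside AuditData, so normalise it here.
function Get-LinkableTokenId {
    param([string]$AuditData)
    $Payload = $AuditData | ConvertFrom-Json
    foreach ($Name in 'SessionId', 'AADSessionId') {
        if ($Payload.$Name) { return [string]$Payload.$Name }
    }
    return $null
}

$Report = [System.Collections.Generic.List[object]]::new()
foreach ($Session in $Sessions) {
    # Step 2: free-text search, because the identifier is not a top-level column
    [array]$Records = Search-UnifiedAuditLog -Formatted -StartDate $StartDate -EndDate $EndDate `
        -UserIds $UserId -FreeText $Session -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($Records.Count -eq 0) {
        Write-Host "No audit records found for session $Session"
        continue
    }
    # ReturnLargeSet can repeat records: dedupe on Identity, then order chronologically
    $Records = $Records | Sort-Object Identity -Unique |
        Sort-Object { $_.CreationDate -as [datetime] }
    Write-Host ("Found {0} audit records for session {1}" -f $Records.Count, $Session)

    # Context for the session: the earliest sign-in that carries this identifier
    $SignIn = $Logs | Where-Object { $_.SessionId -eq $Session } |
        Sort-Object CreatedDateTime | Select-Object -First 1

    foreach ($Record in $Records) {
        $TokenId = Get-LinkableTokenId -AuditData $Record.AuditData
        # Step 3: keep only events whose own payload names this session
        if ($TokenId -ne $Session) { continue }
        $Report.Add([PSCustomObject]@{
            Session    = $Session
            SignInTime = $SignIn.CreatedDateTime
            SignInIP   = $SignIn.IPAddress
            SignInApp  = $SignIn.AppDisplayName
            Timestamp  = $Record.CreationDate
            Workload   = $Record.RecordType
            Operation  = $Record.Operations
            User       = $Record.UserIds
        })
    }
}

# Step 4: one row per audit event, grouped by session and ordered in time
$Report | Sort-Object Session, Timestamp | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("Wrote {0} events across {1} sessions to {2}" -f $Report.Count, $Sessions.Count, $OutFile)
```

The sign-in row (time, IP address, application) is carried onto every event so an investigator reading the CSV can see at a glance which session an Exchange or SharePoint action belongs to and where that session originated. Dropping records whose payload does not carry the session identifier matters because -FreeText matches anywhere in the record, so a GUID that appears in an unrelated field would otherwise be attributed to the wrong session.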

The code I used to create the report is available for download from the Office 365 for IT Pros GitHub repository. In addition to the HTML report, the script also generates a CSV or XLSX file (an Excel worksheet is created if the ImportExcel module is available).
Good for Investigators
I’m sure that investigators will appreciate being able to easily connect the dots to discover what happened during a session. Adding linkable token identifiers to audit events is an example of a low-touch, high-value enhancement for Microsoft 365 tenants. It would be nice if all updates had the same impact.
Need some assistance to write and manage PowerShell scripts for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.