Agent Foskett Academy • Lesson 47 • Investigating IdentityInfo

Investigating IdentityInfo: The Account Looked Normal. The Permissions Didn't.

The sign-in looked legitimate.

MFA was successful.

Everything appeared normal.

Until investigators examined the account itself.

The user was not supposed to have elevated permissions.

IdentityInfo told a different story.

Agent Foskett Academy lesson explaining IdentityInfo in Microsoft Defender XDR
Lesson overview

Learn how IdentityInfo helps defenders understand who an account belongs to, what access it has and how much risk it represents.

Investigate user identity information
Review privileged roles and permissions
Understand group memberships
Build identity investigation context

Why IdentityInfo matters

Sign-in telemetry tells you that an account was used. IdentityInfo helps you understand what that account represents.
The user is only part of the storyMost investigations begin with an account. IdentityInfo helps defenders understand who that account belongs to, where it sits and what context surrounds it.
Permissions create riskA standard user account and a privileged account require very different responses. IdentityInfo helps expose role assignments and identity risk context.
Context changes priorityDepartment, manager, job title, group membership and risk level can change how an incident is triaged and how quickly defenders respond.

Investigation scenario

A sign-in looked normal, but the account context did not. Agent Foskett needed to answer one question: what could this account actually access?
The alert looked routineA user account generated several authentication events, but nothing in the sign-in evidence looked obviously hostile.
The permissions did not make senseFurther review suggested that the account had more access than expected, including permissions that did not match its business role.
IdentityInfo became the starting pointBefore chasing endpoints, files or cloud actions, Agent Foskett needed to understand the identity itself.

Step 1 — Review identity records

Start with recent IdentityInfo records and keep the fields that identify the account, its role in the organisation and its current risk context.
identityinfo-review-records.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
IdentityInfo
| where Timestamp > ago(30d)
| project Timestamp, AccountUpn, AccountDisplayName,
          Department, JobTitle, Manager, IsAccountEnabled, RiskLevel
| order by Timestamp desc

Step 2 — Investigate one user

When an account becomes interesting, focus on that user and collect the context that helps explain whether the activity fits the person behind the account.
identityinfo-one-user.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let User = "user@company.com";
IdentityInfo
| where AccountUpn =~ User
| project Timestamp, AccountUpn, AccountDisplayName,
          Department, JobTitle, Manager, IsAccountEnabled,
          RiskLevel, RiskStatus, CriticalityLevel
| order by Timestamp desc

Step 3 — Review privileged accounts

Privileged accounts change the impact of an investigation. Use AssignedRoles to identify accounts that may have elevated access inside Microsoft Entra ID.
identityinfo-privileged-accounts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
IdentityInfo
| where Timestamp > ago(30d)
| where isnotempty(AssignedRoles)
| project Timestamp, AccountUpn, AccountDisplayName,
          Department, JobTitle, AssignedRoles, RiskLevel
| order by Timestamp desc

Step 4 — Investigate group memberships

Group memberships often explain hidden access. A user may not have a role directly assigned, but a group membership can still create significant exposure.
identityinfo-group-memberships.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
let User = "user@company.com";
IdentityInfo
| where AccountUpn =~ User
| where isnotempty(GroupMembership)
| mv-expand GroupMembership
| project AccountUpn, AccountDisplayName,
          GroupName = tostring(GroupMembership)
| order by GroupName asc

Step 5 — Find highly privileged users

Search for roles that should always receive extra scrutiny during identity investigations.
identityinfo-high-privilege-users.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
IdentityInfo
| where Timestamp > ago(30d)
| where AssignedRoles has_any
    ("Global Administrator", "Privileged Role Administrator",
     "Security Administrator", "Exchange Administrator")
| project AccountUpn, AccountDisplayName,
          Department, JobTitle, AssignedRoles, RiskLevel
| order by AccountUpn asc

Step 6 — Build identity context

IdentityInfo becomes powerful when it is used to frame the rest of the investigation. Before deciding impact, understand the person, role, access and account status.
identityinfo-build-context.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
let User = "user@company.com";
IdentityInfo
| where AccountUpn =~ User
| project AccountUpn, AccountDisplayName, Type,
          Department, JobTitle, Manager, IsAccountEnabled,
          AssignedRoles, GroupMembership, RiskLevel, RiskStatus,
          CriticalityLevel, BlastRadius, TenantMembershipType
| order by Timestamp desc

Common investigation uses

IdentityInfo is most useful when defenders need to understand the account behind the activity.
Privileged account reviewsFind accounts with elevated roles, unexpected privilege assignments and identity risk indicators.
Identity compromise investigationsDetermine what an attacker could access if the account was compromised or misused.
Access reviews and exposure checksIdentify stale, excessive or surprising access by reviewing roles, group membership and account context.

Common mistakes

Identity investigations can go wrong when defenders focus only on login events and forget to inspect the account itself.
Focusing only on sign-insAuthentication data explains access. IdentityInfo explains potential impact.
Ignoring group membershipsGroups can grant important access even when a role is not obvious from the first record.
Assuming a user is standardMany investigations reveal unexpected roles, stale permissions or accounts that no longer match their business function.
The account was not suspicious. The access was.
IdentityInfo helped Agent Foskett move beyond the login and understand what the account could actually reach.
Back to Academy →

What you learned

IdentityInfo provides identity contextYou can use it to understand who an account belongs to, where it sits and whether the account is enabled or risky.
Permissions matterRole assignments and group memberships often determine investigation priority and potential business impact.
Account context shapes the timelineThe same event can mean something very different depending on whether the account is standard, privileged, guest, risky or highly critical.

Related Agent Foskett Academy lessons

Investigating IdentityLogonEventsReview sign-in and authentication evidence before assessing the account context.
Investigating IdentityDirectoryEventsInvestigate account changes, group changes and directory activity connected to the identity.
Investigating CloudAppEventsUnderstand what the account did after it authenticated inside cloud applications.
Investigating AlertEvidenceConnect alerts to users, devices, files, IP addresses and related entities.
Investigating AlertInfoReview alert severity, category, detection source and investigation priority.
Investigating DeviceLogonEventsCompare identity context with endpoint logon behaviour and account usage.
Building Investigation TimelinesUse identity context to explain who acted and why the event mattered.
Connecting Tables with joinJoin identity context to alerts, sign-ins, cloud actions and endpoint telemetry.

Coming next

Lesson 48 — Investigating SecurityIncident in Microsoft Defender XDRNext, Agent Foskett Academy will move into SecurityIncident, helping defenders understand how multiple alerts can become one investigation story.
Why this mattersIdentity context helps explain impact, but incidents help defenders understand how multiple signals connect across the environment.
What you will learn nextLearn how to review incident IDs, severity, status, owners, alerts and the broader incident timeline.

Final thought

The account was not suspicious. The permissions changed the story.
Agent Foskett mindsetThe important question is not: who logged in? The important question is: what could that account access?
Follow the identityBefore deciding impact, understand the account, its role, its groups, its privileges and the business context around it.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating IdentityInfo in Microsoft Defender XDR

Agent Foskett Academy Lesson 47 teaches defenders how to use IdentityInfo to investigate user account context, privileged roles, group memberships, departments, managers, account risk and identity exposure in Microsoft Defender XDR.

The account looked normal but the permissions did not

This lesson explains why defenders should not stop at sign-in evidence. IdentityInfo helps reveal who the account belongs to, what access it has, whether it is risky and how identity context changes the investigation.