Microsoft Sentinel is standardizing how Account Name properties are populated when using UPN-based mappings, introducing new dedicated fields for full UPN and suffix to improve consistency across analytics, incidents, and automation.
Microsoft Sentinel is implementing a significant change to how account name properties are handled in analytics rules, set to take effect on July 1, 2026. This update aims to standardize and improve the consistency of entity data across analytics, incidents, and automation workflows.
The Problem with Current UPN Mapping
Currently, when an analytic rule maps a full User Principal Name (UPN) like 'user@domain.com' to the Account Name field, the resulting value in automation rules or Logic App playbooks is inconsistent. In some cases, you receive only the UPN prefix ('user'), while in other instances, you get the full UPN ('user@domain.com'). This inconsistency can lead to unpredictable behavior in your security automation workflows.
What's Changing
Starting July 1, 2026, Microsoft Sentinel will standardize the Account Name property to consistently contain only the UPN prefix. Additionally, three new fields will be added to provide more granular control:
- AccountName: Contains the UPN prefix (e.g., 'user')
- UPNSuffix: Contains the domain portion (e.g., 'domain.com')
- UserPrincipalName: Contains the full UPN (e.g., 'user@domain.com')
This change affects the SecurityAlert table, Logic App playbooks, and entity handling across the platform.
Impact on Your Automation Workflows
If your automation logic relies on exact string comparisons against the full UPN stored in Account Name, those conditions may no longer match after the update. This most commonly affects:
- Automation Rules using "Equals" condition on Account Name
- Logic App Playbooks comparing entity field 'accountName' to a full UPN value
Recommended Actions
To ensure your automation continues to function correctly, Microsoft recommends the following changes:
- Avoid strict equality checks against Account Name
- Use flexible operators such as:
  - Contains
  - Starts with
- Leverage the new UPNSuffix field for clearer intent
Before vs. After Examples
Before the change:
- Account Name shows as 'user' or 'user@domain.com' (inconsistent)
- Automation Rule conditions may fail unpredictably
After the change:
- Account Name will consistently show as 'user'
- UPNSuffix will contain 'domain.com'
- UserPrincipalName will contain 'user@domain.com'
Recommended update pattern:
- Account Name Contains/Starts with 'user'
- UPNSuffix Equals/Starts with/Contains 'domain.com'
This approach ensures compatibility both before and after the change takes effect.
Where to Update Your Workflows
Review any filters, conditions, or branching logic that depend on Account Name values:
- Automation Rules: Use the 'Account name' field
- Logic App Playbooks: Update conditions referencing the entity: 'accountName'
For example, an Automation Rule that previously relied on exact matching will need to be updated to use the new field structure and more flexible comparison operators.
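One way to run this review in bulk over exported automation rules, as an added example that is not Microsoft's code or part of the original article. The names `SAMPLE_RULES`, `audit_condition` and `audit_rules` are hypothetical, the rules are constructed sample data, and the JSON key layout is an assumption about the export format.

```python
import json

# Constructed sample export. The nested keys follow the shape of the Sentinel
# automation rule resource as an assumption; adjust them to match your export.
SAMPLE_RULES = json.loads("""[
 {"name": "vip-exact-upn", "properties": {"triggeringLogic": {"conditions": [
   {"conditionProperties": {"propertyName": "AccountName",
    "operator": "Equals", "propertyValues": ["user@domain.com"]}}]}}},
 {"name": "svc-exact-prefix", "properties": {"triggeringLogic": {"conditions": [
   {"conditionProperties": {"propertyName": "AccountName",
    "operator": "Equals", "propertyValues": ["user"]}}]}}},
 {"name": "already-flexible", "properties": {"triggeringLogic": {"conditions": [
   {"conditionProperties": {"propertyName": "AccountName",
    "operator": "StartsWith", "propertyValues": ["user"]}}]}}}
]""")

STRICT = {"Equals", "NotEquals"}

def audit_condition(cond):
    """Return findings for one condition; empty list when nothing to change."""
    props = cond.get("conditionProperties", {})
    if props.get("propertyName") != "AccountName":
        return []
    findings = []
    for value in props.get("propertyValues", []):
        prefix, sep, suffix = value.partition("@")
        if sep:
            # Full UPN compared to Account Name: after the change the field
            # holds only the prefix, so split the value across both fields.
            findings.append({"issue": "full-upn-in-account-name", "value": value,
                             "compare": {"Account Name": prefix, "UPNSuffix": suffix}})
        elif props.get("operator") in STRICT:
            # Exact match on the prefix misses alerts that carry the full UPN today.
            findings.append({"issue": "strict-equality-on-account-name", "value": value,
                             "compare": {"Account Name": prefix}})
    return findings

def audit_rules(rules):
    """Map rule name -> findings, listing only rules that need review."""
    report = {}
    for rule in rules:
        conds = rule.get("properties", {}).get("triggeringLogic", {}).get("conditions", [])
        found = [f for c in conds for f in audit_condition(c)]
        if found:
            report[rule.get("name", "<unnamed>")] = found
    return report

if __name__ == "__main__":
    print(json.dumps(audit_rules(SAMPLE_RULES), indent=2))
```

When rewriting a flagged condition, note that Starts with 'user' also matches longer prefixes such as 'user2', so pair it with a UPNSuffix condition and check what else the broader operator can match.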
Why This Matters
The standardization provides several benefits:
- Predictable behavior: No more inconsistent Account Name values
- Enhanced filtering: More granular control over automation logic
- Better structure: Clear separation between prefix, suffix, and full UPN
- Future-proofing: More robust automation that won't break with future changes
This update represents Microsoft's ongoing commitment to improving the consistency and reliability of security automation in Sentinel. By providing dedicated fields for different parts of the UPN, customers gain more precise control over their automation logic while reducing the risk of unexpected behavior.
Timeline and Next Steps
- Effective Date: July 1, 2026
- Action Required: Review and update your automation rules and playbooks
- Scope: Analytics rules with UPN to Account Name mapping
The change will apply automatically - no opt-in is required. However, proactive review of your automation workflows is essential to ensure continued functionality after the update.
For more information about Microsoft Sentinel and its capabilities as a cloud-native SIEM enriched with AI and automation, visit the Microsoft Sentinel documentation.
This update is part of Microsoft's broader strategy to enhance the security operations capabilities of Sentinel, providing customers with more reliable and consistent automation across their digital environments.
