Custom account correlation rules allow you to correlate accounts that don't share strong identifiers such as account ID, SID, object ID, or UPN. This is especially useful for privileged accounts with unique naming conventions. By defining custom policies, you get full visibility and better protection for all accounts.
Prerequisites
- An active Microsoft Defender for Identity (MDI) license, or another license that includes MDI (such as E5). Without the required license, the policies page is read-only.
- At least one of the following roles to view policies:
  - Microsoft Entra ID roles: Security Reader, Security Operator, or Security Administrator
  - Defender roles: Security operations, Security data, Alerts (manage)
- One of the following roles to create, edit, or remove policies:
  - Microsoft Entra ID roles: At least Security Administrator
  - Defender roles: Security operations, Security data, Alerts (manage)
Tip
Use the least-privileged role that meets your needs. If your organization uses Microsoft Entra Privileged Identity Management (PIM), request just-in-time role activation instead of permanent role assignments.
Choose a correlation type
Before you create a rule, decide which correlation type fits your scenario. The following table describes the available options:
| Correlation type | Description | Example |
|---|---|---|
| Root UPN Prefix | Correlates accounts with matching prefixes before the '@' symbol. | user@acme.com and adm_user@acme.com share the prefix user. |
| Root UPN Suffix | Correlates accounts with matching suffixes after the '@' symbol. | user@acme.com and user_svc@acme.com share the suffix @acme.com. |
| Domain UPN | Correlates accounts across different domains with the same username. | user@acme.com and user@contoso.com. |
| Employee ID | Correlates accounts that share the same employee ID. | Two accounts with the same employee ID value are linked to one identity. |
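To make the four correlation types concrete, here is an added example (not Microsoft's implementation, whose exact matching logic the page does not describe) that groups a constructed set of accounts under each rule type. It assumes that configured prefixes and suffixes are stripped from the part of the UPN before '@' to derive a root username, and that matching is case-insensitive.

```python
from collections import defaultdict

# Constructed sample accounts (not from any real tenant).
ACCOUNTS = [
    {"upn": "user@acme.com", "employee_id": "E100"},
    {"upn": "adm_user@acme.com", "employee_id": None},
    {"upn": "user_svc@acme.com", "employee_id": None},
    {"upn": "user@contoso.com", "employee_id": "E100"},
    {"upn": "other@acme.com", "employee_id": "E200"},
]


def root_name(local, rule):
    """Strip a configured prefix/suffix from the local part (assumed semantics)."""
    for value in rule["values"]:
        v = value.lower()
        if rule["type"] == "Root UPN Prefix" and local.startswith(v) and len(local) > len(v):
            return local[len(v):]
        if rule["type"] == "Root UPN Suffix" and local.endswith(v) and len(local) > len(v):
            return local[:-len(v)]
    return local


def correlation_key(account, rule):
    """Key under which `account` is grouped by `rule`, or None if the rule does not apply.

    `rule` mirrors the wizard fields: a correlation type and the entered values.
    """
    local, _, domain = account["upn"].lower().partition("@")
    if rule["type"] in ("Root UPN Prefix", "Root UPN Suffix"):
        return (root_name(local, rule), domain)  # same root name within one domain
    if rule["type"] == "Domain UPN":
        domains = {d.lower() for d in rule["values"]}
        return local if domain in domains else None  # same username across listed domains
    if rule["type"] == "Employee ID":
        eid = account["employee_id"]
        if eid is None or (rule["values"] and eid not in rule["values"]):
            return None  # no employee ID, or not one of the configured IDs
        return eid
    raise ValueError(f"unknown correlation type: {rule['type']}")


def correlate(accounts, rule):
    """Group UPNs that share a correlation key; accounts left alone are dropped."""
    groups = defaultdict(list)
    for acct in accounts:
        key = correlation_key(acct, rule)
        if key is not None:
            groups[key].append(acct["upn"])
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Running the prefix rule with the value `adm_` links `user@acme.com` and `adm_user@acme.com`, while the domain rule with both domains links the two `user` accounts across `acme.com` and `contoso.com`.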
Add a correlation rule
- In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Identities.
- Select Account Correlation Rules.
- Select Add Rule.
- In the wizard, enter a Rule Name (up to 50 characters). You can use letters, numbers, and the following special characters: . - _ ! # ^ ~
- Select the Correlation Type (Root UPN Prefix, Root UPN Suffix, Domain UPN, or Employee ID).
- Enter the required values for the selected correlation type, such as prefixes, suffixes, domains, or employee IDs.
- Review the summary, which includes the rule name, correlation type, and selected values.
- Select Submit to create the rule. Correlation rule changes take effect within 12 hours.
Edit a correlation rule
- On the Account Correlation Rules page, select the checkbox next to the rule you want to edit. You can select only one rule at a time.
- Select Edit.
- In the wizard, update the rule configuration as needed.
- Review your changes, and then select Save. Changes take effect within 12 hours.
Remove a correlation rule
- On the Account Correlation Rules page, select the checkbox next to the rule you want to remove.
- Select Delete.
- In the confirmation prompt, select Remove to confirm, or Cancel to abort. Correlation rule changes take effect within 12 hours.