M365 Message Center by Cengiz YILMAZ


Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Fix/Update Microsoft Sentinel Account Entity Naming to avoid inconsistent account identification in incidents and alerts

Message ID

MC1183015

Services

Microsoft Defender XDR

Summary

By July 1, 2026, update Microsoft Sentinel analytic rules, automations, workbooks, and queries to use the new account entity naming precedence: UPN prefix → name → display name. Failure to update may cause issues in incidents, alerts, dashboards, and playbooks referencing account names.

Details

Updated November 19, 2025: We have updated the timing of this change below. Thank you for your patience.

On July 1, 2026, you may encounter issues if you haven't updated your analytic rules, automation rules/playbooks, workbooks, hunting queries, or custom integrations to be precedence-aware for account entity naming. We've standardized the account entity naming logic in Microsoft Sentinel incidents and alerts, where the account entity naming priority is: UPN prefix → name → display name. Please update your queries and automations to use the new precedence pattern.

You are receiving this message because our reporting indicates your organization may be using Microsoft Sentinel incidents, alerts (AlertV3), or related automation.

When this will happen:

July 1, 2026 (previously February 13, 2026)

How this will affect your organization:

If you don't fix this problem, the following queries, automations, dashboards, and reports that reference account names may be affected:

  • Analytics (KQL) that filter by, join on, or normalize account names
  • Automation rules & playbooks (e.g., Logic Apps) that map Account.Name or compare it to other identity fields
  • Workbooks & dashboards that show account name or aggregate by that value
  • Hunting queries that coalesce or parse account identity fields
  • Any users or systems relying on display name as the account identifier

What you need to do to prepare:

To fix this problem, update your KQL queries and automation logic to use the new precedence-aware pattern for account entity naming. Specifically, use a coalesce pattern (e.g., coalesce(Name, DisplayName)) wherever you reference the account name, and validate your workbooks, dashboards, and playbooks against the new logic. Test changes in a nonproduction workspace before rollout.
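A precedence-aware resolution of the account name (UPN prefix → name → display name), written as an added KQL example that is not part of the original message or Microsoft's own code. The sample rows are constructed, and the column names, the `ResolveAccountName` helper and the derivation of the UPN prefix by splitting on "@" are assumptions for illustration, not the Sentinel entity schema.

```kusto
// Constructed sample rows. Column names are assumptions for illustration,
// not the Sentinel account entity schema.
let SampleAccounts = datatable(AlertId:string, UserPrincipalName:string, Name:string, DisplayName:string)
[
    "a1", "jdoe@contoso.example", "jdoe",       "Jane Doe",
    "a2", "",                     "svc-backup", "Backup Service",
    "a3", "",                     "",           "Kiosk User",
    "a4", "",                     "",           ""
];
// Hypothetical helper: applies the precedence UPN prefix -> name -> display name.
// coalesce() skips null values and, for strings, empty values, so an absent
// UPN or name falls through to the next field.
let ResolveAccountName = (upn:string, name:string, displayName:string)
{
    coalesce(tostring(split(upn, "@")[0]), name, displayName)
};
SampleAccounts
// The value a query keyed on display name would have matched on.
| extend LegacyName = DisplayName
| extend AccountName = ResolveAccountName(UserPrincipalName, Name, DisplayName)
// Rows where filters, joins or aggregations on the old value would diverge.
| extend NameChanged = LegacyName !~ AccountName
// Rows with no usable identifier at all; handle these explicitly in playbooks.
| extend Unresolved = isempty(AccountName)
| project AlertId, LegacyName, AccountName, NameChanged, Unresolved
```

Replacing the `datatable` with the account fields your own rules extract, in a nonproduction workspace, lists the rows where a display-name-based filter or join stops matching.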

Timeline

  • Published: Nov 5, 2025 (message published to Message Center)
  • Updated: Nov 19, 2025 (message content updated)
  • Action Required By: Jul 1, 2026 (action deadline)
  • End Date: Aug 10, 2026 (message timeline ends)

Tags

#Updated message #Admin impact

Category

Plan for Change
