
Upwind Strengthens Cloud Identity Security with New Microsoft Entra ID Detection Coverage
We are thrilled to announce that Upwind has expanded its Microsoft Entra ID (formerly Azure Active Directory) detection coverage to provide deeper visibility into identity changes, privilege escalation, and credential misuse across Azure environments. These new detections help security teams identify and respond to identity-driven threats faster, before they can compromise the tenant or persist undetected.
Why Microsoft Entra Logs Are Critical to Securing Your Cloud
Identity is at the center of cloud security. In Azure environments, Microsoft Entra ID governs how users, applications, and services authenticate and access resources. The logs it produces capture a detailed record of identity-related activity, including who did what, where, and when, making them essential for detecting early signs of compromise or misuse.
Actions like assigning a new administrative role, resetting a password, or adding credentials to a service principal can be legitimate, or they can signal the start of a serious security incident. Attackers often exploit these same identity operations to escalate privileges, disable protections, or establish persistence after gaining initial access.
Monitoring and analyzing Entra ID logs ensures that these critical identity changes are visible to your security team. When integrated into the Upwind Platform, they become actionable insights, helping teams understand when and how privilege elevation or credential manipulation occurs, and how those actions connect to broader cloud activity.
Detect High-Impact Identity Operations
The new Microsoft Entra detections in the Upwind Platform are designed to surface the highest-impact identity and access operations – those most frequently abused by attackers during privilege escalation or persistence. Each detection delivers actionable context around what changed, who initiated it, and how it could affect tenant security.
These detections are organized around key stages of the attack chain, helping security teams prioritize the most critical identity activity and respond with confidence:
Protect Against Unauthorized Privilege Escalation
One of the most common and damaging attacker goals is privilege escalation. Once an adversary gains limited access to a cloud environment, they often attempt to assign themselves or another entity elevated roles to take full control.
- Global Administrator Assignment
Detects when an entity receives the most powerful role in Azure, granting full tenant control. Because this role provides unrestricted access, any new assignment should be validated immediately.
- New Administrative Role Assignment
Alerts when a user, service principal, or managed identity gains new administrative privileges, one of the most common techniques used by attackers to escalate access after initial compromise.

Stop Persistence Before It Starts
Attackers frequently create new credentials, service principals, or applications to maintain long-term access to a compromised environment. Upwind’s Entra detections identify the subtle changes that can establish persistence.
- Credential Additions to Service Principals and Applications
Upwind identifies when credentials or password keys are added to an Entra ID application or service principal, often used by attackers to create persistent backdoor access.
- New Application Creation
Upwind detects when new applications are registered in Entra ID, an operation that can introduce unauthorized integrations or hidden privilege pathways if performed by a malicious actor.

Defend Against Account Takeover
Identity takeover is one of the most direct routes to compromising a cloud environment. These detections help ensure that credential and authentication changes are legitimate, not signs of an attack in progress.
- Password Reset and Authentication Method Deletion
Upwind surfaces when user passwords are reset or authentication methods (including MFA) are deleted, potential indicators of account takeover or attempts to disable security controls.

Maintain Control Over Identity Scope and Delegation
Administrative Units (AUs) allow scoped management within Azure AD, helping enforce least-privilege access. Attackers may target AUs to bypass these boundaries. Upwind’s detections ensure delegated roles and user creation remain within approved limits.
- User Creation in Restricted Administrative Units
Upwind now detects when new users are created within restricted AUs, ensuring delegated administrators cannot introduce unauthorized identities or accounts with unintended privileges.
- Role Assignment Through Administrative Units
Upwind monitors scoped role assignments to ensure privileges remain limited and compliant with least-privilege standards, preventing unauthorized access within sensitive or restricted management scopes.
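The four detection groups above all reduce to the same mechanism: watch the Entra ID audit log for a short list of high-impact operations and enrich each hit with who did it and what it touched. The example below is added here to make that concrete; it is not Upwind's code or the Upwind Platform's detection logic. The audit records are constructed to resemble the Entra ID audit-log shape (activityDisplayName, initiatedBy, targetResources with modifiedProperties), but the exact activityDisplayName strings, the AdministrativeUnitId property name and the restricted AU identifier are assumptions that should be checked against a real tenant export before use.

```python
import json
from dataclasses import dataclass

# Activities of interest, keyed by audit-log activityDisplayName and grouped by
# the attack stage discussed above. Names follow Entra audit-log conventions
# but are assumptions here; verify them against your own tenant's exports.
WATCHLIST = {
    "Add member to role": "privilege_escalation",
    "Add scoped member to role": "delegation",        # role assignment via an AU
    "Add service principal credentials": "persistence",
    "Update application – Certificates and secrets management": "persistence",
    "Add application": "persistence",
    "Reset user password": "account_takeover",
    "User deleted security info": "account_takeover",  # MFA / auth-method removal
    "Add user": "delegation",
}

# Restricted Administrative Unit ids are tenant-specific; this is a placeholder.
RESTRICTED_AU_IDS = {"au-restricted-placeholder"}


@dataclass
class Finding:
    stage: str
    title: str
    severity: str
    actor: str
    target: str


def _decode(value):
    """Audit newValue fields are JSON-encoded strings, e.g. '"Global Administrator"'."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def _modified_props(record):
    props = {}
    for res in record.get("targetResources", []):
        for mp in res.get("modifiedProperties", []):
            props[mp.get("displayName")] = _decode(mp.get("newValue"))
    return props


def _actor(record):
    who = record.get("initiatedBy", {})
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _target(record):
    first = (record.get("targetResources") or [{}])[0]
    return first.get("userPrincipalName") or first.get("displayName") or first.get("id") or "unknown"


def evaluate(record):
    """Return a Finding for a high-impact identity operation, or None for routine activity."""
    activity = record.get("activityDisplayName", "")
    stage = WATCHLIST.get(activity)
    if stage is None:
        return None
    props = _modified_props(record)
    title, severity = activity, "high"
    if stage == "privilege_escalation":
        role = props.get("Role.DisplayName")
        if role == "Global Administrator":
            title, severity = "Global Administrator assignment", "critical"
        else:
            title = f"New administrative role assignment: {role}"
    elif stage == "delegation":
        au_id = props.get("AdministrativeUnitId")  # property name is an assumption
        if activity == "Add user" and au_id not in RESTRICTED_AU_IDS:
            return None                            # ordinary user creation: no alert
        title = ("User creation in restricted administrative unit" if activity == "Add user"
                 else f"Scoped role assignment via AU {au_id}")
    return Finding(stage, title, severity, _actor(record), _target(record))


def scan(records):
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample records shaped like Entra ID audit-log entries (not real data).
SAMPLE_RECORDS = [
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"userPrincipalName": "contractor@contoso.example", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"displayName": "billing-sync-sp", "modifiedProperties": []}]},
    {"activityDisplayName": "Reset user password",
     "initiatedBy": {"app": {"displayName": "Self-Service Portal"}},
     "targetResources": [{"userPrincipalName": "cfo@contoso.example", "modifiedProperties": []}]},
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "au-admin@contoso.example"}},
     "targetResources": [{"userPrincipalName": "newhire@contoso.example", "modifiedProperties": [
         {"displayName": "AdministrativeUnitId", "newValue": "\"au-restricted-placeholder\""}]}]},
    {"activityDisplayName": "Add user",  # routine creation outside a restricted AU: ignored
     "initiatedBy": {"user": {"userPrincipalName": "hr-sync@contoso.example"}},
     "targetResources": [{"userPrincipalName": "intern@contoso.example", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.severity.upper():8}] {f.title}: {f.actor} -> {f.target}")
```

Running it on the constructed records yields four findings and silently drops the ordinary user creation. The point worth keeping from this sketch is the shape of the enrichment: every alert carries the initiating principal (a user or an application) and the affected object, which is what an analyst needs to decide whether a Global Administrator assignment or a new service principal credential was a change-managed action or the start of an incident.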

Turning Identity Visibility Into Measurable Security Outcomes
Upwind’s new Entra Log detections give users deeper control and assurance over identity-driven risks in Azure. Customers can now:
- Respond faster to privilege changes by detecting and validating high-impact actions in real time.
- Reduce the blast radius of compromise by identifying and reversing unauthorized role or credential assignments.
- Enforce least-privilege access through continuous monitoring of role boundaries and delegated authority.
- Correlate identity events with runtime behavior to understand the full scope of potential attacks across workloads and services.
Upwind’s correlation engine unifies identity signals with runtime and cloud infrastructure data, delivering an end-to-end view of cloud activity that supports faster triage, better forensics, and more confident remediation.
Comprehensive Cloud Protection Requires Data From Everywhere
While runtime visibility remains foundational to detecting and stopping real-time threats, identity signals are an equally critical part of the picture. Attackers often blend configuration changes, credential misuse, and workload activity to move across cloud layers.
By ingesting data from sources like Microsoft Entra Logs alongside runtime and cloud telemetry, Upwind provides a complete view of the attack surface. This unified approach helps customers detect subtle indicators of compromise, correlate them across environments, and take action with full operational context.
With Entra ID detections now fully integrated into the Upwind Platform, customers gain a deeper, more connected understanding of how identity and runtime activity intersect – and a stronger ability to detect, investigate, and contain threats before they escalate.
Building Continuous Protection Across the Cloud Identity Layer
As attackers increasingly target identity and access systems to gain control of cloud environments, visibility into Microsoft Entra ID activity has become essential.
By combining identity insights with runtime and infrastructure telemetry, Upwind enables customers to detect identity-driven threats in real time, understand their impact across workloads, and respond with full context. These new detections strengthen governance, enforce least-privilege access, and extend Upwind’s protection deeper into the identity layer.
To learn more about how Upwind helps organizations secure Azure and multi-cloud environments through unified visibility and real-time detection, schedule a demo with our team.