AadTenantId, CurrentLocation, and CurrentIPAddress empty in SecurityAlert for AAD Identity Protection alerts after 13 Jan 2026

[SudBuddy]

Hello Team,
We are observing an issue in Microsoft Sentinel Analytic Rule where certain fields are coming as empty starting from 13 Jan 2026 for alerts generated from Microsoft Entra ID Identity Protection.
Specifically, for the following alert types:
Unfamiliar sign-in properties
Atypical travel
The below fields are now returning empty values:

1. AadTenantId = | extend AadTenantId = tostring(Entity.AadTenantId)
2. CurrentLocation = ExtendedProperties["Current Location"]
3. CurrentIPAddress = ExtendedProperties["Current IP Address"]

Before 13 Jan 2026, the same query was shows the results and these fields were properly populated.

Query Path: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID%20Protection/Analytic%20Rules/CorrelateIPC_Unfamiliar-Atypical.yaml

Observed Behavior:
AadTenantId is empty inside Entities dynamic column.
CurrentLocation and CurrentIPAddress extracted from ExtendedProperties are empty.
Join with IdentityInfo is impacted due to missing AadTenantId and query returns No Results.

Questions:
1.Has there been any backend schema change for SecurityAlert related to:
Entities structure?
AadTenantId field?
2.ExtendedProperties property names, if yes then new property name's for Current Location and Ipaddress?
3.Is there any official documentation or change log that mentions:
Schema changes
Field deprecation
Property renaming

Expected Behavior:
Entity.AadTenantId should be populated for account type entities.
ExtendedProperties should contain:
Current Location
Current IP Address

To Reproduce:
Run the same query mentioned above, comparing the result structure before and after 13 Jan 2026 shows that certain properties are no longer present.

We would appreciate confirmation on whether this is due to a backend change or if query needs to be update.
Thank you.

[v-utpalkumar]

Hello @SudBuddy, thanks for flagging this issue. we will investigate this issue and get back to you with some updates. Thanks!

[v-kasghosh]

Hello @SudBuddy
We analyzed the issue you reported and would like to share our findings. After reviewing the official documentation for the Microsoft Sentinel SecurityAlert table, we did not find any documented schema changes. You can refer to the documentation here: https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema

It is important to highlight that both Entities and ExtendedProperties are dynamic (JSON) fields. Their internal structure is provider-controlled, meaning the keys within them are not guaranteed to always be present. If a key does not exist in the alert payload, KQL will naturally return a null or empty value. This behavior is expected and does not indicate a schema issue. For example, if AadTenantId is not included inside the Entities JSON object, tostring(Entity.AadTenantId) will return empty. The same applies to ExtendedProperties["Current Location"] and ExtendedProperties["Current IP Address"] — if those keys are not present in the payload, they will return empty values.

To assist with further analysis, could you please provide a SecurityAlerts Logs from before January 13, 2026, as well as one from after that date? You can send them to this email address: v-kasghosh@microsoft.com.

[SudBuddy]

@v-kasghosh, AADTenantId is not included inside the Entities JSON object; therefore, tostring(Entity.AadTenantId) returns an empty value.
Referring to your earlier point, we would like to highlight that the TenantId was included inside the Entities object prior to 13 January. The same behavior was observed for Current Location and Current IP Address fields, which were previously populated as part of the entity payload.
We would like to understand whether there have been any recent changes to the payload structure or schema.
To reproduce the issue, you can execute the query for data up to 13 January — you will observe that the values were present as part of the schema. However, when running the same query for data after 13 January, the fields appear empty at the source level itself.

Could you please validate it if change happen recently in payload? If yes, then the rule needs to be update.