Microsoft Sentinel is available in the Microsoft Defender portal. You don't need Microsoft Defender XDR or an E5 license. When you use Microsoft Sentinel with Defender XDR in the Defender portal, you get shared incident management and advanced hunting. You can reduce tool switching and run faster, more focused investigations.
This article walks you through connecting a Microsoft Sentinel workspace to the Defender portal, including prerequisites, onboarding steps, and available features. Follow these steps if your workspaces aren't yet connected to the Defender portal. In many cases, customers onboarding to Microsoft Sentinel after July 1, 2025 are automatically onboarded to the Defender portal.
For more information, see:
- What are unified security operations?
- Microsoft Sentinel in the Microsoft Defender portal
- Microsoft Defender XDR integration with Microsoft Sentinel
Prerequisites
Before you begin, review the feature documentation to understand the product changes and limitations.
- Microsoft Sentinel in the Microsoft Defender portal
- Advanced hunting in the Microsoft Defender portal
- Alerts, incidents, and correlation in Microsoft Defender XDR
- Microsoft Sentinel automation in the Defender portal
The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to a primary workspace and multiple secondary workspaces. If you have only one workspace when you onboard Microsoft Sentinel, that workspace is designated as the primary workspace. For more information, see Multiple Microsoft Sentinel workspaces in the Defender portal. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.
Microsoft Sentinel prerequisites
To onboard and use Microsoft Sentinel in the Defender portal for a single workspace, you need the following resources and access:
- A Log Analytics workspace that has Microsoft Sentinel enabled
- An Azure account with the appropriate roles to onboard, use, and create support requests for Microsoft Sentinel in the Defender portal. You won't see workspaces in the Defender portal to onboard where you don't have the required permissions.
The following table shows some of the key roles needed for a single workspace setup. For permissions related to multiple workspaces, see Permissions to manage workspaces and view workspace data.
For onboarding, the Owner role assignment must be unconditional at the subscription scope.
| Task | Microsoft Entra or Azure built-in role required | Scope |
|---|---|---|
| Onboard Microsoft Sentinel to the Defender portal¹ | At least a Security Administrator in Microsoft Entra ID - Owner (unconditional role assignment) OR User Access Administrator and Microsoft Sentinel Contributor | Tenant - Subscription for Owner role |
| View Microsoft Sentinel in the Defender portal | Microsoft Sentinel Reader | Subscription, resource group, or workspace resource |
| Query Microsoft Sentinel data tables or view incidents | Microsoft Sentinel Reader or a role with the following actions: - Microsoft.OperationalInsights/workspaces/read - Microsoft.OperationalInsights/workspaces/query/read - Microsoft.SecurityInsights/Incidents/read - Microsoft.SecurityInsights/incidents/comments/read - Microsoft.SecurityInsights/incidents/relations/read - Microsoft.SecurityInsights/incidents/tasks/read | Subscription, resource group, or workspace resource |
| Take investigative actions on incidents | Microsoft Sentinel Contributor or a role with the following actions: - Microsoft.OperationalInsights/workspaces/read - Microsoft.OperationalInsights/workspaces/query/read - Microsoft.SecurityInsights/incidents/read - Microsoft.SecurityInsights/incidents/write - Microsoft.SecurityInsights/incidents/comments/read - Microsoft.SecurityInsights/incidents/comments/write - Microsoft.SecurityInsights/incidents/relations/read - Microsoft.SecurityInsights/incidents/relations/write - Microsoft.SecurityInsights/incidents/tasks/read - Microsoft.SecurityInsights/incidents/tasks/write | Subscription, resource group, or workspace resource |
| Create a support request | Owner or Contributor or Support request contributor or a custom role with Microsoft.Support/* | Subscription |

¹ If your tenant has exactly one workspace with Microsoft Sentinel enabled, use the permissions listed in the table. If your tenant has more than one workspace with Microsoft Sentinel enabled, you must also be at least a Security administrator in Microsoft Entra ID.
If you're working with multiple tenants, note that granular delegated admin privileges (GDAP) with Azure Lighthouse isn't supported for Microsoft Sentinel data in the Defender portal. Instead, use Microsoft Entra B2B authentication. For more information, see Set up Microsoft Defender multitenant management.
After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal, as any Azure RBAC changes are reflected in the Defender portal.
For more information, see Roles and permissions in Microsoft Sentinel and Manage access to Microsoft Sentinel data by resource.
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization.
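To review a custom role against the action lists in the roles table above, the following added example (not Microsoft's code) reports which of the listed actions a role's permission block fails to grant. The two role dictionaries are constructed, hypothetical custom roles, and the check assumes standard Azure RBAC matching: case-insensitive action strings, `*` wildcards, and `notActions` subtracted from `actions`.

```python
import re

OI = "Microsoft.OperationalInsights/workspaces/"
SI = "Microsoft.SecurityInsights/"

# Actions per task, copied from the roles table above (casing as printed there).
REQUIRED = {
    "view": [
        OI + "read", OI + "query/read", SI + "Incidents/read",
        SI + "incidents/comments/read", SI + "incidents/relations/read",
        SI + "incidents/tasks/read",
    ],
    "investigate": [
        OI + "read", OI + "query/read",
        SI + "incidents/read", SI + "incidents/write",
        SI + "incidents/comments/read", SI + "incidents/comments/write",
        SI + "incidents/relations/read", SI + "incidents/relations/write",
        SI + "incidents/tasks/read", SI + "incidents/tasks/write",
    ],
}

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; "*" is the only wildcard.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def allowed(role, action):
    # Effective permission: matched by an action and by no notAction.
    granted = any(_matches(p, action) for p in role.get("actions", []))
    excluded = any(_matches(p, action) for p in role.get("notActions", []))
    return granted and not excluded

def missing_actions(role, task):
    """Return the actions the table lists for `task` that `role` lacks."""
    return [a for a in REQUIRED[task] if not allowed(role, a)]

# Constructed custom-role permission blocks (hypothetical, not built-in roles).
TRIAGE_READER = {"actions": [OI + "read", OI + "query/read",
                             SI + "incidents/read", SI + "incidents/*/read"]}
ANALYST = {"actions": [OI + "read", OI + "query/read", SI + "*"],
           "notActions": [SI + "incidents/tasks/write"]}

if __name__ == "__main__":
    for name, role in (("TRIAGE_READER", TRIAGE_READER), ("ANALYST", ANALYST)):
        for task in REQUIRED:
            print(name, task, missing_actions(role, task) or "covered")
```

The check covers only the control-plane actions in one permission block; assignment scope, conditions, and deny assignments still have to be reviewed separately.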
Unified security operations prerequisites
To unify Microsoft Defender XDR and Microsoft Sentinel security operations in the Defender portal, you must have the following resources and access:
- Licensing for Defender XDR, as described in Microsoft Defender XDR prerequisites
- Account for Defender XDR is a member of the same Microsoft Entra tenant with which Microsoft Sentinel is associated
- Access to Microsoft Defender XDR in the Defender portal, as described in Microsoft Defender XDR prerequisites
If applicable, complete these prerequisites:
| Service | Prerequisite |
|---|---|
| Microsoft Purview Insider Risk Management | If your organization uses Microsoft Purview Insider Risk Management, integrate that data by enabling the data connector Microsoft 365 Insider Risk Management on your primary workspace for Microsoft Sentinel. Disable that connector on any secondary workspaces for Microsoft Sentinel that you plan to onboard to the Defender portal. - Install the Microsoft Purview Insider Risk Management solution from the Content hub on the primary workspace. - Configure the data connector. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content. |
| Microsoft Defender for Cloud | To stream Defender for Cloud incidents that are correlated across all subscriptions of the tenant to the primary workspace for Microsoft Sentinel: - Connect the Tenant-based Microsoft Defender for Cloud (Preview) data connector in the primary workspace. - Disconnect the Subscription-based Microsoft Defender for Cloud (Legacy) alerts connector from all workspaces in the tenant. If you don't want to stream correlated tenant data for Defender for Cloud to the primary workspace, continue to use the Subscription-based Microsoft Defender for Cloud (Legacy) connector on your workspaces. For more information, see Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration. |
Onboard Microsoft Sentinel
This procedure describes how to onboard a Microsoft Sentinel-enabled workspace to the Defender portal.
- Go to the Microsoft Defender portal and sign in.
- Select System > Settings > Microsoft Sentinel > Connect a workspace.
- Select the workspaces you want to connect and select Next.
- Select the Primary workspace.
- Read and understand the product changes associated with connecting your workspace.
- Select Connect.
After your workspace is connected, the banner on the Home page shows that your environment is ready. The Home page is updated with new sections that include metrics from Microsoft Sentinel, like the number of data connectors and automation rules.
Explore Microsoft Sentinel features in the Defender portal
After you connect your workspace, Microsoft Sentinel appears in the left-side navigation pane. If Defender XDR is enabled, pages like Home, Incidents, and Advanced Hunting show combined data from Microsoft Sentinel and Defender XDR. Without Defender XDR, those pages show only Microsoft Sentinel data. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Many Microsoft Sentinel features are built into the Defender portal. For the integrated features listed in the following table, the experience is similar to the Azure portal. Use the articles in the following table to get started. When you use the linked articles, start from the Defender portal instead of the Azure portal.
Find Microsoft Sentinel settings in the Defender portal under System > Settings > Microsoft Sentinel.
Change the primary workspace
You can only have one primary workspace connected to the Defender portal at a time. But you can change the primary workspace.
- In the Defender portal, go to System > Settings > Microsoft Sentinel > Workspaces.
- Select the name of the workspace that you want to make primary.
- Select Set as primary.
- Read and understand the product changes associated with changing the primary workspace.
- Select Confirm and proceed.
When you switch the primary workspace for Microsoft Sentinel, the Defender XDR connector is connected to the new primary and disconnected from the former one automatically. For more information, see Multiple Microsoft Sentinel workspaces in the Defender portal.
Offboard Microsoft Sentinel
Warning
If your workspace has the Microsoft Defender XDR connector configured, offboarding the workspace from the Defender portal also disconnects the Microsoft Defender XDR connector.
To offboard a workspace from the Defender portal, disconnect the workspace from the settings for Microsoft Sentinel.
- Go to the Microsoft Defender portal and sign in.
- In the Defender portal, under System, select Settings > Microsoft Sentinel.
- On the Workspaces page, select the connected workspace and Disconnect workspace.
- Provide a reason why you're disconnecting the workspace.
- Confirm your selection.
When your workspace is disconnected, the Microsoft Sentinel section is removed from the left-hand side navigation of the Defender portal. Data from Microsoft Sentinel is no longer included on the Home page.
If you want to connect a different workspace, on the Workspaces page, select Connect a workspace, and then choose the workspace you want to connect.