Microsoft Sentinel is generally available within Microsoft's unified security operations (SecOps) platform in the Microsoft Defender portal, with or without Microsoft Defender XDR or an E5 license. When you onboard Microsoft Sentinel to the Defender portal together with Microsoft Defender XDR, you unify capabilities like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster. For more information, see:
- What is Microsoft's unified security operations platform?
- Microsoft Sentinel in the Microsoft Defender portal
- Microsoft Defender XDR integration with Microsoft Sentinel
Prerequisites
Before you begin, review the feature documentation to understand the product changes and limitations.
- Microsoft Sentinel in the Microsoft Defender portal
- Advanced hunting in the Microsoft Defender portal
- Alerts, incidents, and correlation in Microsoft Defender XDR
- Automation with the unified security operations platform
The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to a primary workspace and multiple secondary workspaces (preview). If you have only one workspace when you onboard Microsoft Sentinel, that workspace is designated as the primary workspace. For more information, see Multiple Microsoft Sentinel workspaces in the Defender portal. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.
Microsoft Sentinel prerequisites
To onboard and use Microsoft Sentinel in the Defender portal, you must have the following resources and access:
A Log Analytics workspace that has Microsoft Sentinel enabled
An Azure account with the appropriate roles to onboard, use, and create support requests for Microsoft Sentinel in the Defender portal. You won't see workspaces in the Defender portal to onboard where you don't have the required permissions. The following table highlights some of the key roles needed.

| Task | Microsoft Entra or Azure built-in role required | Scope |
|---|---|---|
| Onboard Microsoft Sentinel to the Defender portal | Global administrator or security administrator in Microsoft Entra ID | Tenant |
| Connect or disconnect a workspace with Microsoft Sentinel enabled | Owner or User Access Administrator, and Microsoft Sentinel Contributor | Subscription for the Owner or User Access Administrator roles<br>Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |
| Change the primary workspace | Global administrator or security administrator in Microsoft Entra ID | Tenant |
| View Microsoft Sentinel in the Defender portal | Microsoft Sentinel Reader | Subscription, resource group, or workspace resource |
| Query Microsoft Sentinel data tables or view incidents | Microsoft Sentinel Reader, or a role with the following actions:<br>- Microsoft.OperationalInsights/workspaces/read<br>- Microsoft.OperationalInsights/workspaces/query/read<br>- Microsoft.SecurityInsights/Incidents/read<br>- Microsoft.SecurityInsights/incidents/comments/read<br>- Microsoft.SecurityInsights/incidents/relations/read<br>- Microsoft.SecurityInsights/incidents/tasks/read | Subscription, resource group, or workspace resource |
| Take investigative actions on incidents | Microsoft Sentinel Contributor, or a role with the following actions:<br>- Microsoft.OperationalInsights/workspaces/read<br>- Microsoft.OperationalInsights/workspaces/query/read<br>- Microsoft.SecurityInsights/incidents/read<br>- Microsoft.SecurityInsights/incidents/write<br>- Microsoft.SecurityInsights/incidents/comments/read<br>- Microsoft.SecurityInsights/incidents/comments/write<br>- Microsoft.SecurityInsights/incidents/relations/read<br>- Microsoft.SecurityInsights/incidents/relations/write<br>- Microsoft.SecurityInsights/incidents/tasks/read<br>- Microsoft.SecurityInsights/incidents/tasks/write | Subscription, resource group, or workspace resource |
| Create a support request | Owner, Contributor, Support request contributor, or a custom role with Microsoft.Support/* | Subscription |

After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal. Any Azure RBAC changes are reflected in the Defender portal. For more information about Microsoft Sentinel permissions, see Roles and permissions in Microsoft Sentinel and Manage access to Microsoft Sentinel data by resource.
Microsoft's unified SecOps platform prerequisites
To unify capabilities with Defender XDR in Microsoft's unified SecOps platform, you must have the following resources and access:
- Licensing for Defender XDR, as described in Microsoft Defender XDR prerequisites
- An account for Defender XDR that is a member of the same Microsoft Entra tenant with which Microsoft Sentinel is associated
- Access to Microsoft Defender XDR in the Defender portal, as described in Microsoft Defender XDR prerequisites
If applicable, complete these prerequisites:
If your organization uses Microsoft Purview Insider Risk Management, integrate that data by enabling the data connector Microsoft 365 Insider Risk Management on your primary workspace for Microsoft Sentinel. Disable that connector on any secondary workspaces for Microsoft Sentinel that you plan to onboard to the Defender portal.
- Install the Microsoft Purview Insider Risk Management solution from the Content hub on the primary workspace.
- Configure the data connector.
- For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.
To stream Defender for Cloud incidents that are correlated across all subscriptions of the tenant to the primary workspace for Microsoft Sentinel:
- Connect the Tenant-based Microsoft Defender for Cloud (Preview) data connector in the primary workspace.
- Disconnect the Subscription-based Microsoft Defender for Cloud (Legacy) alerts connector from all workspaces in the tenant.
If you don't want to stream correlated tenant data for Defender for Cloud to the primary workspace, continue to use the Subscription-based Microsoft Defender for Cloud (Legacy) connector on your workspaces.
For more information, see Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration.
Onboard Microsoft Sentinel
To connect a Microsoft Sentinel workspace to the Defender portal, complete the following steps. If you're onboarding Microsoft Sentinel without Defender XDR (preview), there's an extra step to trigger the connection between Microsoft Sentinel and the Defender portal.
- Go to the Microsoft Defender portal and sign in.
- To onboard Microsoft Sentinel without Defender XDR in the Defender portal:
  - To trigger the connection with Microsoft Sentinel, select Investigation & response > Incidents.
  - Wait a few minutes for the connection to complete.
- In the Defender portal, select Overview.
- Select Connect a workspace.
- Choose the workspaces you want to connect and select Next.
- Select the Primary workspace.
- Read and understand the product changes associated with connecting your workspace.
- Select Connect.
After your workspace is connected, the banner on the Overview page shows that your environment is ready. The Overview page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules.
Explore Microsoft Sentinel features in the Defender portal
After you connect your workspace to the Defender portal, Microsoft Sentinel is on the left-hand side navigation pane. If you have Defender XDR enabled, pages like Overview, Incidents, and Advanced Hunting have unified data from the primary workspace for Microsoft Sentinel and Defender XDR. If you don't have Defender XDR enabled, these pages just include data from Microsoft Sentinel. For more information about the unified capabilities and differences between portals, see Microsoft Sentinel in the Microsoft Defender portal.
Many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, the experience in Microsoft Sentinel in the Azure portal and in the Defender portal is similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the Defender portal instead of the Azure portal.
- Search
- Threat management
- Visualize and monitor your data by using workbooks
- Conduct end-to-end threat hunting with Hunts
- Use hunting bookmarks for data investigations
- Use hunting Livestream in Microsoft Sentinel to detect threats
- Hunt for security threats with Jupyter notebooks
- Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file
- Work with threat indicators in Microsoft Sentinel
- Understand security coverage by the MITRE ATT&CK framework
- Content management
- Configuration
- Find your Microsoft Sentinel data connector
- Create custom analytics rules to detect threats
- Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel
- Create watchlists
- Manage watchlists in Microsoft Sentinel
- Create automation rules
- Create and customize Microsoft Sentinel playbooks from content templates
Find Microsoft Sentinel settings in the Defender portal under System > Settings > Microsoft Sentinel.
Change the primary workspace
You can only have one primary workspace connected to the Defender portal at a time. But you can change the primary workspace.
- In the Defender portal, go to System > Settings > Microsoft Sentinel > Workspaces.
- Select the name of the workspace that you want to make primary.
- Select Set as primary.
- Read and understand the product changes associated with changing the primary workspace.
- Select Confirm and proceed.
When you switch the primary workspace for Microsoft Sentinel, the Defender XDR connector is connected to the new primary and disconnected from the former one automatically. For more information, see Multiple Microsoft Sentinel workspaces in the Defender portal.
Offboard Microsoft Sentinel
If you decide to offboard a workspace from the Defender portal, disconnect the workspace from the settings for Microsoft Sentinel.
- Go to the Microsoft Defender portal and sign in.
- In the Defender portal, under System, select Settings > Microsoft Sentinel.
- On the Workspaces page, select the connected workspace and Disconnect workspace.
- Provide a reason why you're disconnecting the workspace.
- Confirm your selection.
When your workspace is disconnected, the Microsoft Sentinel section is removed from the left-hand side navigation of the Defender portal. Data from Microsoft Sentinel is no longer included on the Overview page.
If you want to connect to a different workspace, from the Workspaces page, select the workspace and Connect a workspace.