Microsoft Sentinel Now Fully Integrated into the Microsoft Defender Portal

Microsoft Sentinel—Microsoft’s cloud-native SIEM—is now generally available in the Microsoft Defender portal, even for organizations without Defender XDR or E5 licensing. This signals a strategic shift toward delivering a unified SIEM + XDR experience for faster, more accurate threat detection and streamlined incident response.

Why This Integration Matters

  • Unified Incident Management
    The Defender portal brings together alerts and investigations from Sentinel and Defender XDR into a single, unified incident queue.
  • Centralized Advanced Hunting & Entity Views
    In the Defender portal, Advanced Hunting delivers cross-product querying using Security Copilot assistance, and entity pages now present consolidated context for devices, users, IPs, and Azure resources.
  • Automatic Onboarding & Transition Timeline
    From July 1, 2025, new Microsoft Sentinel workspaces created by users with Owner or User Access Administrator permissions are automatically onboarded to the Defender portal. By July 2026, the Azure‑portal experience for Sentinel will be fully retired, and all users will be redirected to the Defender portal.

⚠️ Caveats & Limitations

  • Features limited without Defender XDR
    Some advanced capabilities—such as Security Exposure Management, Defender XDR–specific detection rules, or Action center workflows—are not available if you’re running Sentinel only, without Defender XDR.
  • Shift in Incident and Automation Behaviors
    After onboarding, incident creation logic is handled by Defender XDR’s correlation engine, with different naming conventions and disabled fusion rules. Automation rules targeting incident titles or certain properties may require updates to work as expected.
  • API and Playbook Changes
    You’ll need to adapt automation built on the Sentinel‑only API—particularly if you designed playbooks or tickets for the Azure portal—since many incident and alert fields are renamed, and triggering may now incur additional latency (up to several minutes).

📝 Best Practices for Migration

If you’re still using Sentinel in the Azure portal, now’s a smart time to plan your transition:

  1. Review licensing: Ensure you meet prerequisites if you want Defender XDR integration.
  2. Audit automation rules & playbooks: Update rules that reference incident titles or use incident creation logic deprecated by Defender XDR.
  3. Train SOC analysts: Walk through the unified incident queue, entity investigation, and hunting experience in the Defender portal.
  4. Test workflows: Validate alert tuning and automation behavior under the new incident correlation engine.
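
For step 2, one way to find the rules that need attention is to scan an export of your automation rules for conditions on the incident title. The Python below is an added example, not Microsoft tooling or part of the original article; it assumes the rules were exported as JSON in the automation rules REST layout (`properties.triggeringLogic.conditions`), and the helper names and sample rules are constructed for illustration.

```python
import json

WATCHED = {"IncidentTitle"}  # the article singles out incident titles; extend as needed

def _prop(name, op, values):
    """Build one constructed property condition for the sample below."""
    return {"conditionType": "Property", "conditionProperties": {
        "propertyName": name, "operator": op, "propertyValues": values}}

def _rule(title, enabled, conditions):
    """Build one constructed automation rule in the assumed export shape."""
    return {"properties": {"displayName": title, "triggeringLogic": {
        "isEnabled": enabled, "triggersOn": "Incidents", "conditions": conditions}}}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps({"value": [
    _rule("Route phishing", True, [_prop("IncidentTitle", "Contains", ["Phishing"])]),
    _rule("Escalate high", True, [_prop("IncidentSeverity", "Equals", ["High"])]),
    _rule("Tag malware", False, [{"conditionType": "Boolean", "conditionProperties": {
        "operator": "Or", "innerConditions": [
            _prop("IncidentTitle", "StartsWith", ["Malware"])]}}]),
]})

def iter_property_conditions(conditions):
    """Yield property conditions, descending into nested Boolean groups."""
    for cond in conditions or []:
        props = cond.get("conditionProperties") or {}
        if cond.get("conditionType") == "Property":
            yield props
        # Boolean groups carry their members in innerConditions.
        yield from iter_property_conditions(props.get("innerConditions"))

def audit_rules(export_text, watched=WATCHED):
    """Return one finding per watched-property condition in incident-triggered rules."""
    findings = []
    for rule in json.loads(export_text).get("value", []):
        props = rule.get("properties", {})
        logic = props.get("triggeringLogic", {})
        if logic.get("triggersOn") != "Incidents":
            continue  # alert-triggered rules have no incident title to match
        for cond in iter_property_conditions(logic.get("conditions")):
            if cond.get("propertyName") in watched:
                findings.append({
                    "rule": props.get("displayName"), "enabled": bool(logic.get("isEnabled")),
                    "operator": cond.get("operator"), "values": cond.get("propertyValues", [])})
    return findings
```

Disabled rules are reported too, so a rule that is re-enabled after the transition does not slip through the review.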