Merge pull request #301106 from batamig/100-workspace

prmerger-automator[bot] · web-flow · commit 0232a9b3c2a8 · 2025-07-08T11:34:17.000Z
adding no limit for onboarding workspaces
diff --git a/articles/sentinel/extend-sentinel-across-workspaces-tenants.md b/articles/sentinel/extend-sentinel-across-workspaces-tenants.md
@@ -1,10 +1,10 @@
 ---
 title: Extend Microsoft Sentinel across workspaces and tenants
 description: How to use Microsoft Sentinel to query and analyze data across workspaces and tenants.
-author: yelevin
+author: batamig
 ms.topic: concept-article
-ms.date: 03/17/2025
-ms.author: yelevin
+ms.date: 06/10/2025
+ms.author: bagol
 appliesto:
     - Microsoft Sentinel in the Microsoft Defender portal
     - Microsoft Sentinel in the Azure portal
@@ -54,6 +54,8 @@ Query [multiple workspaces](/azure/azure-monitor/logs/cross-workspace-query) to
 
    Then, write a query across both workspaces by beginning with `unionSecurityEvent | where ...` .
 
+Cross-workspace queries for  Log Analytics data remain subject to [Log Analytics limitations](/azure/azure-monitor/logs/cross-workspace-query#limitations).
+
 ### Include cross-workspace queries in scheduled analytics rules<a name="scheduled-alerts"></a>
 
 <!-- Bookmark added for backward compatibility with old heading -->
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -4,7 +4,7 @@ description: Learn about the latest new features and announcement in Microsoft S
 author: batamig
 ms.author: bagol
 ms.topic: concept-article
-ms.date: 07/01/2025
+ms.date: 07/08/2025
 #Customer intent: As a security team member, I want to stay updated on the latest features and enhancements in Microsoft Sentinel so that I can effectively manage and optimize my organization's security posture.
 ms.custom:
   - build-2025
@@ -20,27 +20,43 @@ The listed features were released in the last six months. For information about
 
 ## July 2025
 
+- [No limit on the number of workspaces you can onboard to the Defender portal](#no-limit-on-the-number-of-workspaces-you-can-onboard-to-the-defender-portal)
+- [Microsoft Sentinel in the Azure portal to be retired July 2026](#microsoft-sentinel-in-the-azure-portal-to-be-retired-july-2026)
+
+### No limit on the number of workspaces you can onboard to the Defender portal
+
+There is no longer any limit to the number of workspaces you can onboard to the Defender portal.
+
+Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule. 
+
+For more information, see:
+
+- [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard?toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json)
+- [Multiple Microsoft Sentinel workspaces in the Defender portal](workspaces-defender-portal.md)
+- [Extend Microsoft Sentinel across workspaces and tenants](extend-sentinel-across-workspaces-tenants.md)
+
 ### Microsoft Sentinel in the Azure portal to be retired July 2026
 
 [!INCLUDE [sentinel-azure-deprecation](includes/sentinel-azure-deprecation.md)]
 
 ## June 2025
 
-- [Codeless Connector Platform (CCP) renamed.](#codeless-connector-platform-ccp-renamed-to-codeless-connector-framework-ccf)
-- [Connector Documentation consolidation](#connector-documentation-consolidation)
+- [Microsoft Sentinel Codeless Connector Platform (CCP) renamed to Codeless Connector Framework (CCF)](#codeless-connector-platform-ccp-renamed-to-codeless-connector-framework-ccf)
+- [Consolidated Microsoft Sentinel data connector reference](#consolidated-microsoft-sentinel-data-connector-reference)
 - [Summary rule templates now in public preview](#summary-rule-templates-now-in-public-preview)
 
 ### Codeless Connector Platform (CCP) renamed to Codeless Connector Framework (CCF)
 
-The Microsoft Sentinel Codeless Connector Platform (CCP) has been renamed to **Codeless Connector Framework (CCF)**. The new name reflects the platform's evolution and avoids confusion with other platform-orineted services, while still providing the same ease of use and flexibility that users have come to expect.
+The Microsoft Sentinel Codeless Connector Platform (CCP) has been renamed to **Codeless Connector Framework (CCF)**. The new name reflects the platform's evolution and avoids confusion with other platform-oriented services, while still providing the same ease of use and flexibility that users have come to expect.
 
-For more information, see [Create a codeless connector](create-codeless-connector.md) and [Unlock the potential of Microsoft Sentinel’s Codeless Connector Framework and do more with Microsoft Sentinel faster](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/exciting-announcements-new-data-connectors-released-using-the-codeless-connector/4421104).
+For more information, see [Create a codeless connector for Microsoft Sentinel](create-codeless-connector.md).
 
-### Connector documentation consolidation
+### Consolidated Microsoft Sentinel data connector reference
 
-We have consolidated the connector reference documentation, merging the separate connector articles into a single, comprehensive reference table. You can find the new connector reference at [Microsoft Sentinel data connectors](/azure/sentinel/data-connectors-reference#sentinel-data-connectors). 
+We've consolidated the connector reference documentation, merging the separate connector articles into a single, comprehensive reference table.
 
-Select the connector name to expand the row and see the details.
+You can find the new connector reference at [Microsoft Sentinel data connectors](/azure/sentinel/data-connectors-reference#sentinel-data-connectors).
+For more information, see [Create a codeless connector](create-codeless-connector.md) and [Unlock the potential of Microsoft Sentinel’s Codeless Connector Framework and do more with Microsoft Sentinel faster](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/exciting-announcements-new-data-connectors-released-using-the-codeless-connector/4421104).
 
 ### Summary rule templates now in public preview
 
diff --git a/articles/sentinel/workspaces-defender-portal.md b/articles/sentinel/workspaces-defender-portal.md
@@ -4,7 +4,7 @@ description: Learn about the support of multiple workspaces for Microsoft Sentin
 author: batamig
 ms.author: bagol
 ms.topic: concept-article
-ms.date: 05/26/2025
+ms.date: 06/10/2025
 appliesto: 
     - Microsoft Sentinel with Defender XDR in the Defender portal
 
@@ -77,9 +77,9 @@ If you have the appropriate permissions to view data from primary and secondary
 |**Search**     |   The results from the global search at the top of the browser page in the Defender portal provide an aggregated view of all relevant workspace data that you have permissions to view.    |
 |Investigation & response > Incidents & alerts > **Incidents**   | View incidents from different workspaces in a unified queue or filter the view by workspace.      |
 |Investigation & response > Incidents & alerts > **Alerts**     |   View alerts from different workspaces in a unified queue or filter the view by workspace.<br><br> The Defender portal segments alert correlation by workspace.      |
-|Entities: From an incident or alert > select a device, user, or other entity asset  |  View all relevant entity data from multiple workspaces in a single entity page. Entity pages aggregates alerts, incidents, and timeline events from all workspaces to provide deeper insights into entity behavior.   <br><br>Filter by workspace in **Incidents and alerts**, **Timeline**, and **Insights** tabs. The **Overview** tab displays entity metadata aggregated from all workspaces.    |
-|Investigation & response > Hunting > **Advanced hunting**     | Select a workspace from the top right-hand side of the browser. Or, query across multiple workspaces by using the workspace operator in the query. See [Query multiple workspaces](extend-sentinel-across-workspaces-tenants.md#query-multiple-workspaces). The query results don't show a workspace name or ID.<br><br>Access all log data of the workspace, including queries and functions, as read only.  For more information, see [Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal](/defender-xdr/advanced-hunting-microsoft-defender). <br><br>Some capabilities are limited to the primary workspace:<br>- Creating custom detections<br>- Queries via API  |
-|**Microsoft Sentinel** experiences|View data from one workspace for each page in the Microsoft Sentinel section of the Defender portal. Switch between workspaces by selecting **Select a workspace** from the top-right hand side of the browser for most pages. The **Workbooks** page only shows data associated with the primary workspace.|
+|**Entities**: From an incident or alert > select a device, user, or other entity asset  |  View all relevant entity data from multiple workspaces in a single entity page. Entity pages aggregates alerts, incidents, and timeline events from all workspaces to provide deeper insights into entity behavior.   <br><br>Filter by workspace in **Incidents and alerts**, **Timeline**, and **Insights** tabs. The **Overview** tab displays entity metadata aggregated from all workspaces.    |
+|Investigation & response > Hunting > **Advanced hunting**     | Select a workspace from the top right-hand side of the browser. Or, query across multiple workspaces by using the workspace operator in the query. See [Query multiple workspaces](extend-sentinel-across-workspaces-tenants.md#query-multiple-workspaces). The query results don't show a workspace name or ID.<br><br>Access all log data of the workspace, including queries and functions, as read only.  For more information, see [Advanced hunting with Microsoft Sentinel data in Microsoft Defender portal](/defender-xdr/advanced-hunting-microsoft-defender). <br><br>Some capabilities are limited to the primary workspace:<br>- Creating custom detections<br>- Queries via API  <br><br>Cross-workspace queries for  Log Analytics data remain subject to [Log Analytics limitations](/azure/azure-monitor/logs/cross-workspace-query#limitations). |
+|**Microsoft Sentinel** experiences|View data from one workspace for each page in the Microsoft Sentinel section of the Defender portal. Switch between workspaces by selecting **Select a workspace** from the top-right hand side of the browser for most pages. <br><br>- The **Workbooks** page only shows data associated with the primary workspace. <br><br>Cross-workspace analytics rules remain subject to [cross-workspace analytics rules limitations and recommendations](extend-sentinel-across-workspaces-tenants.md#include-cross-workspace-queries-in-scheduled-analytics-rules). |
 |**SOC optimization**|Data and recommendations are aggregated from multiple workspaces. |
 
 
@@ -101,4 +101,5 @@ Also, if the direct [Microsoft 365 Insider Risk Management connector for Microso
 ## Related content
 
 - [Microsoft Defender multitenant management](/unified-secops-platform/mto-overview)
-- [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard)
+- [Connect Microsoft Sentinel to the Microsoft Defender portal](/unified-secops-platform/microsoft-sentinel-onboard)
+- [Extend Microsoft Sentinel across workspaces and tenants](extend-sentinel-across-workspaces-tenants.md)
