|
1 | 1 | ---
|
2 | 2 | title: Multiple workspaces - Microsoft Sentinel in Defender portal
|
3 | 3 | description: Learn about the support of multiple workspaces for Microsoft Sentinel in the Defender portal including primary and secondary workspaces.
|
4 |
| -author: cwatson-cat |
5 |
| -ms.author: cwatson |
| 4 | +author: batamig |
| 5 | +ms.author: bagol |
6 | 6 | ms.topic: concept-article
|
7 |
| -ms.date: 02/27/2025 |
| 7 | +ms.date: 05/26/2025 |
8 | 8 | appliesto:
|
9 | 9 | - Microsoft Sentinel with Defender XDR in the Defender portal
|
10 | 10 |
|
@@ -35,6 +35,9 @@ For example, you might be working on a global SOC team in a company that has mul
|
35 | 35 |
|
36 | 36 | Where you have multiple Microsoft Sentinel workspaces within a Microsoft Entra ID tenant, consider using the primary workspace for your global security operations center.
|
37 | 37 |
|
| 38 | +## |
| 39 | +Important: Prior to onboarding, customers who have IRM services enabled will be required to connect IRM to the XDR-Sentinel connector in their primary workspace. If the customer does not want to see IRM alerts and incidents in the primary workspace, IRM can be opted out of the integration with XDR. If the direct Sentinel-IRM connector is connected to any of Sentinel's secondary workspaces, the customer must disconnect it prior to onboarding. |
| 40 | + |
38 | 41 | ## Permissions to manage workspaces and view workspace data
|
39 | 42 |
|
40 | 43 | Use one of the following roles or role combinations to manage primary and secondary workspaces:
|
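Review bot: Added line 38 is a bare `##` with no heading text, so it renders as an empty section header directly above the "Important:" paragraph; drop it or give it a title. The paragraph at line 39 would also read better as an alert block than as a plain "Important:" prefix. It repeats the requirements of the "Insider risk management (IRM) support" section added at lines 95-99, but in the third person ("customers who have IRM services enabled") where the rest of the page addresses "you", and it calls the connector the "XDR-Sentinel connector" where the later section says "Microsoft Defender XDR connector". Suggest keeping one short pointer here that links to the IRM section, with a single connector name used in both places, so the two statements of the onboarding prerequisite cannot drift apart.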
@@ -89,6 +92,12 @@ How incident changes sync between the Azure portal and the Defender portal depen
|
89 | 92 | |Primary | For Microsoft Sentinel in the Azure portal, Defender XDR incidents appear in **Threat management** > **Incidents** with the incident provider name **Microsoft XDR**. Any changes you make to the status, closing reason, or assignment of a Defender XDR incident in either the Azure or Defender portal, update in the other's incidents queue. For more information, see [Working with Microsoft Defender XDR incidents in Microsoft Sentinel and bi-directional sync](microsoft-365-defender-sentinel-integration.md#working-with-microsoft-defender-xdr-incidents-in-microsoft-sentinel-and-bi-directional-sync).|
|
90 | 93 | |Secondary | All alerts and incidents that you create for a secondary workspace are synced between that workspace in the Azure and Defender portals. Data in a workspace is only synced to the workspace in the other portal. |
|
91 | 94 |
|
| 95 | +## Insider risk management (IRM) support |
| 96 | + |
| 97 | +[Microsoft Purview Insider Risk Management (IRM)](/defender-xdr/irm-investigate-alerts-defender) alerts are correlated to the primary workspace only. If you have IRM alerts with [Microsoft Defender XDR](microsoft-365-defender-sentinel-integration.md), you must connect IRM to the Microsoft Defender XDR connector in your primary workspace before onboarding the workspace to the Defender portal. This is required to ensure that IRM alerts and incidents are available in the primary workspace. If you don't want to see IRM alerts in the primary workspace, you can instead opt out of the integration with Microsoft Defender XDR. |
| 98 | + |
| 99 | +Also, if the direct [Microsoft 365 Insider Risk Management connector for Microsoft Sentinel](data-connectors/microsoft-365-insider-risk-management.md) data connector is connected to any of the secondary workspaces, you must disconnect it before onboarding the workspace to the Defender portal. |
| 100 | + |
92 | 101 | ## Related content
|
93 | 102 |
|
94 | 103 | - [Microsoft Defender multitenant management](/unified-secops-platform/mto-overview)
|
|
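Review bot: In the new IRM section, the condition at line 97, "If you have IRM alerts with Microsoft Defender XDR", is unclear about what state triggers the prerequisite, and it differs from the wording in the paragraph added at line 39 ("customers who have IRM services enabled"); state one condition and use it in both places. The opt-out sentence ("you can instead opt out of the integration with Microsoft Defender XDR") gives no link or steps, so a reader who chooses that path has nowhere to go from here. At line 99 the link text already ends in "connector for Microsoft Sentinel" and is followed by "data connector", which doubles the noun; drop the trailing "data connector". The heading uses "Insider risk management" in lowercase while the body uses the product name "Insider Risk Management"; match the product capitalization.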