Commit 7b2324a

Merge pull request #301249 from batamig/auto-onboard-ii
sentinel docs auto-onboard auto-redirect
2 parents 32c260f + a34eae8 commit 7b2324a

18 files changed

+131
-59
lines changed

articles/sentinel/automation/automation.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ For more information, see [Automate threat response with playbooks in Microsoft
5151

5252
## Automation in the Microsoft Defender portal
5353

54-
After onboarding your Microsoft Sentinel workspace to the Defender portal, note the following differences in the way automation functions in your workspace:
54+
Note the following details about how automation works for Microsoft Sentinel in the Defender portal. If you're an existing customer who's transitioning from the Azure portal to the Defender portal, you may note differences in the way automation functions in your workspace after onboarding to the Defender portal.
5555

5656
[!INCLUDE [automation-in-defender](../includes/automation-in-defender.md)]
5757
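Review bot: Added line 54 uses "note" twice in consecutive sentences ("Note the following details" and "you may note differences") and names the Defender portal twice in the second sentence. Suggest "you might notice differences in how automation functions in your workspace after onboarding", which also avoids "may" for possibility.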

articles/sentinel/best-practices.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ More than ingesting alerts and logs from other sources, Microsoft Sentinel also:
3939

4040
For more information about integrating data from other services or providers, see [Microsoft Sentinel data connectors](connect-data-sources.md).
4141

42-
Consider onboarding Microsoft Sentinel to the Microsoft Defender portal to unify capabilities with Microsoft Defender XDR like incident management and advanced hunting. For more information, see the following articles:
42+
If you're using Microsoft Sentinel in the Azure portal, consider onboarding Microsoft Sentinel to the Microsoft Defender portal to unify capabilities with Microsoft Defender XDR like incident management and advanced hunting. For more information, see the following articles:
4343

4444
- [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard)
4545
- [Microsoft Sentinel in the Microsoft Defender portal](microsoft-sentinel-defender-portal.md)
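Review bot: Added line 42 names the product three times in one sentence ("If you're using Microsoft Sentinel in the Azure portal, consider onboarding Microsoft Sentinel to the Microsoft Defender portal ..."). Suggest "consider onboarding your workspace to the Microsoft Defender portal" for the second mention.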

articles/sentinel/business-continuity-disaster-recovery.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@ To support BCDR in a regional outage, Microsoft Sentinel uses a customer-enabled
4949

5050
Customer-enabled BCDR involves:
5151

52-
- Creating two identical Log Analytics workspaces that are enabled for Microsoft Sentinel in the appropriate regions. For more information, see [Quickstart: Onboard Microsoft Sentinel](quickstart-onboard.md).
52+
- Creating two identical Log Analytics workspaces that are enabled for Microsoft Sentinel in the appropriate regions. For more information, see [Onboard Microsoft Sentinel](quickstart-onboard.md).
5353

5454
In the backup workspace, focus on the data sources, analytic rules, and other configurations that are critical for your business continuity.
5555
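Review bot: On added line 52 the link text drops "Quickstart:" but the target is still quickstart-onboard.md. Confirm the new link text matches the current title of the target article exactly; if the target is still a quickstart, keep the prefix so readers know what kind of article they will land on.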

articles/sentinel/includes/unified-soc-preview-without-alert.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,9 @@ description: Provides an include file for the general Microsoft Sentinel Azure p
44
services: microsoft-sentinel
55
author: batamig
66
ms.topic: "include"
7-
ms.date: 10/16/2024
7+
ms.date: 07/01/2025
88
ms.author: bagol
99
ms.custom: "include file"
1010
---
1111

12-
[Microsoft Sentinel is generally available in the Microsoft Defender portal](../microsoft-sentinel-defender-portal.md), including for customers without Microsoft Defender XDR or an E5 license. Starting in **July 2026**, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected. We recommend that any customers using Microsoft Sentinel in Azure start planning the [transition to the Defender portal](../move-to-defender.md) for the full [unified security operations experience offered by Microsoft Defender](/unified-secops-platform/overview-unified-security). For more information, see [Planning your move to Microsoft Defender portal for all Microsoft Sentinel customers](https://techcommunity.microsoft.com/blog/microsoft-security-blog/planning-your-move-to-microsoft-defender-portal-for-all-microsoft-sentinel-custo/4428613) (blog).
12+
Starting in **July 2026**, all customers using Microsoft Sentinel in the Azure portal will be [redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only](../overview.md#microsoft-sentinel-in-the-azure-portal-retirement-timeline). Starting in **July 2025**, many new users are also automatically [onboarded and redirected from the Azure portal to the Defender portal](../overview.md#changes-for-new-customers-starting-july-2025). If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your [transition to the Defender portal](../move-to-defender.md) to ensure a smooth transition and take full advantage of the [unified security operations experience offered by Microsoft Defender](/unified-secops-platform/overview-unified-security). For more information, see [It’s Time to Move: Retiring Microsoft Sentinel’s Azure portal for greater security](https://techcommunity.microsoft.com/blog/microsoft-security-blog/planning-your-move-to-microsoft-defender-portal-for-all-microsoft-sentinel-custo/4428613).
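Review bot: Added line 12 says "many new users are also automatically onboarded and redirected from the Azure portal", while the sibling include unified-soc-preview.md words the same fact as "many new customers are automatically onboarded and redirected"; pick one wording so the two includes do not drift. This version also drops the statement that Microsoft Sentinel is generally available in the Defender portal for customers without Defender XDR or an E5 license, which the sibling include keeps at its line 13; restore it if the omission was not intended.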

articles/sentinel/includes/unified-soc-preview.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.custom: "include file"
1212
> [!IMPORTANT]
1313
> [Microsoft Sentinel is generally available in the Microsoft Defender portal](../microsoft-sentinel-defender-portal.md), including for customers without Microsoft Defender XDR or an E5 license.
1414
>
15-
> Starting in **July 2026**, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected.
15+
> Starting in **July 2026**, all customers using Microsoft Sentinel in the Azure portal will be [redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only](../overview.md#microsoft-sentinel-in-the-azure-portal-retirement-timeline). Starting in **July 2025**, many new customers are [automatically onboarded and redirected to the Defender portal](../overview.md#changes-for-new-customers-starting-july-2025).
1616
>
17-
> We recommend that any customers using Microsoft Sentinel in Azure start planning the [transition to the Defender portal](../move-to-defender.md) for the full [unified security operations experience offered by Microsoft Defender](/unified-secops-platform/overview-unified-security). For more information, see [Planning your move to Microsoft Defender portal for all Microsoft Sentinel customers](https://techcommunity.microsoft.com/blog/microsoft-security-blog/planning-your-move-to-microsoft-defender-portal-for-all-microsoft-sentinel-custo/4428613).
17+
> If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your [transition to the Defender portal](../move-to-defender.md) to ensure a smooth transition and take full advantage of the [unified security operations experience offered by Microsoft Defender](/unified-secops-platform/overview-unified-security). For more information, see [It’s Time to Move: Retiring Microsoft Sentinel’s Azure portal for greater security](https://techcommunity.microsoft.com/blog/microsoft-security-blog/planning-your-move-to-microsoft-defender-portal-for-all-microsoft-sentinel-custo/4428613).
1818
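Review bot: On added line 17, "start planning your transition to the Defender portal to ensure a smooth transition" repeats "transition" within one clause; dropping "to ensure a smooth transition and" keeps the meaning. The new link text also uses typographic apostrophes ("It’s", "Sentinel’s") and a title that no longer matches the "planning-your-move-to-microsoft-defender-portal" slug in the URL, so confirm the title against the published post.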

articles/sentinel/microsoft-365-defender-sentinel-integration.md

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
---
22
title: Microsoft Defender XDR integration with Microsoft Sentinel
33
description: Learn how using Microsoft Defender XDR together with Microsoft Sentinel lets you use Microsoft Sentinel as your universal incidents queue.
4-
author: yelevin
5-
ms.author: yelevin
4+
author: batamig
5+
ms.author: bagol
66
ms.topic: conceptual
7-
ms.date: 03/17/2025
7+
ms.date: 06/12/2025
88
appliesto:
99
- Microsoft Sentinel with Defender XDR in the Microsoft Defender portal
1010
- Microsoft Sentinel in the Azure portal
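Review bot: The new ms.date on line 7 is 06/12/2025, but the body added later in this file describes workspaces onboarded after July 1, 2025, and the include file updated in this commit is dated 07/01/2025. Consider aligning the date. The change of author and ms.author on lines 4 and 5 is an ownership change, so it is worth stating in the pull request description.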
@@ -17,12 +17,13 @@ ms.collection: usx-security
1717

1818
# Microsoft Defender XDR integration with Microsoft Sentinel
1919

20-
Integrate Microsoft Defender XDR with Microsoft Sentinel to stream all Defender XDR incidents and advanced hunting events into Microsoft Sentinel and keep the incidents and events synchronized between the Azure and Microsoft Defender portals. Incidents from Defender XDR include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Microsoft Sentinel, incidents remain bi-directionally synced with Defender XDR, allowing you to take advantage of the benefits of both portals in your incident investigation.
20+
This article describes how Microsoft Defender XDR services integrate with Microsoft Sentinel, whether in the Microsoft Defender portal or in the Azure portal.
2121

22-
Alternatively, onboard Microsoft Sentinel to the Defender portal to use it together with Defender XDR for unified security operations. For more information, see the following resources:
22+
- If you first onboarded to Microsoft Sentinel after July 1, 2025 with permissions of a subscription [Owner](/azure/role-based-access-control/built-in-roles#owner) or a [User access administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator), your workspace is [automatically onboarded to the Defender portal](quickstart-onboard.md). In such cases, you [use Microsoft Sentinel in the Defender portal only](microsoft-sentinel-defender-portal.md), where your data can integrate directly with Defender XDR service data for [unified security operations](/unified-secops-platform/overview-unified-security).
2323

24-
- [What are unified security operations?](/unified-secops-platform/overview-unified-security)
25-
- [Microsoft Sentinel in the Microsoft Defender portal](microsoft-sentinel-defender-portal.md)
24+
- If you're otherwise using the Azure portal in addition to or instead of the Defender portal, integrate Microsoft Defender XDR with Microsoft Sentinel. Integrating the services streams all Defender XDR incidents and advanced hunting events into Microsoft Sentinel, and keeps the incidents and events synchronized between the Azure and Microsoft Defender portals.
25+
26+
Incidents from Defender XDR include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Microsoft Sentinel, incidents remain bi-directionally synced with Defender XDR, allowing you to take advantage of the benefits of both portals in your incident investigation.
2627

2728
## Microsoft Sentinel and Defender XDR
2829
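Review bot: Added line 22 scopes automatic onboarding to workspaces onboarded "after July 1, 2025", which excludes July 1 itself, while the include files say "Starting in **July 2025**"; use "on or after July 1, 2025" if that date is included. The same line writes the role as "User access administrator", where the linked built-in role is named User Access Administrator. The paragraph on line 26 ("Incidents from Defender XDR include ...") now follows both bullets but describes the integration in the second bullet only, so consider indenting it under that bullet or opening it with the condition.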

@@ -193,7 +194,7 @@ The Defender XDR connector also lets you stream **advanced hunting** events&mdas
193194

194195
- Use the raw event logs to provide further insights for your alerts, hunting, and investigation, and correlate these events with events from other data sources in Microsoft Sentinel.
195196

196-
- Store the logs with increased retention, beyond Defender XDR’s or its components' default retention of 30 days. You can do so by configuring the retention of your workspace or by configuring per-table retention in Log Analytics.
197+
- Store the logs with increased retention, beyond the Defender XDR default retention of 30 days. You can do so by configuring the retention of your workspace or by configuring per-table retention in Log Analytics.
197198

198199
## Related content
199200
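Review bot: Added line 197 removes "or its components'" and now attributes the 30-day default retention to Defender XDR alone. Confirm that no component whose events stream through this connector has a different default retention, since readers use this sentence to decide whether they need longer retention in Log Analytics.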

articles/sentinel/microsoft-sentinel-defender-portal.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn about the Microsoft Sentinel experience when you onboard Micr
44
author: batamig
55
ms.author: bagol
66
ms.topic: conceptual
7-
ms.date: 06/22/2025
7+
ms.date: 06/23/2025
88
appliesto:
99
- Microsoft Sentinel in the Microsoft Defender portal
1010
ms.collection: usx-security
@@ -20,14 +20,14 @@ Microsoft Defender provides a unified cybersecurity solution that integrates end
2020

2121
Microsoft Sentinel is generally available in the Microsoft Defender portal, either with [Microsoft Defender XDR](/microsoft-365/security/defender), or on its own, delivering a unified experience across SIEM and XDR for faster and more accurate threat detection and response, simplified workflows, and enhanced operational efficiency.
2222

23-
This article describes the Microsoft Sentinel experience in the Defender portal. We recommend that customers using Microsoft Sentinel in the Azure portal move into Microsoft Defender to take advantage of the unified security operations available and the latest capabilities. For more information, see [Transition your Microsoft Sentinel environment to the Defender portal](move-to-defender.md).
23+
This article describes the Microsoft Sentinel experience in the Defender portal.
2424

25+
[!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
2526

2627
## New and improved capabilities
2728

2829
The following table describes the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel. Microsoft continues to innovate in this new experience with features that might be exclusive to the Defender portal.
2930

30-
3131
| Capabilities | Description | Learn more |
3232
| ----------------- | ------------------------ | ---------- |
3333
| **Streamlined operations** | Manage all security incidents, alerts, and investigations from a single, unified interface.<br><br>- **Unified entity pages** for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal.<br><br>- **Unified incidents** let you manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Security Copilot to summarize, respond, and report. Unified incidents include data from the breadth of sources, AI analytics tools of security information and event management (SIEM), and context and mitigation tools offered by extended detection and response (XDR).<br><br>- Use **Advanced hunting** to query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. Use Security Copilot to help generate your KQL, view and query all data including data from Microsoft security services and Microsoft Sentinel, and then use all your existing Microsoft Sentinel workspace content, including queries and functions, to investigate. | - [Investigate entities with entity pages in Microsoft Sentinel](/azure/sentinel/entity-pages)<br><br>- [Incident response in the Microsoft Defender portal](/microsoft-365/security/defender/incidents-overview)<br><br>- [Investigate Microsoft Sentinel incidents in Security Copilot](sentinel-security-copilot.md)<br><br>- [Advanced hunting in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2264410)<br>[Security Copilot in advanced hunting](/defender-xdr/advanced-hunting-security-copilot) |
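Review bot: The include added on line 25 pulls in a notice that addresses readers who are "still using Microsoft Sentinel in the Azure portal" (its wording in unified-soc-preview.md), but the appliesto list at the top of this article names only Microsoft Sentinel in the Microsoft Defender portal. Consider a short lead-in that says who the notice is for, or confirm that placing it directly under the introduction is intended for this audience.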
