Skip to content

Commit a367777

Browse files
prmerger-automator[bot]prmerger-automator[bot]
authored
Merge pull request #300361 from batamig/irm-multi-x
fixing irm for multi x - sentinel
2 parents 4dfc239 + 27e5b73 commit a367777

File tree

1 file changed

+9
-3
lines changed

1 file changed

+9
-3
lines changed

articles/sentinel/workspaces-defender-portal.md

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
---
22
title: Multiple workspaces - Microsoft Sentinel in Defender portal
33
description: Learn about the support of multiple workspaces for Microsoft Sentinel in the Defender portal including primary and secondary workspaces.
4-
author: cwatson-cat
5-
ms.author: cwatson
4+
author: batamig
5+
ms.author: bagol
66
ms.topic: concept-article
7-
ms.date: 02/27/2025
7+
ms.date: 05/26/2025
88
appliesto:
99
- Microsoft Sentinel with Defender XDR in the Defender portal
1010

@@ -89,6 +89,12 @@ How incident changes sync between the Azure portal and the Defender portal depen
8989
|Primary | For Microsoft Sentinel in the Azure portal, Defender XDR incidents appear in **Threat management** > **Incidents** with the incident provider name **Microsoft XDR**. Any changes you make to the status, closing reason, or assignment of a Defender XDR incident in either the Azure or Defender portal, update in the other's incidents queue. For more information, see [Working with Microsoft Defender XDR incidents in Microsoft Sentinel and bi-directional sync](microsoft-365-defender-sentinel-integration.md#working-with-microsoft-defender-xdr-incidents-in-microsoft-sentinel-and-bi-directional-sync).|
9090
|Secondary | All alerts and incidents that you create for a secondary workspace are synced between that workspace in the Azure and Defender portals. Data in a workspace is only synced to the workspace in the other portal. |
9191

92+
## Insider risk management (IRM) support
93+
94+
[Microsoft Purview Insider Risk Management (IRM)](/defender-xdr/irm-investigate-alerts-defender) alerts are correlated to the primary workspace only. If you have IRM alerts with [Microsoft Defender XDR](microsoft-365-defender-sentinel-integration.md), you must connect IRM to the Microsoft Defender XDR connector in your primary workspace before onboarding the workspace to the Defender portal. This is required to ensure that IRM alerts and incidents are available in the primary workspace. If you don't want to see IRM alerts in the primary workspace, you can instead opt out of the integration with Microsoft Defender XDR.
95+
96+
Also, if the direct [Microsoft 365 Insider Risk Management connector for Microsoft Sentinel](data-connectors/microsoft-365-insider-risk-management.md) data connector is connected to any of the secondary workspaces, you must disconnect it before onboarding the workspace to the Defender portal.
97+
9298
## Related content
9399

94100
- [Microsoft Defender multitenant management](/unified-secops-platform/mto-overview)

0 commit comments

Comments
 (0)