Commit cd97601

Merge pull request #299761 from batamig/patch-126994
[OneSoc] clarify about multi workspace for USX
2 parents fd76c0f + 35fec9a commit cd97601

1 file changed: +13 -8 lines changed

articles/sentinel/workspaces-defender-portal.md

Lines changed: 13 additions & 8 deletions
@@ -8,25 +8,30 @@ ms.date: 02/27/2025
88
appliesto:
99
- Microsoft Sentinel with Defender XDR in the Defender portal
1010

11-
#Customer intent: As a security profession, I want to understand the support for multiple workspaces for Microsoft Sentinel in the Defender portal so that I can make the right choices for my organization when setting up and managing workspaces.
11+
#Customer intent: As a security professional, I want to understand the support for multiple workspaces for Microsoft Sentinel in the Defender portal so that I can make the right choices for my organization when setting up and managing workspaces.
1212

1313
---
1414

1515
# Multiple Microsoft Sentinel workspaces in the Defender portal (preview)
1616

1717
The Defender portal allows you to connect to one primary workspace and multiple secondary workspaces for Microsoft Sentinel. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.
1818

19-
This article primarily applies to the scenario where you onboard Microsoft Sentinel with Microsoft Defender XDR to unify your experiences in [Microsoft's unified security operations (SecOps) platform](/unified-secops-platform/overview-unified-security). If you plan to use Microsoft Sentinel in the Defender portal without Defender XDR, you can manage multiple workspaces. But, the primary workspace doesn't include Defender XDR data and you won't have access to Defender XDR capabilities.
19+
This article primarily applies to the scenario where you onboard Microsoft Sentinel to the Defender portal together with Microsoft Defender XDR for [unified security operations](/unified-secops-platform/overview-unified-security). If you plan to use Microsoft Sentinel in the Defender portal without Microsoft Defender XDR, you can still manage multiple workspaces. However, since you don't have Defender XDR, your primary workspace won't have Defender XDR data, and you won't have access to Defender XDR features.
2020

2121
## Primary and secondary workspaces
2222

23-
When you onboard Microsoft Sentinel, you select a primary workspace. A primary workspace's alerts are correlated with Defender XDR data. So, incidents include alerts from Microsoft Sentinel's primary workspace and Defender XDR in a unified queue.
23+
Select your primary workspace when you onboard Microsoft Sentinel to the Defender portal. Any other workspaces that you onboard to the Defender portal are considered as secondary workspaces. The Defender portal supports one primary workspace and up to 99 secondary workspaces per tenant for Microsoft Sentinel.
2424

25-
- All Defender XDR alerts and incidents are synced back to the primary workspace.
26-
- All other onboarded workspaces are considered secondary workspaces. Incidents are created based on the workspace’s data and won't include Defender XDR data.
27-
- The Defender portal keeps incident creation and alert correlation separate between the Microsoft Sentinel workspaces.
28-
- The Defender portal supports one primary workspace and up to 99 secondary workspaces per tenant for Microsoft Sentinel.
29-
- One primary workspace must always be connected to the Defender portal when using Microsoft's unified SecOps platform.
25+
When you also have Microsoft Defender XDR, alerts from your primary workspace are correlated with Defender XDR data, and incidents include alerts from both your primary workspace and Defender XDR in a unified queue.
26+
27+
In such cases:
28+
29+
- All Defender XDR alerts and incidents are synced to your primary workspace only.
30+
- The Defender portal keeps incident creation and alert correlation separate between the Microsoft Sentinel workspaces. Incidents in secondary workspaces don't include data from any other workspace, or from Defender XDR.
31+
- The Defender XDR data connector is disconnected in secondary workspaces. This means that Defender XDR data is no longer available in a secondary workspace, and analytics rules and automation that you have configured based on Defender XDR data no longer function.
32+
- One primary workspace must always be connected to the Defender portal.
33+
34+
For example, you might be working on a global SOC team in a company that has multiple, autonomous workspaces. In such cases, you might not want to see incidents and alerts from each of these workspaces in your global SOC queue in the Defender portal. Since these workspaces are onboarded to the Defender portal as secondary workspaces, they show in the Defender portal as Microsoft Sentinel only, without any Defender data, and continue to function autonomously. When looking at your global SOC workspace, you won't see data from these secondary workspaces.
3035

3136
Where you have multiple Microsoft Sentinel workspaces within a Microsoft Entra ID tenant, consider using the primary workspace for your global security operations center.
3237
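
Review bot: The bullet added at new line 31 says that in secondary workspaces the Defender XDR data connector is disconnected and that analytics rules and automation based on Defender XDR data no longer function, yet it sits mid-list under "In such cases:", whose antecedent (new line 25, "When you also have Microsoft Defender XDR") is easy to lose. Because this describes a loss of detection and response coverage, consider moving it out of the list into its own note or warning, stating at what point the connector is disconnected, and telling readers to review the rules and automation that depend on Defender XDR data before they onboard a workspace as secondary. Separately, new line 23 reads "are considered as secondary workspaces"; "are considered secondary workspaces", as removed line 26 had it, is cleaner.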
