Merge pull request #4444 from MicrosoftDocs/main

[AutoPublish] main to live - 07/08 04:29 PDT | 07/08 16:59 IST

Author: m365-skilling-repo-management[bot]

unified-secops-platform/mto-advanced-hunting.md

@@ -3,18 +3,18 @@ title: Advanced hunting in Microsoft Defender multitenant management
 description: Learn about advanced hunting in Microsoft Defender multitenant management
 search.appverid: met150
 ms.service: unified-secops-platform
-ms.author: deniseb
-author: denisebmsft
+ms.author: bagol
+author: batamig
 ms.localizationpriority: medium
-manager: dansimp
+manager: orspodek
 audience: ITPro
 ms.collection: 
 - m365-security
 - highpri
 - tier1
 - usx-security
 ms.topic: article
-ms.date: 05/02/2025
+ms.date: 07/07/2025
 appliesto:
   - Microsoft Defender XDR
   - Microsoft Sentinel in the Microsoft Defender portal
@@ -23,18 +23,15 @@ appliesto:
 # Advanced hunting in Microsoft Defender multitenant management
 
 Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants and workspaces at the same time. If you have multiple tenants with Microsoft Sentinel workspaces onboarded to the Microsoft Defender portal, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants and workspaces.
- 
 
 Multiple workspaces per tenant are supported in multitenant Advanced hunting as preview.
 
-
 ## Quotas
 
 In multitenant environments, advanced hunting queries can return a maximum of 50,000 records in total. The result set from each individual tenant is capped at 50,000 divided by the number of tenants queried. 
 
 For more information about service limits in advanced hunting, read [Understand advanced hunting quotas](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters).
 
-
 ## Run cross-tenant queries
 
 You can run any query that you already have access to in the multitenant management **Advanced hunting** page.
@@ -70,8 +67,8 @@ You can run any query that you already have access to in the multitenant managem
    | take 10
    ```
 
-> [!NOTE]
-> If you have tables with the same name but different schemas in multiple workspaces and want to use them in the same query, you should use the workspace operator to uniquely identify the table that you need.
+>[!IMPORTANT]
+> Running queries across multiple tenants using the `adx(x)` operator will run separate ADX queries per tenant and aggregate them, which might return duplicate results. Use the `adx(x)` operator with multiple tenants only if you need to join tenant results with ADX data. For more information about ADX in Advanced hunting, see [Use Microsoft Sentinel functions, saved queries, and custom rules](/defender-xdr/advanced-hunting-defender-use-custom-rules#use-adx-operator-for-azure-data-explorer-queries).
 
 To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
 
@@ -101,16 +98,14 @@ For more information, see [Query multiple workspaces](/azure/sentinel/extend-sen
 
 ## View schema tables
 
-You can view the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab. 
+View the [advanced hunting schema tables](/defender-xdr/advanced-hunting-schema-tables) in the left pane inside the advanced hunting page under the **Schema** tab. 
 
 The schema list is a unified view of all tables from all your tenants regardless of the tenant selected in the upper right tenant selector.
 
 This could mean that some tables that appear here might only be available for query in some tenants, like custom Microsoft Sentinel tables.
 
-
 ## View and manage custom detection rules
 
-
 You can also manage custom detection rules from multiple tenants in the custom detection rules page.
 
 ### View custom detection rules by tenant
@@ -139,11 +134,6 @@ To manage detection rules:
 
 1. Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](/defender-xdr/custom-detection-rules).
 
-
-
-
-
-
 ## Related content
 
 - [Set up Microsoft Defender multitenant management](mto-requirements.md)

unified-secops-platform/whats-new.md

@@ -6,7 +6,7 @@ ms.service: unified-secops-platform
 ms.author: bagol
 author: batamig
 ms.localizationpriority: medium
-ms.date: 07/01/2025
+ms.date: 07/08/2025
 manager: orspodek
 audience: ITPro
 ms.collection:
@@ -22,6 +22,21 @@ This article lists recent features added for unified security operations in the
 
 ## July 2025
 
+- [No limit on the number of workspaces you can onboard to the Defender portal](#no-limit-on-the-number-of-workspaces-you-can-onboard-to-the-defender-portal)
+- [Microsoft Sentinel in the Azure portal to be retired July 2026](#microsoft-sentinel-in-the-azure-portal-to-be-retired-july-2026)
+
+### No limit on the number of workspaces you can onboard to the Defender portal
+
+There is no longer any limit to the number of workspaces you can onboard to the Defender portal.
+
+Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule. 
+
+For more information, see:
+
+- [Connect Microsoft Sentinel to the Microsoft Defender portal](microsoft-sentinel-onboard.md)
+- [Multiple Microsoft Sentinel workspaces in the Defender portal](/azure/sentinel/workspaces-defender-portal)
+- [Extend Microsoft Sentinel across workspaces and tenants](/azure/sentinel/extend-sentinel-across-workspaces-tenants)
+
 ### Microsoft Sentinel in the Azure portal to be retired July 2026
 
 Microsoft Sentinel is [generally available in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal), including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.
@@ -194,24 +209,6 @@ Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and help you
 
 For more information, see [Visualize and monitor your data by using workbooks in Microsoft Sentinel](/azure/sentinel/monitor-your-data) and [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md).
 
-## November 2024
-
-- [Microsoft Sentinel availability in Microsoft Defender portal](#microsoft-sentinel-availability-in-microsoft-defender-portal)
-- [Feature availability for Government clouds](#feature-availability-for-government-clouds)
-
-### Microsoft Sentinel availability in Microsoft Defender portal
-
-We previously announced Microsoft Sentinel is generally available in the Microsoft Defender portal. For preview, Microsoft Sentinel is now available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see:
-
- - [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal)
- - [Connect Microsoft Sentinel to the Microsoft Defender portal](microsoft-sentinel-onboard.md)
-
-### Feature availability for Government clouds
-
-In the Defender portal, all Microsoft Sentinel features that are in general availability are now available in both commercial and GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.
-
-For more information, see [Microsoft Sentinel feature support for Azure commercial/other clouds](/azure/sentinel/feature-availability#experience-in-the-defender-portal) and [Microsoft Defender XDR for US Government customers](/defender-xdr/usgov).
-
 ## Related content
 
 For more information on what's new with other Microsoft Defender security products and Microsoft Sentinel, see: