transition draft

Author: batamig

unified-secops-platform/TOC.yml

@@ -20,6 +20,8 @@
             href: /azure/sentinel/microsoft-365-defender-sentinel-integration?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal
           - name: Experience in the Defender portal
             href: /azure/sentinel/microsoft-sentinel-defender-portal?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json
+          - name: Transition to unified SecOps from the Azure portal
+            href: transition.md
         - name: Microsoft Copilot
           href: /defender-xdr/security-copilot-in-microsoft-365-defender?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json
         - name: Microsoft Security Exposure Management
@@ -40,9 +42,11 @@
     - name: Deploy
       items:
       - name: Overview
-        href: overview-deploy.md
+        href: deploy/overview-deploy.md
       - name: Connect Microsoft Sentinel to Microsoft Defender
-        href: microsoft-sentinel-onboard.md
+        href: deploy/microsoft-sentinel-onboard.md
+      - name: Transition to unified SecOps by persona
+        href: deploy/transition.md
     - name: Reduce security risk
       items:
       - name: Improve security posture and reduce risk"

unified-secops-platform/includes/mininum-access-requirements.md

@@ -0,0 +1,10 @@
+---
+title: include file
+description: include file
+ms.topic: include
+ms.date: 04/22/2025
+---
+
+The minimal required permission for an analyst to view Microsoft Sentinel data is to delegate permissions for the Azure RBAC Sentinel Reader role. These permissions are also applied to the unified portal. Without these permissions, the Microsoft Sentinel navigation menu is not available on the unified portal, despite the analyst having access to the Microsoft Defender portal.
+
+A best practice is to have all Microsoft Sentinel related resources in the same Azure resource group, then delegate Microsoft Sentinel role permissions (like the Sentinel Reader role) at the resource group level that contains the Microsoft Sentinel workspace. By doing this, the role assignment applies to all the resources that support Microsoft Sentinel.

unified-secops-platform/overview-deploy.md

@@ -72,9 +72,11 @@ For more information, see [Onboard Microsoft Sentinel](/azure/sentinel/quickstar
 
 Provision your users based on the access plan you'd [prepared earlier](overview-plan.md#plan-roles-and-permissions). To comply with Zero Trust principles, we recommend that you use role-based access control (RBAC) to provide user access only to the resources that are allowed and relevant for each user, instead of providing access to the entire environment.
 
+[!INCLUDE [mininum-access-requirements](/includes/mininum-access-requirements.md)]
+
 For more information, see:
 
-- [Activate Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/activate-defender-rbac)
+- [Onboarding prerequisites](deploy/microsoft-sentinel-onboard.md#prerequisites)
 - [Assign Microsoft Entra ID roles to users](/entra/identity/role-based-access-control/manage-roles-portal)
 - [Grant a user access to Azure roles](/azure/role-based-access-control/quickstart-assign-role-user-portal)
 

unified-secops-platform/overview-plan.md

@@ -178,12 +178,19 @@ The following table describes portals for other workloads that can impact your s
 
 ## Plan roles and permissions
 
-Use Microsoft Entra role based access control (RBAC) to create and assign roles within your security operations team to grant appropriate access to services included in Microsoft's unified SecOps platform.
+Microsoft's unified security operations (SecOps) platform unifies the following role-based access control (RBAC) models:
 
-The Microsoft Defender XDR Unified role-based access control (RBAC) model provides a single permissions management experience that provides one central location for administrators to control user permissions across several security solutions. For more information, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
+- [Microsoft Entra ID RBAC](/entra/identity/role-based-access-control/custom-overview), used for delegating access to Defender access, like device groups
+- [Azure RBAC](/azure/role-based-access-control/), used by Microsoft Sentinel to delegate permissions
+- [Defender unified RBAC](/defender-xdr/manage-rbac), used to delegate permissions across Defender solutions
 
-For the following services, use the different roles available, or create custom roles, to give you fine-grained control over what users can see and do. For more information, see:
+While permissions granted through Azure RBAC for Microsoft Sentinel are federated during runtime with Defender's unified RBAC, Azure RBAC and Defender RBAC are still managed separately.
+
+Defender's unified RBAC isn't required to onboard your workspace to the Defender portal, and Microsoft Sentinel permissions continue to work as expected in the Defender portal even without unified RBAC. However, using unified RBAC does simplify the delegation of permissions across Defender solutions. For more information, see [Activate Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/activate-defender-rbac).
 
+[!INCLUDE [mininum-access-requirements](includes/mininum-access-requirements.md)]
+
+For the following services, use the different roles available, or create custom roles, to give you fine-grained control over what users can see and do. For more information, see:
 
 | Security service         | Link to role requirements                  |
 | ------------------------ | ------------------------------------------- |
@@ -201,6 +208,13 @@ For the following services, use the different roles available, or create custom
 | Microsoft Defender for Cloud      | [User roles and permissions](/azure/defender-for-cloud/permissions) |
 | Microsoft Purview Insider Risk Management | [Enable permissions for insider risk management](/purview/insider-risk-management-configure?tabs=purview-portal#step-1-required-enable-permissions-for-insider-risk-management) |
 
+For more information, see:
+
+- [Plan roles and permissions for Microsoft Sentinel](/azure/sentinel/roles)
+- [Azure built-in roles](/azure/role-based-access-control/built-in-roles)
+- [Microsoft Sentinel roles](/azure/role-based-access-control/built-in-roles#security)
+- [Onboarding prerequisites](deploy/microsoft-sentinel-onboard.md#prerequisites)
+
 ## Plan Zero Trust activities
 
 Microsoft's unified SecOps platform is part of [Microsoft's Zero Trust security model](zero-trust.md), which includes the following principles:

unified-secops-platform/transition.md

@@ -0,0 +1,114 @@
+---
+title: Transitioning to Microsoft's unified SecOps platform
+description: Learn about the different security roles involved in transitioning to Microsoft's unified SecOps platform from Microsoft Sentinel in the Azure portal.
+ms.service: unified-secops-platform
+ms.author: bagol
+author: batamig
+ms.date: 11/22/2024
+ms.collection:
+- M365-security-compliance
+- tier1
+- usx-security
+ms.topic: conceptual
+# customer intent: As a security professional, I want to understand the benefits and process of transitioning to Microsoft's unified SecOps platform so I can effectively plan my organization's migration from the standalone Microsoft Sentinel portal before its decommissioning.
+---
+
+# Transition to Microsoft's unified SecOps platform
+
+Microsoft's unified security operations (SecOps) platform provides a single platform for end-to-end security operations (SecOps). This platform combines services like [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender), [Microsoft Sentinel](/azure/sentinel/overview), [Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management), and [Microsoft Security Copilot](/copilot/security/microsoft-security-copilot) within the Microsoft Defender portal. The unified SecOps platform provides multi-tenant and multi-workspace capabilities, a single incident queue, alert correlation, and automatic attack disruption to ensure streamlined workflows and enhances security operations efficiency.
+
+Starting in May 2026, customers using the Microsoft Sentinel experience in the Azure portal will be redirected to the unified SecOps platform in the Microsoft Defender portal. Microsoft Sentinel in the Azure portal will be decommissioned on July 1, 2026. To prepare for this change, we recommend that customers that are still using the Microsoft Sentinel experience in the Azure portal proactively transition to Microsoft's unified SecOps platform in the Microsoft Defender portal.
+
+For more information, see the relevant documentation for each feature and [Capability differences between portals](/azure/sentinel/microsoft-sentinel-defender-portal##capability-differences-between-portals).
+
+## Benefits of transitioning to the unified SecOps platform
+
+Transitioning to the unified SecOps platform offers the following benefits, and more:
+
+- **Streamlined Operations**: Manage all security incidents, alerts, and investigations from a single, unified interface.
+- **Enhanced Threat Detection**: Leverage advanced AI and machine learning for faster and more accurate threat detection and response. Benefit from an improved signal-to-noise ratio and enhanced alert correlation, ensuring that critical threats are identified and addressed promptly.
+- **New Features**: Access robust tools like Case Management for organizing and managing security incidents.
+- **Embedded Copilot Experience**: For customers using Copilot, enjoy a seamless experience for incident summaries and reports, guided investigation, auto-generated Microsoft Teams messages, code analysis, and more.
+- **Unified hunting, incidents, and investigation**: For customers using Defender XDR, benefit from a comprehensive view for more efficient threat detection and response.
+- **Enhanced visibility and reduced risk exposure**: Analyze attack paths to see how a cyber attacker could exploit vulnerabilities to move laterally across exposed assets in your environment. Use guided recommendations to reduce exposure and prioritize actions based on each exposure's potential impact.
+- **Tailored post-incident recommendations**: Prevent similar or repeat cyberattacks with tailored post incident recommendations tied to Microsoft Security Exposure Management initiatives.
+
+For more information, see [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal).
+
+## Transition to unified SecOps as a security architect
+
+The following content is relevant for security architects on a SecOps team that's transitioning from Microsoft Sentinel in the Azure portal to unified SecOps in the Defender portal:
+
+- **Access**: 
+
+    [!INCLUDE [mininum-access-requirements](../includes/mininum-access-requirements.md)]
+
+    - [Plan roles and permissions](../overview-plan.md#plan-roles-and-permissions), including role-based access control (RBAC)
+    - [Configure roles and permissions](overview-deploy.md#configure-roles-and-permissions)
+    
+- **Multiple workspaces and tenants**:
+
+    - [Multiple Microsoft Sentinel workspaces in the Defender portal](/azure/sentinel/prepare-multiple-workspaces)
+    - [Extend Microsoft Sentinel across workspaces and tenants](/azure/sentinel/extend-sentinel-across-workspaces-tenants)
+    - [Microsoft Defender multitenant management](../mto-overview.md)
+
+- **Log tiering and retention**: 
+
+    Microsoft Sentinel classifies security data as primary security data and secondary security data. For primary security data, which you want to monitor closely, we recommend the analytic tier. For secondary security data, we recommend auxiliary. Both types of data are accessible for queries in the **Advanced hunting** page in the Defender portal.
+
+    - [When to use auxiliary logs in Microsoft Sentinel](/azure/sentinel/basic-logs-use-cases)
+    - [Log retention plans in Microsoft Sentinel](/azure/sentinel/log-plans)
+    - [Set up a table with the Auxiliary plan for low-cost data ingestion and retention in your Log Analytics workspace](/azure/azure-monitor/logs/create-custom-table-auxiliary) 
+    - [Microsoft Sentinel in the Defender portal: threat management](/azure/sentinel/microsoft-sentinel-defender-portal#threat-management)
+
+## Transition to unified SecOps as a security engineer
+
+The following content is relevant for security engineers on a SecOps team that's transitioning from Microsoft Sentinel in the Azure portal to unified SecOps in the Defender portal:
+
+- **Data collection**:
+
+    - [Microsoft Sentinel data connectors](/azure/sentinel/connect-data-sources?tabs=defender-portal)
+    - Experience in the Defender portal:
+        - [Visibility of connectors used by the unified security operations platform](/azure/sentinel/microsoft-sentinel-defender-portal)
+        - [Defender for Cloud](/azure/sentinel/microsoft-sentinel-defender-portal) <!--add bookmarks for data connector specifics, also add content there re mdc and dlp items. that's on ed>
+        - [DLP data](/azure/sentinel/microsoft-sentinel-defender-portal) <!--add bookmarks for data connector specifics, also add content there re mdc and dlp items. that's on ed>
+
+- **Automation**: [Automation in the Microsoft Defender portal](/azure/sentinel/automation/automation#automation-in-the-microsoft-defender-portal)
+
+- **Ecosystem**: Distribute content across workspaces using one of the following methods:
+
+    - [Deploy content as code from your repository](/azure/sentinel/ci-cd)
+    - [Microsoft Defender multitenant management](../mto-overview.md)
+
+- **SOC optimization**: [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access?toc=%2Funified-secops-platform%2Ftoc.json&bc=%2Funified-secops-platform%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal)
+
+- **APIs**
+
+    - [Microsoft Sentinel in the Defender portal: Capability differences between portals](/azure/sentinel/microsoft-sentinel-defender-portal) <!--add bookmark for API related information-->
+    - [Microsoft Sentinel REST API reference](/rest/api/securityinsights/)
+
+## Transition to unified SecOps as a security analyst or manager
+
+The following content is relevant for security analysts or security managers on a SecOps team that's transitioning from Microsoft Sentinel in the Azure portal to unified SecOps in the Defender portal:
+
+- **Incident and alert management**
+
+- **Attack disruption**
+
+- **Advanced hunting**
+
+- **Entities and user and entity behavior analytics (UEBA)**
+
+- **Case management**
+
+- **Security Copilot integraton**
+
+- **Threat intelligence**
+
+- **Visualization and reporting with workbooks**
+
+## Related content
+
+- **Webinar**: [Transition to the Unified SOC Platform: Deep Dive and Interactive Q&A for SOC Professionals](https://www.youtube.com/watch?v=WIM6fbJDkK4)
+- **Blog**: [Technical FAQs for the unified SOC platform](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/unified-security-operations-platform---technical-faq/4189136)
+- **Community**: [Microsoft Community Hub](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/frequently-asked-questions-about-the-unified-security-operations-platform/4212048)