
Commit cd560d6

simaya's comments, combining what's new
1 parent 4dc0c35 commit cd560d6


4 files changed

+22
-7
lines changed


unified-secops-platform/mto-advanced-hunting.md

Lines changed: 9 additions & 1 deletion
@@ -44,13 +44,21 @@ You can run any query that you already have access to in the multi-tenant manage
4444

4545
:::image type="content" source="media/mto-advanced-hunting/mto-cross-tenants-query-tenant-id.png" alt-text="Screenshot of the Microsoft Defender XDR ross tenants advanced hunting query scope column" lightbox="media/mto-advanced-hunting/mto-cross-tenants-query-tenant-id.png":::
4646

47-
The query results contain a column named **TenantId**. The values in this column show the workspace ID. We recommend that you use your query to rename the column in your results from **TenantId** to **WorkspaceId** to make it simpler to read. For example: <!--does this happen even if you don't have mult workspaces? also - is this actually true? also - what's w the query for the tenant name up at the top?-->
47+
The query results contain a column named **TenantId**. If you're using multiple workspaces, the values in this column show the workspace ID instead of the tenant ID. In such cases, we recommend that you use your query to rename the column in your results from **TenantId** to **WorkspaceId** to make it simpler to read. For example:
4848

4949
```kusto
5050
DeviceEvents
5151
| take 10
5252
| project TenantId = WorkspaceID
5353
54+
Or, to query multiple workspaces in the same tenant, use a query similar to the following:
55+
56+
```kusto
57+
Usage
58+
| union workspace("WorkpaceA").Usage
59+
| take 10
60+
```
61+
5462
To learn more about advanced hunting in Microsoft Defender XDR, read [Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](/defender-xdr/advanced-hunting-overview).
5563

5664
## Run cross-workspace queries (Preview)
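
Review bot: the workspace name in the added example at new line 58, `workspace("WorkpaceA")`, is misspelled (missing "s"). Readers copy these samples, so use "WorkspaceA" or an obvious placeholder. The reworded sentence at new line 47 also says to rename **TenantId** to **WorkspaceId**, but the unchanged example at line 52, `| project TenantId = WorkspaceID`, assigns in the opposite direction and uses different casing. In KQL the new column name goes on the left of the `=`, so something like `| project-rename WorkspaceId = TenantId` would match the prose. Finally, no closing fence is visible for the first kusto block between line 52 and the new paragraph at line 54; confirm the added text and second block don't render inside the first code block.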

unified-secops-platform/mto-incidents-alerts.md

Lines changed: 0 additions & 1 deletion
@@ -85,7 +85,6 @@ To manage alerts across multiple tenants and workspaces:
8585

8686
:::image type="content" source="media/mto-incidents-alerts/mto-manage-alerts.png" alt-text="Screenshot that highlights the manage alerts option for selected alerts in Microsoft Defender multitenant management." lightbox="media/mto-incidents-alerts/mto-manage-alerts.png":::
8787

88-
<!--there's also move alerts here? what does that do? need perms-->
8988
Select any specific alert to view the alert fly-out, where you can assign alerts, set the alert status, and classify the alerts for multiple tenants and workspaces.
9089

9190
For more information, see [Manage alerts](/defender-endpoint/manage-alerts).
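
Review bot: the comment removed at old line 88 asked what the move alerts option does and which permissions it needs, and nothing in this hunk answers it. If that option is shown alongside manage alerts, add a sentence covering it and its required permissions before the fly-out paragraph, or track the question elsewhere so it isn't lost with the comment.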

unified-secops-platform/mto-requirements.md

Lines changed: 5 additions & 2 deletions
@@ -39,9 +39,12 @@ The following table lists the basic requirements you need to use multitenant man
3939
|:---|:---|
4040
| Microsoft Defender XDR prerequisites | Verify you meet the [Microsoft Defender XDR prerequisites](/defender-xdr/prerequisites)|
4141
| Microsoft Defender XDR for US Government customers | Check if you have the following applicable [licensing requirements](/defender-xdr/usgov#licensing-requirements)|
42-
| Multitenant access | To view and manage the data you have access to in multitenant management, you need to ensure you have the necessary access. For each tenant you want to view and manage, you need to have either: <br/> <br/> - [Granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) <br/> - [Microsoft Entra B2B authentication](/azure/active-directory/external-identities/what-is-b2b) <br/> <br/> To learn more about how to synchronize multiple B2B users across tenants, see [Configure cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure).|
42+
| Multitenant access | To view and manage the data you have access to in multitenant management, you need to ensure you have the necessary access. You must have Azure Lighthouse to gain access to Microsoft Sentinel in other tenant's workspaces. <br><br>Then, for each tenant you want to view and manage, you need to have either: <br/> <br/> - [Granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction), supported only for Defender data<br/> - [Microsoft Entra B2B authentication](/azure/active-directory/external-identities/what-is-b2b), supported for both Defender and Microsoft Sentinel data<br/> <br/> To learn more about how to synchronize multiple B2B users across tenants, see [Configure cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure).|
4343
| Permissions | Users must be assigned the correct roles and permissions at the individual tenant level, in order to view and manage the associated data in multitenant management. To learn more, see: <br/><br/> - [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](/defender-xdr/m365d-permissions) <br/> - [Custom roles in role-based access control for Microsoft Defender XDR](/defender-xdr/custom-roles)<br/><br/> To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).|
4444
| Security information and event management (SIEM) data (Optional) |To include SIEM data with the extended detection and response (XDR) data, one or more tenants must include a Microsoft Sentinel workspace onboarded to the Microsoft unified security operations platform. For more information, see [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md).<br/><br/>The Defender portal allows you to connect to one primary workspace and multiple secondary workspaces for Microsoft Sentinel. For more information, see [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579).<br/><br/> Access to Microsoft Sentinel data is available through [Microsoft Entra B2B authentication](/azure/active-directory/external-identities/what-is-b2b). Microsoft Sentinel doesn't support [granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) at this time. |
45+
|Multi-workspace access (Optional) | To view data from
46+
47+
Azure Lighthouse is required to gain access to Microsoft Sentinel in other tenants’ workspaces.
4548

4649
We recommend that you set up [multifactor authentication trust](/azure/active-directory/external-identities/authentication-conditional-access) for each tenant to avoid missing data in Microsoft Defender multitenant management.
4750
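
Review bot: the new table row at line 45, `|Multi-workspace access (Optional) | To view data from`, stops mid-sentence and has no closing `|`, and the blank line at 46 ends the table, so the row will render broken. The sentence at line 47 then repeats the Azure Lighthouse requirement already added to the Multitenant access row at line 42. Either finish the row (and fold the Lighthouse sentence into it) or drop lines 45-47 and keep the requirement in one place. While here, line 42 writes "other tenant's workspaces" and mixes `<br><br>` with `<br/>`, whereas line 47 writes "other tenants’ workspaces" with a curly apostrophe; pick one form.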

@@ -65,7 +68,7 @@ In order to view and manage the data you have access to in Microsoft Defender mu
6568

6669
### Verify your tenant access with GDAP
6770

68-
This procedure is not supported for unified SecOps platform customers. <!--where else should this go then?-->
71+
GDAP is not supported for Microsoft Sentinel data, and provides access to Defender data only.
6972

7073
1. Go to the [Microsoft Partner Center](https://partner.microsoft.com/commerce/granularadminaccess/list).
7174
2. Under **Customers** you can find the list of organizations you have guest access to.
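
Review bot: the replacement sentence at new line 71 says GDAP covers Defender data only but leaves readers who need Microsoft Sentinel data without a next step under this heading. Point them to Microsoft Entra B2B authentication and the Azure Lighthouse requirement from the requirements table, so they don't finish the GDAP steps expecting Sentinel data to appear. For style, "is not" should be "isn't" to match "doesn't support" in the SIEM row.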

unified-secops-platform/whats-new.md

Lines changed: 8 additions & 3 deletions
@@ -22,15 +22,20 @@ This article lists recent features added into Microsoft's unified SecOps platfor
2222

2323
## March 2025
2424

25-
- [Multi workspace support in multi-tenant management (preview)](#multi-workspace-support-in-multi-tenant-management-preview)
2625
- [Multi workspace support for Microsoft Sentinel (preview)](#multi-workspace-support-for-microsoft-sentinel-preview)
2726

28-
### Multi workspace support in multi-tenant management (preview)
27+
### Multi workspace support for Microsoft Sentinel (preview)
28+
29+
Microsoft Sentinel now supports multiple workspaces in the Defender portal, using one primary workspace per tenant and multiple secondary workspaces.
30+
31+
A primary workspace's alerts are correlated with Defender XDR data, which results in incidents that include alerts from Microsoft Sentinel's primary workspace and Defender XDR. All other onboarded workspaces are considered secondary workspaces. Incidents are created based on the workspace’s data and won't include Defender XDR data.
2932

30-
For preview, multiple workspaces are now supported for multi-tenant management in the Defender portal. This feature allows you to view incidents and alerts, and to hunt for data in Advanced hunting, across multiple workspaces and multiple tenants.
33+
If you're working with multiple tenants and multiple workspaces per tenant, you can also use Microsoft Defender multitenant management to view incidents and alerts, and to hunt for data in Advanced hunting, across both multiple workspaces and tenants.
3134

3235
For more information, see:
3336

37+
- [Multiple Microsoft Sentinel workspaces in the Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2310579)
38+
- [Connect Microsoft Sentinel to the Microsoft Defender portal](microsoft-sentinel-onboard.md)
3439
- [Microsoft Defender multitenant management](mto-overview.md)
3540
- [View and manage incidents and alerts in Microsoft Defender multitenant management](mto-incidents-alerts.md)
3641
- [Advanced hunting in Microsoft Defender multitenant management](mto-advanced-hunting.md)
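
Review bot: "the workspace’s data" in the last sentence of new line 31 ("Incidents are created based on the workspace’s data and won't include Defender XDR data") is ambiguous about which workspace is meant. State the subject explicitly, for example "Incidents in secondary workspaces are created from that workspace's data only", since analysts need to know those incidents lack XDR correlation. The heading added at line 27 duplicates the text of the anchor that the unchanged list entry at line 25 already links to, so check that no section with the same heading remains later in the file, which would produce duplicate anchors. The hunk also mixes "multi-tenant" (heading removed at old line 28) with "multitenant" (line 33) and uses a curly apostrophe at line 31; align with the rest of the file.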
