Microsoft Defender provides a unified cybersecurity solution that integrates endpoint protection, cloud security, identity protection, email security, threat intelligence, exposure management, and SIEM into a centralized platform powered by a modern data lake. It uses AI-driven defense to help organizations anticipate and stop attacks, ensuring efficient and effective security operations.
Microsoft Sentinel is generally available in the Microsoft Defender portal, either with Microsoft Defender or on its own, delivering a unified SIEM and XDR experience for faster and more accurate threat detection and response, simplified workflows, and enhanced operational efficiency.
This article describes the Microsoft Sentinel experience in the Defender portal.
Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.
After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal.
If you're currently using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal now to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.
For more information, see:
- Transition your Microsoft Sentinel environment to the Defender portal
- Planning your move to Microsoft Defender portal for all Microsoft Sentinel customers (blog)
Important
After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in the Microsoft Defender portal. All customers using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only.
Feature comparison: Sentinel in Azure vs. Sentinel in the Defender portal
The following tables compare Microsoft Sentinel capabilities in the Azure portal with capabilities in the Defender portal.
Incidents and investigation
| Capability area | Sentinel in Azure portal | Sentinel in Defender portal | Benefits |
|---|---|---|---|
| Core SIEM capabilities | Full SIEM functionality (ingestion, analytics rules, incidents, workbooks, hunting) | Full SIEM functionality integrated into unified SIEM and Defender experience. | Same SIEM power, better operating model |
| Incident management | Sentinel incident queue separate from Defender | Unified incident queue for SIEM and XDR, with Security Copilot for incident investigation to summarize and respond. Incidents are automatically enriched with Defender signals. | Single pane of glass, deeper analyst insights |
| Alert correlation and threat detection | Separate correlation for Sentinel and Defender incidents | Automatic cross-domain correlation with AI/ML for faster threat detection. | Reduced alert fatigue, full attack story in one incident |
| Investigation experience | Log-centric workflows | Attack story and entity graph (Sentinel Graph) with unified entity pages for devices, users, IPs, and Azure resources. Entity pages combine Sentinel and Defender data to provide expanded investigation context. | Visual investigation, faster root-cause analysis |
| Threat intelligence (TI) | TI managed within Sentinel | Rich TI embedded in incidents, hunting, and investigations including premium Microsoft Threat Intelligence feed. | Better intelligence, operationalized out of the box |
Hunting and AI
| Capability area | Sentinel in Azure portal | Sentinel in Defender portal | Benefits |
|---|---|---|---|
| Advanced hunting | Sentinel-only (Log Analytics) | Unified advanced hunting for SIEM, Defender, and the data lake, with Security Copilot in advanced hunting for KQL generation. Supports hunting in the tenant and workspaces and reuse of existing Sentinel workspace queries and functions. | Broader dataset, richer context, no context-switching |
| AI-assisted SOC (Security Copilot) | Not available | Native Security Copilot: automated incident summary, guided response actions, script analysis, file analysis, and incident reports. | Faster investigation, lower skill barrier |
| Post-incident recommendations | Not available | Tailored recommendations via Exposure Management, including attack path analysis to identify exploitable vulnerabilities. | Proactive posture improvement |
Automation and workflow
| Capability area | Sentinel in Azure portal | Sentinel in Defender portal | Benefits |
|---|---|---|---|
| Automation and SOAR | Manual playbook creation | AI-assisted playbook generator and integrated SOAR, including automatic attack disruption | Faster response, reduced manual effort |
| Case management | Not available | End-to-end case management integrated with incidents and workflows | Track multi-incident investigations |
| SOC workflow / UX | Multiple portals, tool switching | Unified SecOps experience in the Defender portal | Less context-switching, faster response |
| SOC optimization | Limited, fragmented views | Guided SOC optimization recommendations, available programmatically via API; see optimization reference | More actionable guidance, measurable improvements |
Data and cost
| Capability area | Sentinel in Azure portal | Sentinel in Defender portal | Benefits |
|---|---|---|---|
| Data lake and long-term analytics | Log Analytics-centric | Centralized data lake with tiered retention, massive-scale analytics, and simplified onboarding | Enterprise-wide visibility, lower costs at scale |
| Cost and data optimization | Separate billing models | Unified schema for Sentinel and Defender, with advanced hunting raw logs free for 30 days without ingestion | Simplified billing, reduced ingestion costs |
| Defender data integration | Enable the Defender XDR connector in Sentinel | Automatically integrates Sentinel with Defender | Defender data integrated by default |
| Unified data model | Separate schemas | Normalized schema for Defender and SIEM | Simpler queries, less transform work |
Platform and administration
| Capability area | Sentinel in Azure portal | Sentinel in Defender portal | Benefits |
|---|---|---|---|
| Innovation focus / roadmap | Maintenance and parity only | Primary innovation surface, all new Sentinel experiences land here first | Faster access to new capabilities, optimized workflows |
| Multi-tenant / MSSP operations | Azure Lighthouse | Native multi-tenant operations (MTO) with easy delegation and management | Centralized SOC management |
| Cross-tenant visibility | Manual | Unified cross-tenant incidents and alerts | MSSP efficiency |
| RBAC model | Azure RBAC | Unified Defender RBAC, with row-level RBAC support | Granular permissions, simpler administration |
| Extensibility and APIs | Sentinel APIs | Unified Defender and Sentinel APIs | Broader integration surface |
| Support timeline | Supported until March 31, 2027 | Long-term home for Sentinel | Future-proof investment |
Limited or unavailable capabilities with Microsoft Sentinel only in the Defender portal
When you onboard Microsoft Sentinel to the Defender portal without enabling Defender capabilities or other services, the following capabilities are limited or unavailable:
- Microsoft Security Exposure Management
- Custom detection rules, provided by Microsoft Defender
- The Action center, provided by Microsoft Defender
Quick reference
Some Microsoft Sentinel capabilities, like the unified incident queue, are integrated with other Microsoft Defender capabilities in the Defender portal. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.
The following image shows the Microsoft Sentinel menu in the Defender portal:
The following sections describe where to find Microsoft Sentinel features in the Defender portal. They're intended for existing customers who are moving to the Defender portal. The sections follow the same organization as Microsoft Sentinel in the Azure portal.
For more information, see Transition your Microsoft Sentinel environment to the Defender portal.
General
The following table lists the changes in navigation between the Azure and Defender portals for the General section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Overview | Overview |
| Logs | Investigation & response > Hunting > Advanced hunting |
| News & guides | Not available |
| Search | Microsoft Sentinel > Search |
Threat management
The following table lists the changes in navigation between the Azure and Defender portals for the Threat management section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Incidents | Investigation & response > Incidents & alerts > Incidents |
| Workbooks | Microsoft Sentinel > Threat management > Workbooks |
| Hunting | Microsoft Sentinel > Threat management > Hunting |
| Notebooks | Microsoft Sentinel > Threat management > Notebooks |
| Entity behavior | User entity page: Assets > Identities > {user} > Sentinel events, AND Device entity page: Assets > Devices > {device} > Sentinel events. Also, find the entity pages for the user, device, IP, and Azure resource entity types from incidents and alerts as they appear. |
| Threat intelligence | Threat intelligence > Intel management |
| MITRE ATT&CK | Microsoft Sentinel > Threat management > MITRE ATT&CK |
Content management
The following table lists the changes in navigation between the Azure and Defender portals for the Content management section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Content hub | Microsoft Sentinel > Content management > Content hub |
| Repositories | Microsoft Sentinel > Content management > Repositories |
| Community | Microsoft Sentinel > Content management > Community |
Configuration
The following table lists the changes in navigation between the Azure and Defender portals for the Configuration section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Workspace manager | Not available |
| Data connectors | Microsoft Sentinel > Configuration > Data connectors |
| Analytics | Microsoft Sentinel > Configuration > Analytics AND Investigation & response > Hunting > Custom detection rules |
| Watchlists | Microsoft Sentinel > Configuration > Watchlists |
| Automation | Microsoft Sentinel > Configuration > Automation |
| Settings | System > Settings > Microsoft Sentinel |