New ways to customize how Copilot edits your workbooks
June 17, 2026Announcing Public Preview: Agent Identities Asset Connector for Microsoft Sentinel
June 17, 2026
Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl
Security operations teams today are being asked to do more than ever: respond faster, manage increasing data volumes, reduce operational complexity, stay ahead of evolving threats, and balance cost and efficiency.
That’s why Microsoft is bringing Microsoft Sentinel into Microsoft Defender: to bring together SIEM, XDR, threat intelligence, AI, and automation into a single experience.
By March 31, 2027, all Microsoft Sentinel customers will be automatically transitioned to Defender. But this transition is about far more than a new interface. It’s an opportunity to modernize the SOC, streamline operations, and unlock capabilities designed for the AI-first era of security operations.
This blog kicks off a six-part series to help you confidently navigate the transition ahead of time, understand what changes (and what doesn’t), and maximize value along the way.
Why this post, and why now
This is the first of a six-part helping customers transition their Sentinel experience from the Azure portal to Defender:
- Part 1 – Beyond a portal move (You are here)
○ Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data
○ Part 3 – Detection and automation, reimagined
○ Part 4 – The Governance Shift: RBAC, URBAC, Sentinel data lake, and MSSP
○ Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and checklist
○ Part 6 – The AI-First SOC: Copilot, UEBA, threat intelligence, and SOC optimization
The strategic shift in one paragraph
Defender represents the convergence of Microsoft’s security capabilities into a single operational experience. Instead of switching between disconnected tools and workflows, security teams can work from one integrated environment spanning SIEM, XDR, threat intelligence, AI-powered investigation and response, cross-domain correlation, and SOC automation. Defender helps analysts investigate incidents faster, enables better collaboration across teams, and reduces operational friction across the security lifecycle. Most importantly, it creates a foundation for the future of AI-assisted and agentic security operations.
Why migrate early?
While the transition becomes mandatory in 2027, organizations that start earlier can begin realizing value immediately.
Moving to Defender today helps organizations:
- Streamline analyst workflows with a unified incident queue
- Reduce investigation time through advanced cross-product correlation
- Take advantage of Security Copilot experiences integrated into Defender
- Simplify operations across Sentinel and Defender products
- Modernize governance and access management models
- Prepare their SOC for AI-driven investigation and response
- Take advantage of the latest innovations.
Rather than treating migration as a compliance deadline, many customers are approaching it as a strategic modernization initiative for their SOC.
What changes, and what stays the same
One of the most important things to understand is that this is not a “rip and replace” migration. The foundational elements of Microsoft Sentinel remain intact while the operational experience evolves.
|
Area |
What changes |
What stays |
|
Management plane |
Defender becomes the primary experience |
The Sentinel portal in Azure remains usable until March 31, 2027 |
|
Incident model |
Unified incident queue across Sentinel + Defender, XDR correlation, attack story view |
Log analytics remains the core storage layer |
|
Access control |
Unified RBAC (URBAC) preferred for cross-product, fine-grained access |
Azure RBAC continues to work until role migration to URBAC; service principals are not supported in URBAC |
|
Data |
Data lake for long-term retention and advanced analytics |
No workspace migration required |
|
Cost |
Data lake can materially reduce overall cost by shifting high-volume logs out of the analytics tier, also allowing longer term retention at a lower cost (up to 12 years) |
No change in the business model after moving over to Defender |
The key takeaway: customers are not rebuilding their environments from scratch. Existing investments continue to work while the operational layer becomes more integrated and intelligent.
What Defender unlocks
The transition to Defender is designed to unlock capabilities that are difficult to achieve in siloed environments.
Security Copilot: Defender enables deeper integration with Security Copilot, including:
- AI-assisted incident triage
- Natural-language investigation workflows
- Guided response recommendations
- Natural language to KQL experiences
Copilot capabilities help reduce analyst fatigue and accelerate investigation workflows.
Unified correlation: With a single engine across all your alerts you can create richer, more contextual incidents spanning identities, endpoints, email, cloud apps, and data sources. This means you spend less time stitching alerts together manually and more time focused on high-confidence incidents.
Data lake: Sentinel data lake introduces new flexibility for long-term retention, large-scale analytics, and cross-workspace investigation scenarios. For many customers, this creates opportunities to balance visibility, compliance, and cost more effectively.
Case management: Collaborate across teams to respond to incidents.
Playbook generator: Create custom workflow automations using natural language.
Sentinel graph: Visualize relationships across users, devices, and activities to investigate attack paths, blast radius, and root cause.
Sentinel MCP server: Let AI agents and Copilot query Sentinel in natural language through a unified, identity-secured Model Context Protocol interface
Triage agent: Autonomous Security Copilot agent that triages high-volume alerts (phishing, identity, cloud) with AI reasoning and a transparent rationale.
What this means for you
Different roles feel this transition differently. Use this as a quick orientation as later posts go deep on each.
|
Role |
What to pay attention to |
|
Security analyst |
New incident queue, attack story view, and Copilot-assisted triage – your day-to-day surface changes most. |
|
Detection engineer |
Custom detections become the forward direction; analytics rules continue to work but the model is evolving from SIEM to XDR detection. |
|
SOC manager |
URBAC governance, data lake blast-radius, and incident-centric automation reshape how you run the SOC. |
|
Multi-tenant view (up to 100 tenants), planning to support up to 1k tenants, unified incident queue, dual RBAC model – Lighthouse is still needed for Azure resources. |
Clearing up common misconceptions
- “The transition is optional.”
No. Customers must migrate their experience by March 31, 2027. - “We need to migrate our workspaces.”
You do not need to migrate log analytics workspaces simply to use Microsoft Sentinel in Defender. - “This is only a UI change.”
Defender introduces meaningful operational and architectural improvements across investigation, correlation, governance, automation, and AI-assisted workflows. - “The transition itself increases costs.”
There is no additional licensing charge simply for using Sentinel in Defender. Optional capabilities—such as Security Copilot or Sentinel data lake usage—may introduce additional costs depending on adoption and usage patterns.
How to get started
- Align your stakeholders: Brief your SOC leadership and detection engineering leads on the March 31, 2027 deadline and the platform shift narrative.
- Form a readiness team: Identify a small working group (analyst + engineer + SOC manager + identity owner) to own the readiness effort.
- Explore Defender: Start familiarizing yourself with Defender and workflows.
- Assess your data strategy: Review how leveraging the data lake may fit into your future strategy.
- Follow Tech Community: Get more information in this series
Additional resources
Further reading: The Microsoft Security Community post Migrate Sentinel to Defender – Why it is a security architecture decision, not just a portal change frames the same thesis from an architectural lens. For the official transition guidance, start with the Microsoft Learn article Connect Microsoft Sentinel to the Microsoft Defender portal.
Continue the series
This is the first of six parts. The remaining posts will be published over the coming days. Each one stands alone, so you can read them in order as they go live or jump to the angle that matters most to you once it’s out:
Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data
If you want component-level mechanics: how the XDR correlation engine replaces Fusion, why incidents are no longer alert-centric, and what changes (and doesn’t) in your data architecture.
Part 3 – Detection and automation, reimagined
If you write detections or run automation: the shift from analytics rules to custom detections, the move from alert-driven to incident-driven SOAR, and how hunting evolves.
Part 4 – The governance shift: RBAC, URBAC, Sentinel data lake, and MSSP
If you own identity, access, or multi-tenant operations: the move from Azure RBAC to URBAC, Sentinel data lake, better blast-radius identification, and the MSSP model.
Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and the checklist
If you need a practical plan: a walk-through of the Defender adoption helper, cost reality, API strategy, and the migration checklist.
Part 6 – The AI-first SOC: Copilot, UEBA, Threat intelligence, and SOC optimization
If you want to see the destination: how Security Copilot, UEBA, threat intelligence, and SOC optimization combine into a fundamentally different operating model.