Retirement of Sentinel in Azure Portal, transition to Microsoft Defender XDR portal

Patrick Bus 20 Reputation points
2025-10-24T13:36:01.45+00:00

I am investigating the upcoming retirement (July 2026) of Microsoft Sentinel in the Azure Portal and its full migration to the Microsoft Defender XDR portal. As an MSSP, I currently use Azure Sentinel with Azure Lighthouse to manage multiple Sentinel workspaces from a single pane. I also use Workspace Manager to deploy automation components (analytics rules and automation rules) to one or more customer environments directly. I use the Repositories feature (via Azure DevOps) to deploy Playbooks to customer environments.

Can the following points be clarified regarding the Defender XDR experience after July 2026?

  1. Will cross-tenant management for deploying automation components still be possible (as it is today with Azure Lighthouse and Workspace Manager) or will there be an MSSP solution built for Sentinel?
  2. Will the Repositories feature still be available in Defender XDR?
  3. How will new Sentinel environments be created after July 2026 — through Defender portal, and will Log Analytics Workspaces still be required, or will Sentinel Data Lake replace this?

Has Microsoft already clarified the answers to these questions, or are they still working on it?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

Answer accepted by question author
  1. Monalisha Jena 3,680 Reputation points Microsoft External Staff Moderator
    2025-10-27T04:23:35.4433333+00:00

    Hello Patrick Bus,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. 

    I will try to clarify your doubts regarding this issue one by one.

    Will cross-tenant management for deploying automation components still be possible (as it is today with Azure Lighthouse and Workspace Manager) or will there be an MSSP solution built for Sentinel?

    To answer your question: yes, but the tooling is changing.

    Cross-Tenant Visibility: Yes, the underlying cross-tenant access, which allows you to see and manage multiple customers' Sentinel environments, remains possible and is still fundamentally based on Azure Lighthouse. Microsoft Defender XDR's Multi-Tenant Organization (MTO) feature focuses on consolidating incident and alert visibility across those tenants. Azure Lighthouse will remain the core Azure feature that grants your MSSP access to your customers' tenants and Sentinel workspaces. This capability is not retiring.

    Workspace Manager: No, the specific tool you use for mass deployment of content (Workspace Manager) will not be available in the Microsoft Defender XDR portal. This means the dedicated tool you use today for bulk deployment of content (Analytics Rules, Automation Rules) will not transition.

    MSSP Deployment Solution (which is currently evolving): Microsoft has not yet announced a direct, point-and-click replacement for the bulk content deployment capabilities of Workspace Manager within the new Defender XDR portal. For now, MSSPs should continue to rely on Azure Lighthouse permissions paired with DevOps pipelines (ARM templates or Bicep) to deploy automation components, as this method interacts directly with the underlying Azure resources (Log Analytics Workspace) regardless of the portal used.

    Please refer to these documents for more clarity:

    Microsoft Sentinel in the Microsoft Defender portal

    Transition your Microsoft Sentinel environment to the Defender portal

    Will the Repositories feature still be available in Defender XDR?

    The answer is yes: the Repositories feature will still be available in the Microsoft Defender XDR portal as part of the unified Microsoft Sentinel experience.

    This is a key confirmation for your DevOps process, as the content source control functionality is being migrated and integrated into the new portal interface.

    Reference: https://learn.microsoft.com/en-us/azure/sentinel/microsoft-sentinel-defender-portal

    How will new Sentinel environments be created after July 2026 — through Defender portal, and will Log Analytics Workspaces still be required, or will Sentinel Data Lake replace this?

    After July 2026, new Sentinel environments will be created in the Defender portal, and Log Analytics workspaces remain mandatory for active analytics. Sentinel Data Lake is an additional option for long-term retention, not a replacement for Log Analytics.

    Microsoft’s current guidance:

    • Creation of new Sentinel environments:
      • After July 2026, all new Sentinel environments will be created and managed through the Microsoft Defender portal, not the Azure portal.
      • The Defender portal will provide a unified experience for SIEM (Sentinel) and XDR (Defender) capabilities.
    • Log Analytics Workspaces:
      • Log Analytics workspaces will still be required as the underlying data store for Sentinel analytics and queries.
      • Sentinel continues to rely on Azure Monitor Logs for ingestion and analytics.
    • Sentinel Data Lake:
      • Microsoft has introduced Sentinel Data Lake for cost-effective long-term retention and advanced analytics.
      • It does not replace Log Analytics for active analytics; instead, it complements it for archival and historical queries.
      • You can tier data between Log Analytics and Sentinel Data Lake for optimized cost and performance.

    Reference Documentation:

    Hope this helps! If it answered your question somehow, please consider clicking Accept Answer and Upvote it 👍 to make it helpful for the community. If you need more info, feel free to ask in the comments. Happy to help!

    Thank you for helping to improve Microsoft Q&A!

    Regards,

    Monalisha
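
The accepted answer recommends Azure Lighthouse permissions paired with pipeline-driven ARM or Bicep deployments in place of Workspace Manager. The script below is an added sketch of that fan-out and is not code from Microsoft or from either poster: it validates each inventory line before building an `az deployment group` call and previews with `what-if` unless `MODE=create` is set. Assumptions: `rules.json` is your own ARM template exposing a `workspace` parameter, the inventory values are constructed, and the operator is signed in to the managing tenant with delegated access to the listed subscriptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: rules.json is your own
# ARM template exposing a "workspace" parameter; the inventory is constructed.
TEMPLATE="${TEMPLATE:-rules.json}"

# customer|subscription id|resource group|workspace (constructed values)
INVENTORY='contoso|11111111-1111-1111-1111-111111111111|rg-sentinel|law-contoso
fabrikam|22222222-2222-2222-2222-222222222222|rg-sentinel|law-fabrikam
broken|not-a-guid|rg-sentinel|law-broken'

is_guid() { printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; }
is_name() { printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'; }

# Validate one inventory line, then print (DRY_RUN=1, default) or run the deployment.
deploy_one() {
  verb="$1"
  IFS='|' read -r customer sub rg ws <<EOF
$2
EOF
  case "$verb" in what-if|create) ;; *) return 2 ;; esac
  is_guid "$sub" && is_name "$customer" && is_name "$rg" && is_name "$ws" || return 2
  set -- az deployment group "$verb" --subscription "$sub" --resource-group "$rg" \
    --name "sentinel-content-$customer" --template-file "$TEMPLATE" \
    --parameters "workspace=$ws"
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@" </dev/null; fi
}

# Walk the inventory; MODE is what-if (default, preview only) or create.
# Returns the number of lines that were rejected or whose deployment failed.
deploy_all() {
  failed=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    deploy_one "${MODE:-what-if}" "$line" || {
      echo "rejected or failed: $line" >&2
      failed=$((failed + 1))
    }
  done <<EOF
$INVENTORY
EOF
  return "$failed"
}

deploy_all || echo "$? inventory line(s) rejected or failed" >&2
```

Because the calls target the resource group that holds the Log Analytics workspace, the same script works whichever portal the analysts use; run it with `DRY_RUN=0` to execute the previews and add `MODE=create` to apply.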


1 additional answer

  1. Patrick Bus 20 Reputation points
    2025-11-03T14:06:14.5666667+00:00

    Monalisha Jena, thanks for your answer.

    This is very helpful, but I still have a few questions about it:

    If we choose not to use Azure Lighthouse and instead prefer MTO (Multi-Tenant Management) — since our goal is to move away from Lighthouse and manage everything from a single portal — would it be possible, using a GDAP connection, to distribute Sentinel analytics rules, automation rules, and playbooks to one or more customer tenants through the tenant group / content distribution feature in MTO as a bulk solution? As an alternative, playbooks could also be deployed via the Repositories feature in Sentinel.

    From what I’ve seen online, it seems possible to do this for Defender custom detection rules and endpoint policies, but I’m wondering if the same functionality will be available for Sentinel automation components (such as analytics rules and automation rules) by July 2026?

    Also, suppose I want to create a new Sentinel environment in September 2026 — will I first need to create a Log Analytics Workspace in Azure, or will it also be possible to create that workspace directly from the Defender Portal before deploying Sentinel?

    Thanks in advance!
