![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 19%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Sentinel
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
The behavior described usually occurs when the Defender portal does not have a valid primary Microsoft Sentinel workspace context, or when the signed‑in account does not meet the Sentinel permissions required in the Defender portal.
Use the following checks and fixes in the Defender portal (https://security.microsoft.com):
- Confirm the primary workspace
- Go to System > Settings > Microsoft Sentinel > Workspaces.
- Verify that the intended workspace is listed as Connected and marked Primary.
- If it is not primary, select the workspace and choose Set as primary, then confirm the change.
- Wait a few minutes and then try opening Microsoft Sentinel > Threat management (for example Workbooks, Hunting, or MITRE ATT&CK).
- Verify required roles and scope
Ensure the account has at least the following on the Sentinel workspace (or its resource group/subscription):
- Microsoft Sentinel Reader to view Sentinel in the Defender portal and query data tables or view incidents.
- Microsoft Sentinel Contributor to take investigative actions on incidents or manage content. Also make sure the account has the necessary Azure RBAC scope (subscription, resource group, or workspace) where Sentinel is enabled. If there is more than one Sentinel workspace in the tenant, the account must also be at least Security administrator in Microsoft Entra ID.
- Reconnect or switch workspaces if needed
- If the workspace was disconnected and reconnected multiple times, from System > Settings > Microsoft Sentinel > Workspaces, select the workspace and choose Disconnect workspace, confirm, then connect it again.
- If there is another Sentinel workspace, try temporarily setting that one as primary, confirm that Sentinel opens, and then switch back to the desired workspace as primary. When switching the primary workspace, the Defender XDR connector is automatically moved to the new primary and disconnected from the former one.
- Validate data connector behavior
- In the Azure portal, confirm the Microsoft Defender XDR connector is connected and that incidents and alerts are enabled for the Sentinel workspace.
- Be aware that after onboarding to Defender, the Defender product connectors (Defender for Endpoint, Identity, Cloud Apps, Office 365) no longer appear in the Defender portal Data connectors page; this is expected and does not indicate a connection issue.
If, after confirming the primary workspace and permissions, the Defender portal still loops back to the connectors page for all Sentinel blades, collect a portal session recording and open a support request from the affected subscription so that Microsoft can review the tenant’s Sentinel–Defender integration state.
References: