
Microsoft Sentinel to Defender Portal Migration Guide (July 2026)

Microsoft is unifying Sentinel and Defender XDR into a single portal by July 2026. Every Azure security team needs a migration plan. This guide covers the unified portal's new architecture, what changes for analysts, migration steps for workbooks and analytics rules, and the gotchas that will slow you down.

Microsoft Cloud Solution Architect

Tags: Microsoft Sentinel, Defender Portal, Microsoft Defender XDR, SIEM, Azure Security, SOC, Migration, Unified Security Operations

The Unified Portal Arrives: What's Happening and When

Microsoft announced in late 2025 that the standalone Azure Portal experience for Microsoft Sentinel — accessed via portal.azure.com → Microsoft Sentinel — will be retired in July 2026. All Sentinel capabilities will migrate to the unified Microsoft Defender portal at security.microsoft.com, sitting alongside Microsoft Defender XDR.

This isn't just a URL change. The unified portal represents a fundamental rearchitecting of how Microsoft's SIEM and XDR products interact, with new investigation capabilities, a merged incident queue, and a combined analytics engine spanning both Sentinel and Defender XDR signals.

Timeline:

  • Q1 2026: Unified portal GA, both portals available in parallel
  • April–June 2026: Microsoft encourages migration, documentation updated
  • July 2026: Azure Portal Sentinel experience retired; all access via security.microsoft.com

What Changes in the Unified Portal

The Incident Queue Is Merged

Previously you had two queues: Sentinel incidents (from Log Analytics analytics rules) and Defender XDR incidents (from Defender for Endpoint, Defender for Identity, etc.). In the unified portal, all incidents appear in a single queue at Incidents & alerts → Incidents.

Microsoft's correlation engine can now link a Defender for Endpoint alert (suspicious process on a workstation) with a Sentinel analytics rule hit (anomalous Azure AD sign-in) and surface them as a single correlated incident — because both signals flow through the same pipeline.

Investigation Experience

The investigation graph is unified. You can pivot from an Azure AD identity alert to endpoint artifacts (process trees, file events) to cloud resource activity (Azure Resource Manager logs) without switching views.

  • Entity pages: User, device, IP, and cloud resource pages pull from both Sentinel and Defender XDR telemetry
  • Attack timeline: Combined timeline across identity, endpoint, cloud, and email
  • Evidence tab: All alert evidence consolidated regardless of source product

Advanced Hunting

In the Azure Portal, Advanced Hunting queried Log Analytics tables only. In the unified portal, it queries across a superset:

Table Category                   Old Sentinel Portal   Unified Portal
Azure AD / Entra ID logs         Yes                   Yes
Azure Activity logs              Yes                   Yes
Defender for Endpoint tables     No                    Yes
Defender for Identity tables     No                    Yes
Defender for Office 365 tables   No                    Yes

Your existing KQL queries against Log Analytics tables still work. You can now extend them to join with Defender XDR tables (DeviceEvents, EmailEvents, IdentityInfo) in the same query.

Analytics Rules

Good news: existing analytics rules continue to work without modification. They run against the same Log Analytics workspace, same KQL, same schedule. The management UI moves from the Azure Portal to Microsoft Sentinel → Analytics within the Defender portal — nearly identical interface, re-homed.

New rule types in the unified portal:

  • NRT (Near Real-Time) rules — now the recommended default for high-priority detections
  • Fusion rules — now incorporate Defender XDR alert signals as inputs
  • Threat Intelligence rules — improved matching against the merged Microsoft TI feed

Workbooks

Workbooks are the most complex migration area. Workbooks stored in the Log Analytics workspace automatically appear in the unified portal under Threat management → Workbooks. However:

  1. Deprecated controls: Older workbook controls (legacy table visualizations, certain metric queries) may not render correctly. Update to current ARM template spec.
  2. Scope issues: Workbooks saved at subscription scope may not appear automatically. Verify resource scope before migration.
  3. Azure Portal deeplinks: Any workbook links pointing to portal.azure.com/#blade/... will break after retirement. Update to Defender portal equivalents.

Step-by-Step Migration Checklist

Step 1: Connect Sentinel to the Defender Portal

  1. Open security.microsoft.com, sign in as Global Security Administrator
  2. Navigate to Settings → Microsoft Sentinel
  3. Select your Log Analytics workspace and click Connect
  4. Wait 10–30 minutes for initial data sync

Verify: Sentinel navigation items (Analytics, Incidents, Hunting) should appear in the left sidebar.

Step 2: Audit Your Analytics Rules

# Requires the Az.SecurityInsights module and an existing Connect-AzAccount session
$WorkspaceName = "your-sentinel-workspace"
$ResourceGroup = "your-resource-group"

# Pull every analytics rule in the workspace (scheduled, NRT, Fusion, ML, TI)
$rules = Get-AzSentinelAlertRule `
  -ResourceGroupName $ResourceGroup `
  -WorkspaceName $WorkspaceName

# Export the fields you need for the review pass
$rules | Select-Object DisplayName, Kind, Enabled, Severity, Tactics |
  Export-Csv -Path "analytics-rules-audit.csv" -NoTypeInformation

Review each rule: Is it still relevant? Is the KQL valid in the unified portal query editor? Is severity/tactic mapping correct? This is a good opportunity to prune unused template-based rules — the unified portal can degrade with thousands of active rules.

Step 3: Inventory and Test Workbooks

# Reuses $ResourceGroup and $WorkspaceName from Step 2; requires Az.OperationalInsights and Az.ApplicationInsights
$WorkspaceId = (Get-AzOperationalInsightsWorkspace `
  -ResourceGroupName $ResourceGroup `
  -Name $WorkspaceName).CustomerId

# List Sentinel-category workbooks whose source resource is this workspace
Get-AzApplicationInsightsWorkbook -Category 'sentinel' |
  Where-Object { $_.SourceId -like "*$WorkspaceId*" } |
  Select-Object DisplayName, Location, TimeModified |
  Export-Csv -Path "workbooks-audit.csv" -NoTypeInformation

For each workbook: open in the unified portal, verify visualizations render, check queries return expected results, update any Azure Portal deeplinks.
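An added example (not code from the original article) that automates the deeplink check from item 3 of the Workbooks section: it scans a workbook's serialized JSON for portal.azure.com/#blade and #view links and reports which extension blade each one targets. The sample workbook JSON is constructed, and Find-AzurePortalDeeplink is a hypothetical helper name.

```powershell
# Find Azure Portal deeplinks inside workbook content; these break when the
# Azure Portal Sentinel experience is retired.
function Find-AzurePortalDeeplink {
    param(
        [Parameter(Mandatory)] [string] $WorkbookName,
        [Parameter(Mandatory)] [string] $SerializedData   # workbook content JSON
    )
    # Match #blade/ and #view/ links; stop at quotes, whitespace, JSON escapes
    # or the closing bracket/paren of a markdown link.
    $pattern = 'https?://portal\.azure\.com/#(?:blade|view)/[^"''\s\\)\]]+'
    foreach ($m in [regex]::Matches($SerializedData, $pattern)) {
        [pscustomobject]@{
            Workbook = $WorkbookName
            Link     = $m.Value
            Blade    = ($m.Value -split '/')[4]   # extension name, e.g. Microsoft_Azure_Security_Insights
        }
    }
}

# Constructed sample: one text step containing a legacy Azure Portal deeplink
# and one link that already points at the Defender portal (must not be flagged).
$sampleJson = @'
{"version":"Notebook/1.0","items":[
 {"type":1,"content":{"json":"Open the [Sentinel overview](https://portal.azure.com/#blade/Microsoft_Azure_Security_Insights/MainMenuBlade/0) or the [unified portal](https://security.microsoft.com/sentinel)."}}
]}
'@

Find-AzurePortalDeeplink -WorkbookName 'Sample Workbook' -SerializedData $sampleJson |
    Format-Table -AutoSize

# Against a real tenant (requires Az.ApplicationInsights and Connect-AzAccount).
# -CanFetchContent is what populates SerializedData on the returned objects.
# Get-AzApplicationInsightsWorkbook -Category 'sentinel' -CanFetchContent |
#     ForEach-Object { Find-AzurePortalDeeplink -WorkbookName $_.DisplayName -SerializedData $_.SerializedData }
```

Only the portal.azure.com link is reported for the sample; the security.microsoft.com link passes untouched.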

Step 4: Update RBAC Assignments

Old Sentinel Role                Unified Portal Equivalent
Microsoft Sentinel Reader        Microsoft Sentinel Reader (unchanged)
Microsoft Sentinel Responder     Microsoft Sentinel Responder (unchanged)
Microsoft Sentinel Contributor   Microsoft Sentinel Contributor (unchanged)
(New)                            Security Reader (Defender XDR read access)
(New)                            Security Operator (Defender XDR action access)

Key change: Analysts who previously only needed Sentinel roles now also need Security Reader or Security Operator to use the unified investigation experience and Defender XDR features.

# Requires Az.Resources and an existing Connect-AzAccount session
$GroupId = (Get-AzADGroup -DisplayName "SOC-Analysts").Id
$SubscriptionId = (Get-AzContext).Subscription.Id

# Grant the analyst group Security Reader at subscription scope.
# Note: this is the Azure RBAC "Security Reader" role; the Entra ID directory
# role of the same name is a separate assignment, so check which one governs
# your Defender portal access.
New-AzRoleAssignment `
  -ObjectId $GroupId `
  -RoleDefinitionName "Security Reader" `
  -Scope "/subscriptions/$SubscriptionId"
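An added example (not code from the original article) for the key change stated above: it takes role assignments in the shape Get-AzRoleAssignment returns and reports every principal that holds a Sentinel role but none of the Defender XDR roles the unified portal needs. The sample assignments are constructed, and Find-SentinelOnlyPrincipal is a hypothetical helper name.

```powershell
# Role names from the mapping table above
$SentinelRoles = 'Microsoft Sentinel Reader', 'Microsoft Sentinel Responder', 'Microsoft Sentinel Contributor'
$DefenderRoles = 'Security Reader', 'Security Operator'

function Find-SentinelOnlyPrincipal {
    param(
        # Objects shaped like Get-AzRoleAssignment output: ObjectId, DisplayName, RoleDefinitionName
        [Parameter(Mandatory)] [object[]] $Assignment
    )
    # Group all assignments per principal, then compare against both role sets
    $Assignment | Group-Object ObjectId | ForEach-Object {
        $roles    = @($_.Group.RoleDefinitionName | Sort-Object -Unique)
        $sentinel = @($roles | Where-Object { $_ -in $SentinelRoles })
        $defender = @($roles | Where-Object { $_ -in $DefenderRoles })
        if ($sentinel.Count -gt 0 -and $defender.Count -eq 0) {
            [pscustomobject]@{
                ObjectId      = $_.Name
                DisplayName   = $_.Group[0].DisplayName
                SentinelRoles = $sentinel -join ', '
                MissingRole   = 'Security Reader (or Security Operator)'
            }
        }
    }
}

# Constructed sample: SOC-Analysts already has Security Reader, SOC-Tier1 does not,
# and platform-svc holds no Sentinel role at all (so it is not reported).
$sample = @(
    [pscustomobject]@{ ObjectId = 'g-1'; DisplayName = 'SOC-Analysts'; RoleDefinitionName = 'Microsoft Sentinel Responder' },
    [pscustomobject]@{ ObjectId = 'g-1'; DisplayName = 'SOC-Analysts'; RoleDefinitionName = 'Security Reader' },
    [pscustomobject]@{ ObjectId = 'g-2'; DisplayName = 'SOC-Tier1';    RoleDefinitionName = 'Microsoft Sentinel Reader' },
    [pscustomobject]@{ ObjectId = 'u-7'; DisplayName = 'platform-svc'; RoleDefinitionName = 'Contributor' }
)
Find-SentinelOnlyPrincipal -Assignment $sample | Format-Table -AutoSize   # reports SOC-Tier1 only

# Against a real subscription (requires Az.Resources and Connect-AzAccount):
# Find-SentinelOnlyPrincipal -Assignment (Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId")
```

Run it before and after the New-AzRoleAssignment step above to confirm no analyst group is left with Sentinel-only access.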

Step 5: Update Automation Rules and Playbooks

Logic App playbooks using the Azure Sentinel connector continue to work. Microsoft is maintaining backward compatibility through 2026, but plan to update playbooks to the new Microsoft Sentinel (unified) connector by year-end.

Step 6: Migrate Custom Parsers and Data Connectors

  • Codeless Connector Platform (CCP): Auto-migrated
  • Log Ingestion API: Works without changes
  • Legacy agent-based connectors: Work but Microsoft recommends migrating to AMA (Azure Monitor Agent)

Step 7: Update SOC Runbooks and Training

The biggest migration challenge is people, not technology. SOC analysts have muscle memory for the Azure Portal. Plan a 2-week parallel-portal period where analysts work in both portals before the switchover.

Changes analysts need to learn:

  • Incident queue location and filtering
  • Entity pivot paths (now cross-product)
  • Advanced hunting table catalog (expanded)
  • Alert tuning location (now includes Defender XDR suppression rules)

Common Migration Gotchas

1. Multiple Sentinel workspaces: Each workspace must be connected to the Defender portal separately.

2. Geographic data residency: The Defender portal routes some telemetry through Microsoft's US data centers for correlation. If you have GDPR or data sovereignty requirements, verify the data flow with your compliance team before migrating.

3. Fusion rule conflicts: Custom Fusion rules may conflict with the new unified Fusion engine's built-in patterns, creating duplicate detections.

4. Conditional Access blocking security.microsoft.com: Check that your CA policies allow the new portal URL before migration day.

5. Legacy API integrations: SOAR platforms connecting via the Azure Sentinel REST API continue to work, but verify API versions — some older endpoints are being deprecated.

What You Get From the Migration

Faster investigation: Correlated incidents that previously required 20 minutes of cross-portal pivoting now surface pre-correlated with full entity context.

Better detection: Fusion detections combining Sentinel (cloud + identity) with Defender XDR (endpoint + email) surface attack chains that neither product detects independently.

Copilot for Security integration: The embedded Security Copilot experience provides AI-assisted investigation summarization, KQL generation, and recommended actions — context-aware across the full incident.

Single RBAC model: One role assignment to manage instead of two.

The July 2026 deadline is firm. The technical steps are straightforward, but RBAC changes, analyst training, and runbook updates take time that organizations consistently underestimate. Start now.


Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
