Sentinel is Moving From Azure Portal To Defender Portal
If you use Microsoft Sentinel in the Azure portal you should know that by July 1, 2026, you’ll need to move to the Microsoft Defender portal. Microsoft is unifying SIEM and XDR capabilities under one roof to improve incident correlation, simplify analyst workflows, and reduce tool sprawl.
In plain terms, Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) platform. It collects logs and security data from across your environment, helps you detect threats, and orchestrates response workflows. Until now, that experience has lived inside the Azure portal. But going forward, Microsoft is consolidating Sentinel operations into the Defender portal to give security teams a single place to manage both SIEM and XDR data.
This guide will walk you through what’s changing and how to prepare, step-by-step, for the migration to the Microsoft Defender portal, well ahead of the 2026 deadline.
Why Microsoft Is Moving Sentinel to the Defender Portal?
The move to the Defender portal is part of a larger strategy to unify SIEM and XDR tools under a single operational layer. Until now, many security teams have had to split their attention between Microsoft Sentinel in the Azure portal and Microsoft 365 Defender alerts in a separate interface. That split created friction, duplicated effort, siloed investigations, and incomplete incident context.
With this migration, Microsoft is streamlining everything into one integrated experience. The Defender portal becomes the new command center for both log-based analytics (Sentinel) and real-time signals from endpoints, identities, cloud apps, and more (Defender XDR). The goal is to reduce context switching and accelerate response by correlating alerts and incidents automatically across both platforms.
This also aligns with Microsoft’s broader investments in AI-driven security operations. Features like Security Copilot, unified advanced hunting, and cross-platform playbooks are being built exclusively into the Defender portal, not the classic Sentinel interface. If you’re still relying on the Azure-based Sentinel view, you’re missing out on both operational efficiency and future features.
Benefits of Using Sentinel in the Defender Portal
The Defender portal isn’t just a new front-end for Sentinel, it’s a significant upgrade. Here’s what that benefits are in practice:
1. One Incident Queue Across All Signals
No more bouncing between Sentinel and Microsoft 365 Defender. The Defender portal merges alerts and incidents into a single, correlated queue. You can view incidents tied to endpoints, identities, email, and your Sentinel analytics rules, all in one place. This simplifies investigations and reduces missed connections between related alerts.
2. Advanced Hunting Across Datasets
With the Defender portal, you can run cross-platform KQL queries that span both Sentinel’s Log Analytics data and Defender XDR telemetry. That means richer threat hunting capabilities with broader visibility, without leaving the portal.
3. Access to AI and Security Copilot
Security Copilot, Microsoft’s AI assistant for incident response and threat analysis, is only available in the Defender portal. Moving Sentinel into that environment gives you direct access to new AI-driven capabilities as they’re released.
4. Streamlined Role-Based Access Control (RBAC)
The Defender portal introduces unified RBAC, allowing you to manage roles across Sentinel and Defender with a single model. While it requires some planning, this reduces complexity long term, especially if you’re already managing multiple Microsoft security tools.
5. Built-In Integration With Defender Stack
Data connectors for Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps are natively integrated. This cuts down on duplicated alert ingestion and ensures all signals are automatically normalized and enriched within a single platform.
The Defender Portal Will Become Mandatory
Microsoft has made the transition timeline clear: by July 1, 2026, you’ll no longer be able to manage Sentinel from the Azure portal. After that date, the Microsoft Defender portal will be the only supported interface for Sentinel.
Here’s how the timeline breaks down:
| Date | Milestone |
| Late 2023 | Microsoft launches preview of unified SIEM + XDR experience in Defender portal. |
| Mid-2024 | Key features like multi-workspace support, unified hunting, and RBAC improvements are rolled out. |
| July 1, 2025 | One-year notice begins. Microsoft formally announces the deprecation timeline. |
| Throughout 2025 | Microsoft continues adding enhancements to the Defender portal only. Customers are encouraged to pilot migration. |
| July 1, 2026 | Mandatory cutover – Azure portal experience for Sentinel is retired. All access redirects to the Defender portal. |
Microsoft has confirmed that there will be no dual-support model after the deadline. The Azure portal UI for Sentinel will not just be deprecated, it will be removed entirely. If you’re still relying on the classic experience at that point, your security operations could face serious disruption.
You don’t need to wait until 2026 to move. Microsoft recommends transitioning as early as possible to validate permissions, update automation, and retrain staff. Many customers have already made the switch with our help.
Don’t Wait for the Deadline
Microsoft Sentinel will stop working in the Azure portal on July 1, 2026.
Make sure you’re ready for the switch!
Azure Portal vs Microsoft Defender Portal: What’s Different?
If you’ve been using Sentinel in the Azure portal for years, switching interfaces can feel disruptive, but there are benefits. Here’s a side-by-side comparison of what’s changing and why it matters:
| Feature/Area | Azure Portal (Classic Sentinel) | Microsoft Defender Portal |
| Access Point | portal.azure.com → Sentinel resource | security.microsoft.com → Microsoft Sentinel (in unified portal) |
| Incident Queue | Separate from Defender incidents; no native correlation | Single queue combining Sentinel and XDR incidents with automatic correlation |
| Advanced Hunting | Sentinel-only (Log Analytics) or separate Defender hunting | Unified KQL across Sentinel and Defender datasets |
| Role-Based Access (RBAC) | Azure-native roles (e.g., Sentinel Reader) | Unified Defender roles, including fine-grained cross-tool access |
| Data Connectors | Configured individually in Sentinel | Defender-native connectors; no duplication when connected through Defender |
| Automation | Sentinel playbooks via Logic Apps | Still supported, but incident triggers now come from unified incident logic |
| Multi-Workspace Support | Requires Azure Lighthouse for MSSP/multi-tenant view | Built-in multitenant view across Sentinel and Defender workspaces |
| New Features | Slower rollout; limited to Sentinel scope | Priority access to AI (Security Copilot), Copilot prompts, and new hunting UI |
The core analytics engine and data storage model (Log Analytics) remain the same. What’s changing is the user experience and operational layer. Everything is now routed through the Defender portal for a cleaner, faster, and more connected security workflow.
You have a pressing issue, but you’re not sure if Levacloud can help. We get it. Everyone has unique challenges they face in their IT environments. Schedule a free call today and talk us through it.
We’ll let you know how we can best support you.
Migration Checklist
How to Transition Sentinel to the Defender Portal
The shift to the Microsoft Defender portal doesn’t change how Sentinel collects data or runs analytics, it changes how you interact with it, how incidents are handled, and how access is managed. This section provides a detailed migration checklist to help you plan, test, and fully transition to the Defender portal before the July 1, 2026 deadline.
-
Review Microsoft’s Requirements and Prepare Your Environment
Start by reading Microsoft’s official transition documentation. Not all workspaces are ready out of the box, there are a few prerequisites to check:
- Your Sentinel workspace must be deployed in a region that supports the Defender portal experience.
- Certain preview features may need to be enabled.
- Licensing for Microsoft Defender for Endpoint or other XDR components may be required to take full advantage of the unified interface.
If you’re working in a government cloud (GCC High, DoD), note that Defender portal support may vary. Microsoft is still working to bring full parity to sovereign environments.
-
Choose a Workspace to Pilot the Migration
Instead of switching everything at once, begin with a non-production workspace or one with lower operational risk. This allows you to:
- Validate alert flow and correlation behavior.
- Explore changes in navigation and UI with minimal impact to your SOC.
- Test whether custom roles, hunting queries, and playbooks behave as expected in the new context.
This workspace can be run in parallel using both the Azure and Defender portals while you prepare for full adoption.
-
Enable Sentinel in the Defender Portal
Once you’re ready, onboard the workspace by enabling Microsoft Sentinel in the Defender portal:
- Go to Microsoft Sentinel > Settings > Defender portal integration.
- Toggle the option to enable the Defender portal experience for that workspace.
After enabling it, the same workspace becomes available at security.microsoft.com, under the Microsoft Sentinel blade. This doesn’t disable the Azure experience, you can still access Sentinel in the Azure portal during the transition window.
-
Validate Analytics Rules, Alert Flow, and Incident Correlation
This is a critical step. Once the workspace is visible in the Defender portal, verify that:
- Analytics rules are firing as expected.
- Incidents appear in the unified queue alongside Defender XDR incidents.
- Correlation works properly. For example, Defender for Endpoint alerts may now automatically group with Sentinel incidents in a single correlated thread.
- Incident severity, description fields, and entities match what you expect.
Be aware of duplicate alerts if you’ve already connected Defender products to both Sentinel and the Defender portal. Microsoft recommends disabling cross-sync in Sentinel for Defender-based connectors once you move to unified correlation to prevent this.
-
Review and Re-Map RBAC Permissions
The Defender portal uses unified role-based access control (RBAC) that’s separate from Azure’s native RBAC model.
Actions to take:
- Identify all existing Sentinel roles in Azure: Reader, Contributor, Responder, Playbook Operator, etc.
- Map those roles to Microsoft Defender portal roles, such as:
- Security Reader
- Security Operator
- Hunting Operator
- Custom roles with scoped access
- Reassign access in the Microsoft 365 Defender role-based access system.
The access model in the Defender portal allows cross-product scopes, which is a benefit, but it also means you need to validate who can access what. Don’t assume existing permissions will translate automatically.
-
Test Automation and Logic Apps
If your Sentinel implementation relies on automated response, especially Logic App-based playbooks, test each one thoroughly after enabling Defender portal integration.
Considerations:
- Are your playbooks still triggering as expected?
- Have any incident triggers changed? For example, Sentinel’s native “fusion” rule is replaced by Defender’s incident correlation engine.
- If you use dynamic conditions based on incident titles or providers, verify that your logic accounts for changes in field naming or source.
- Reauthorize any connectors that may be scoped differently under the Defender portal.
Where possible, migrate your incident triggers to unified incident logic so that your response playbooks work consistently across both Sentinel and Defender alerts.
-
Retrain Analysts and Update Runbooks
The Defender portal is a different experience, your team needs to be comfortable navigating it before you fully transition.
Training should cover:
- Where common Sentinel functions now live (analytics rules, hunting, playbooks, logs).
- How to use the unified incident queue.
- Running KQL queries across combined Sentinel and Defender data sources in Advanced Hunting.
- Identifying changes in incident correlation and alert enrichment.
Update any runbooks, internal documentation, and onboarding materials that reference the Azure portal. The sooner your team starts using the Defender portal, the easier the final cutover will be.
-
Monitor During the Transition Period
As you onboard more workspaces or move into production, monitor closely for:
- Alert flow consistency and latency.
- Incident duplication or missed correlation.
- Permission issues or failed automation.
- Analyst feedback on workflow disruptions.
During this dual-access period (Azure + Defender portal), you can iterate and refine. Encourage your SOC to use the Defender portal as their primary interface and treat Azure as a fallback only.
-
Plan for Final Cutover Before July 1, 2026
Don’t wait until the deadline.
Once your environment is validated and your team is confident in the new portal, plan a full transition:
- Communicate the final switch to the SOC team and stakeholders.
- Disable training or internal links that point to the Azure portal.
- Remove any cross-sync settings that could create alert duplication.
- Lock in a final date where all day-to-day security operations occur exclusively in the Defender portal.
This final cutover should feel like a natural progression, not a forced disruption, if you’ve followed the steps above.
Need help moving Sentinel to the Defender portal?
Levacloud has already helped teams like yours navigate this shift.
Common Challenges During Migration
Even with careful planning, the transition to the Microsoft Defender portal can introduce unexpected issues. The architecture is shifting, the access model is different, and some integrations behave differently than they did in the Azure portal. Here are the most common challenges we’ve seen, and how Levacloud can help you work through them efficiently.
RBAC and Permission Gaps
The Defender portal uses a separate RBAC model from Azure. If you don’t re-map your roles properly, users who had access in the Azure portal may suddenly find themselves locked out of incidents, hunting queries, or automation tools.
Where it gets complicated:
- Defender roles don’t have 1:1 equivalents for all Sentinel roles.
- Permissions may need to be layered (e.g. Sentinel Contributor + Security Operator).
- Custom roles in Azure may require complete redesign for Defender.
We can walk through your existing access model, identify what needs to be replicated, and implement a clean, least-privilege role structure in the Defender portal. That includes testing and validating permissions for each persona in your SOC—from Tier 1 responders to threat hunters and automation engineers.
Automation Behaving Unexpectedly
Many organizations use Logic Apps or API-based integrations that rely on Sentinel incident triggers or specific incident fields. Once you switch to the Defender portal, some of those assumptions no longer apply.
What might break:
- Incident names or sources that are now auto-correlated and renamed.
- Playbooks triggered from “Sentinel-only” incidents may no longer fire.
We review your automation stack (playbooks, ticketing workflows, Teams alerts, etc.) and adjust the logic to align with Defender’s incident model. We also help configure and test new triggers based on the Defender correlation engine so your response playbooks stay effective.
Connector Duplication or Data Overlap
If you’ve already integrated Microsoft 365 Defender products into Sentinel, enabling the Defender portal can cause duplicate alerts or incidents if you don’t reconfigure connectors properly.
Typical signs:
- Alerts from Defender for Endpoint appear twice.
- Incidents in Sentinel and Defender show the same underlying threat.
- Correlation logic doesn’t group related events.
We help you review and normalize your connector configuration. That includes deconflicting overlapping alert flows, disabling redundant syncs, and ensuring everything flows through the unified correlation engine. The result: a cleaner incident queue and more reliable automation.
SOC Readiness and Workflow Disruption
Analysts trained on the Azure portal may not immediately know how to work in the new interface, especially during high-pressure incidents.
The risk:
- Slower response times.
- Missed alerts or escalations.
- Frustration and workflow friction.
We offer hands-on training tailored to your IT team. That includes walkthroughs of the new UI, advanced hunting in the unified dataset, and Defender-specific tools your analysts may not be using yet. We can also help revise your internal documentation and runbooks to reflect the new environment.
Compliance and Governance Uncertainty
The governance context shifts slightly in the Defender portal. Retention, access logging, data region controls, and incident metadata may behave differently depending on how you’re licensed and configured.
Potential concerns:
- Do your auditors need a new explanation of how data is stored and retained?
- Will access to incident data still be logged for compliance reporting?
- Does the move impact your ISO/SOC/HIPAA documentation?
We bring compliance into the planning phase, not just as an afterthought. We help you document the impact of the change, ensure audit requirements are still met, and work with your compliance or GRC teams to update policies, logs, and access review processes accordingly.
Too Many Moving Parts, Not Enough Time
You may simply not have the internal bandwidth to handle this migration thoroughly. While Microsoft offers documentation, the real effort lies in implementation, validation, and rollout.
We can handle the heavy lifting. That includes:
- Reviewing your current Sentinel deployment.
- Planning and executing the migration.
- Updating RBAC, integrations, and playbooks.
- Training your team and providing ongoing support.
With the 2026 deadline approaching, it’s worth getting ahead of the curve. Our role is to make sure you don’t just meet the requirement, but actually improve your security operations in the process.
Wondering if Levacloud can solve your Microsoft Cybersecurity related challenge? Drop us a message!
Start Your Transition to the Defender Portal Now
Microsoft Sentinel will no longer be accessible through the Azure portal after July 1, 2026, and while that may feel like a distant deadline, the complexity of the transition makes early planning essential.
By moving to the Defender portal, you gain access to:
- A unified incident queue that brings Sentinel and Defender XDR alerts together
- Cross-platform advanced hunting
- Role-based access control that spans multiple Microsoft security tools
- Improved automation, better correlation, and enhanced analyst workflows
- Priority access to new capabilities, including Security Copilot and AI-driven triage
But the benefits only come if your migration is done right. That means aligning permissions, cleaning up connectors, adjusting automation, and retraining your team. If you leave that until the last minute, you’ll be reacting under pressure, instead of upskilling your security team.
At Levacloud, we help teams like yours navigate these transitions quickly, thoroughly, and with minimal disruption. Whether you need help planning your migration, executing the technical steps, or training your IT team, we’re ready to support you.
Need help moving Microsoft Sentinel to the Defender portal?
Reach out to Levacloud for expert guidance, hands-on migration support, or a custom migration readiness assessment. You don’t have to figure this out alone, and you shouldn’t have to.
Migrating Sentinel to the Defender Portal FAQs
Is Microsoft Sentinel going away?
No. Microsoft Sentinel is not being retired, only the Azure portal interface for managing Sentinel is being phased out. The service itself remains fully supported and is being enhanced within the Microsoft Defender portal, where it will operate alongside Defender XDR tools.
When will the Azure portal stop supporting Microsoft Sentinel?
Microsoft has set July 1, 2026 as the cutoff date. After that, Sentinel will only be accessible and managed through the Microsoft Defender portal at security.microsoft.com.
Do I need to redeploy my Sentinel workspace or infrastructure?
No. You don’t need to redeploy anything. The underlying Log Analytics workspace and data connectors remain in Azure. This change affects only the management interface, not the underlying architecture.
Can I use both the Azure portal and Defender portal during the transition?
Yes. Microsoft supports a dual-access period, allowing you to use both portals while testing the new experience. However, all new features, like unified incident queues and AI support, are only available in the Defender portal.
Will my current Sentinel roles and permissions still work?
Not automatically. The Defender portal uses a different RBAC model. You’ll need to map your existing Sentinel roles to new Microsoft Defender roles. If not configured properly, this can result in analysts losing access to incidents or hunting tools.
What happens to my automation playbooks and alerts?
Most playbooks will continue to work, but you’ll need to verify incident triggers and parameters. The Defender portal uses its own correlation logic, which may group alerts differently and affect how your automation responds.
Do I need a Microsoft Defender license to use Sentinel in the Defender portal?
You can access Sentinel without licensing other Defender products, but you’ll get significantly more value from the unified portal if you have Microsoft 365 Defender or Defender for Endpoint licensed and integrated. Some connectors and features may require additional licensing.
Can Levacloud help with our migration?
Yes. Levacloud specializes in Microsoft Security migrations, including Sentinel. We can help you:
- Plan your cutover
- Reconfigure RBAC
- Validate integrations
- Update automation
- Empower your IT team
This blog post was reviewed and validated by Gareth Young, a Microsoft Security and Compliance Expert with 15 years of experience in Microsoft solutions. As the founder of Levacloud, Gareth specializes in Security, Modern Work and Security Arcitecture. He holds multiple Microsoft certifications, including: AZ-500, MS-500, SC-400, MS-101, MS-100, MS-900 as well as the CISSP certification.





