Forum Discussion
Sentinel RBAC in the Unified portal: who has activated Unified RBAC, and how did it go?
At RSAC 2026, Microsoft announced two things that materially change the Part 3 story.
The first: Unified RBAC for Sentinel SIEM is now in public preview. You can now manage Sentinel permissions directly from the Defender portal alongside your Defender XDR permissions, in a single consistent system. It is opt-in, activated per workspace, and once activated it replaces Azure RBAC as the primary permissions source for that workspace. The role import function means you do not have to rebuild from scratch.
The second: a new Defender-native GDAP model for non-CSP organisations is arriving in public preview. This is not the same as the Azure Lighthouse GDAP integration that remains unsupported for Sentinel data in the Defender portal. These are two different things, and the distinction matters if you are an MSSP planning your multi-tenant access model.
Part 3 of the Sentinel to Defender Portal series covers all of this: the five permission layers in the Unified portal, the Unified RBAC activation decision and its consequences, row-level scoping for shared-workspace environments, and the current state of multi-tenant access for both enterprise and MSSP operators.
It also acknowledges directly where Part 2 stood at the time, because this is a fast-moving space and I think practitioners deserve a clear view of what changed and when.
Link if you're keen to read: https://securingm365.com/defenderxdr/sentinel/sentineldefender-part3/
At RSAC 2026, Microsoft announced two things that materially change the Part 3 story.
The first: Unified RBAC for Sentinel SIEM is now in public preview. You can now manage Sentinel permissions directly from the Defender portal alongside your Defender XDR permissions, in a single consistent system. It is opt-in, activated per workspace, and once activated it replaces Azure RBAC as the primary permissions source for that workspace. The role import function means you do not have to rebuild from scratch.
The second: a new Defender-native GDAP model for non-CSP organisations is arriving in public preview. This is not the same as the Azure Lighthouse GDAP integration that remains unsupported for Sentinel data in the Defender portal. These are two different things, and the distinction matters if you are an MSSP planning your multi-tenant access model.
Part 3 of the Sentinel to Defender Portal series covers all of this: the five permission layers in the Unified portal, the Unified RBAC activation decision and its consequences, row-level scoping for shared-workspace environments, and the current state of multi-tenant access for both enterprise and MSSP operators.
It also acknowledges directly where Part 2 stood at the time, because this is a fast-moving space and I think practitioners deserve a clear view of what changed and when.
Link if you're keen to read: https://securingm365.com/defenderxdr/sentinel/sentineldefender-part3/