Sentinel RBAC in the Unified portal: who has activated Unified RBAC, and how did it go?
Following the RSAC 2026 announcements last month, I have been working through the full permission picture for the Unified portal and wanted to open a discussion here given how much has shifted in a short period. A quick framing of where things stand. The baseline is still that Azure RBAC carries across for Sentinel SIEM access when you onboard, no changes required. But there are now two significant additions in public preview: Unified RBAC for Sentinel SIEM itself (extending the Defender Unified RBAC model to cover Sentinel directly), and a new Defender-native GDAP model for non-CSP organisations managing delegated access across tenants. The GDAP piece in particular is worth discussing carefully, because I want to be precise about what has and has not changed. The existing limitation from Microsoft's onboarding documentation, that GDAP with Azure Lighthouse is not supported for Sentinel data in the Defender portal, has not changed. What is new is a separate, Defender-portal-native GDAP mechanism announced at RSAC, which is a different thing. These are not the same capability. If you were using Entra B2B as the interim path based on earlier guidance, that guidance was correct and that path remains the generally available option today. A few things I would genuinely like to hear from practitioners: For those who have activated Unified RBAC for a Sentinel workspace in the Defender portal: what did the migration from Azure RBAC roles look like in practice? Did the import function bring roles across cleanly, or did you find gaps particularly around custom roles? For environments using Playbook Operator, Automation Contributor, or Workbook Contributor role assignments: how are you handling the fact those three roles are not yet in Unified RBAC and still require Azure portal management? Is the dual-management posture creating operational friction? For MSSPs evaluating the new Defender-native GDAP model against their existing Entra B2B setup: what factors are driving the decision either way at your scale? Writing this up as Part 3 of the migration series and the community experience here is directly useful for making sure the practitioner angle is grounded.
How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
Dear Community, I would like to implement the following scenario on an environment with Microsoft 365 E5 licenses: Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes). Challenge: Neither the "Microsoft 365" connector, nor the "Defender XDR" or "Purview" (which appear to be exclusively Azure Purview) connectors are importing the necessary data. Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can identify... ...which user conducted when an audit log search and with what kind of search query. Thank you!Webinar Cancellation
Hi everyone! The webinar originally scheduled for April 14th on "Using distributed content to manage your multi-tenant SecOps" has unfortunately been cancelled for now. We apologize for the inconvenience and hope to reschedule it in the future. Please find other available webinars at: http://aka.ms/securitycommunity All the best, The Microsoft Security Community TeamNew content types supported in multi-tenant content distribution
Onboard new tenants and maintain a consistent security baseline We’re excited to announce a set of new content types that are now supported by the multi-tenant content distribution capability in the Defender portal: You can now distribute analytics rules, automation rules, workbooks, and alert tuning built in rules. What is content distribution? Content distribution is a powerful multi-tenant feature that enables scalable management of security content across tenants. With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content—such as custom detection rules and endpoint security policies—from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. This allows you to onboard new tenants quickly and maintain a consistent security baseline across tenants. New supported content types With this release, we add support for several new content types: Analytics rules (Sentinel) Automation rules (Sentinel) Workbooks (Sentinel) Alert tuning rules (built-in rules) Soon, we will introduce more content types, including URBAC roles. How it works Navigate to ‘Content Distribution’ in Defender’s multi-tenant management portal Create a new distribution profile or select an existing distribution profile In the ‘Content selection’ step, select one of the new content types to distribute After choosing the content types, select the actual content that you want to distribute. For example, select analytics rules that you want to distribute to other tenants Use the filters to select which tenant (and workspace) to take the content from Choose at least one workspace that you want to distribute the content to. You can select up to 100 workspaces per tenant. Save the distribution profile and the content will be synced to your target tenants Review the sync result in your distribution profile Good to know Automation rules that trigger a playbook cannot currently be distributed Alert tuning rules are currently limited to distributing built-in rules, this will be expanded to custom rules later Learn more For more information, see Content distribution in multitenant management. To get started, navigate to Content distribution. FAQ What pre-requisites are required? Access to more than one tenant, with delegated access via Azure B2B, using multi-tenant management A subscription to Microsoft 365 E5 or Office E5 What permissions are needed to distribute? Each content type requires you to have permission to create that content type on the target tenant. For example, to create Analytics Rules, you require ‘Sentinel Contributor’ permissions. To distribute content using multi-tenant management content distribution, the Security settings (manage) or Security Data Basic (read) permission is required. Both roles are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default. Can I update or expand distribution profiles later? Yes. You can add more content, include additional tenants, or modify scopes as needed.
New Compliance Solutions in Microsoft Sentinel: HIPAA & GDPR Reports
What’s New? GDPR Compliance & Data Security Solution (Preview) Helps organizations demonstrate compliance with the General Data Protection Regulation (GDPR) and protect personal data in cloud and hybrid environments. Consolidates data from Alerts, Incidents, Microsoft Purview, Azure SQL, Microsoft 365, UEBA, and Entra ID into a unified workbook. Monitors GDPR-related alerts, data classification, sensitive data queries, identity risks, and insider behaviours. Provides clear audit evidence and compliance reports, supporting proactive risk detection and regulatory accountability. HIPAA Compliance Solution (Preview) Designed for healthcare organizations and business associates to meet HIPAA Security and Privacy Rules. Provides robust monitoring of Protected Health Information (PHI) across administrative, technical, and physical safeguards. Features integrated dashboards, analytics, and Azure-native security capabilities for audit readiness and operational efficiency. Includes pre-built workbook tabs for overview, attack range, audit trail reporting, and advanced analysis. Enables anomaly detection (e.g., ransomware, suspicious SQL procedures, password spray attempts) and forensic audit trails for incident investigations. Below, you will find more detailed information about the HIPAA and GDPR connectors. First, we cover the features of the HIPAA connector, followed by the key aspects of the GDPR solution. GDPR Compliance Solution This solution provides a unified workbook that consolidates data from Alerts and Incidents, Microsoft Purview, Azure SQL Databases, Microsoft 365, User & Entity Behavior Analytics (UEBA), and Entra ID. With this workbook, you can: Monitor GDPR and data-theft related alerts and incidents across your Microsoft ecosystem. Gain visibility into data classification and sensitivity labelling with Microsoft Purview. Detect sensitive data queries, anomalous database activity, and unusual access patterns in Azure SQL. Investigate identity risks, anomalous sign-ins, and insider behaviours using Entra ID and UEBA. Provide clear audit evidence and compliance reports across Microsoft 365 and related services. Key Capabilities Security Alerts & Incidents Investigate security alerts and incidents from hosts and resources that store or process personal data. Track alerts mapped to MITRE ATT&CK® tactics and measure responsiveness for breach notification requirements. Focus on GDPR-relevant systems using customizable watchlists. For the Security Alerts & Incidents section to function properly, you must create a watchlist containing servers that host personal data. You must configure this watchlist in Sentinel and populate it with the names of your personal data hosting servers. Sample Watchlist (GDPR_PersonalData_Assets) HostName server1 server2 server3 server4 Data Loss Prevention (DLP) Monitor sensitive data access, leaks, and geolocation-based usage. Detect potential leaks or unauthorized transfers of personal data. Track label-based access patterns and provide evidence of preventive controls. Purview Logs Discover and classify assets, monitor sensitivity labelling, and track data governance. Assess the application of sensitivity labels and provide auditors with data inventory and classification coverage. Azure SQL Databases Detect anomalies and monitor classified data queries. Track application and IP access to classified data for accountability and traceability. Provide auditors with proof of continuous monitoring of database activity. Microsoft 365 Activity Monitor user and administrator activity across Exchange, SharePoint, OneDrive, and Teams. Detect risky behaviours such as external sharing, non-owner mailbox access, and unusual admin operations. Provide a comprehensive audit trail of data activity in Microsoft 365 services. User & Entity Behavior Analytics (UEBA) Analyze anomalous user and entity behaviors to detect insider threats and compromised accounts. Correlate activities across multiple data sources and identify potential data exfiltration attempts. Sign-Ins and Audit (Entra ID) Track risky sign-ins, brute-force attempts, and unusual geolocations. Investigate access patterns to applications and resources handling personal data. Monitor changes to users, groups, and applications for GDPR accountability. References The metrics and monitoring approaches used in the GDPR Compliance Solution are referenced from established workbooks and solutions, including: Microsoft Purview: For data classification, sensitivity labelling, and governance metrics, leveraging Purview’s comprehensive data inventory and classification coverage. Azure SQL Database Solution for Sentinel: For monitoring classified data queries, detecting anomalies, and providing continuous database activity auditing. Microsoft Purview Insider Risk Management: For insights into M365 audits, identity risks, and anomalous activities, supporting proactive risk detection and regulatory accountability. HIPAA Compliance Solution The HIPAA Compliance Solution in Microsoft Sentinel—now available in preview—empowers security teams to validate compliance posture, detect anomalies, and respond swiftly to threats. With integrated dashboards, analytics, and Azure-native security capabilities, this solution helps you stay audit-ready while reducing operational complexity. Getting Started: Two Key Steps Connect Data Sources To unlock the full potential of the HIPAA Compliance Solution, you need to integrate key data sources into Microsoft Sentinel. These connectors ensure comprehensive visibility across your HIPAA environment: AzureDiagnostics Collect logs from Azure services, firewalls, and network devices. This is critical for monitoring HIPAA-relevant infrastructure and network traffic anomalies. Recommended Solution: [Azure Firewall Solution in Sentinel Content Hub] for enriched firewall analytics. SecurityEvent Ingest Windows Server event logs to track login activity, access attempts, and policy changes. Recommended Solution: [Windows Security Events Solution] for prebuilt analytics and dashboards. SecurityAlert Pull in alerts from Microsoft Defender and other integrated security tools for anomaly and incident detection. Recommended Solution: [Microsoft Defender for Endpoint Solution] for advanced threat detection and correlation. AuditLogs Capture Azure AD sign-in logs, MFA status, and user activity to validate identity and access controls. Recommended Solution: [Azure Active Directory Solution] for identity governance and compliance insights. DeviceEvents / DeviceProcessEvents Gather endpoint telemetry and Defender for Endpoint alerts to monitor device health and detect compromise attempts. Recommended Solution: [Microsoft Defender for Endpoint Solution] for endpoint security posture. SQLSecurityAuditEvents Enable auditing for HIPAA-relevant databases to track CRUD operations, suspicious stored procedures, and integrity checks. Recommended Solution: [SQL Security Audit Solution] for database compliance and threat detection. Define HIPAA Users and Assets Use Watchlists to specify HIPAA-relevant users and assets within your compliance scope: HIPAA Users Details Watchlist Columns: UserName, TrainingStatus, AccessLevel Upload as CSV and configure in Sentinel under Configuration > Watchlist. HIPAA Assets Watchlist Columns: DeviceName, DeviceType Follow the same steps as above with appropriate naming conventions. To learn more about how to create watchlists, see Create new watchlists - Microsoft Sentinel | Microsoft Learn What’s Included in the Solution Pre-Built Workbook Tabs Overview Tab Track user training status, asset health, login success/failure, MFA status, antivirus coverage, and incident trends. Attack Range Tab This tab focuses on real-time threat visibility and behavioral analytics, giving SOC teams the ability to detect and respond to active threats impacting HIPAA-regulated environments. It visualizes multiple high-risk indicators drawn from security logs, Defender telemetry, and database activity. Key insights provided on this dashboard include: Macaw Ransomware Detection: Identifies endpoints exhibiting encryption-like behavior typical of the Macaw ransomware family, allowing the SOC team to act before patient health data is encrypted or lost. Suspicious SQL Stored Procedures: Flags execution of destructive or data-deletion commands from stored procedures initiated by untrained or unauthorized HIPAA users — a potential insider threat or misuse case. Password Spray Attempts: Detects repeated failed login attempts from a single IP within a short time frame, helping to identify brute-force or credential-stuffing activity targeting HIPAA accounts. Unusual SMB Activity: Surfaces abnormal file-sharing or data transfer patterns between internal servers, indicating potential lateral movement or data exfiltration attempts. Audit Trail Reporting Tab This Tab serves as the organization’s forensic and compliance backbone, enabling security and compliance teams to trace every critical activity within their HIPAA environment. It provides a detailed chronological record of user actions, system processes, and network communications — essential for both incident investigations and regulatory audits. Further Analysis Tab Export pre-written queries for advanced investigation and compliance reporting.
Update content package Metadata
Hello Sentinel community and Microsoft. Ive been working on a script where i use this command: https://learn.microsoft.com/en-us/rest/api/securityinsights/content-package/install?view=rest-securityinsights-2024-09-01&tabs=HTTP Ive managed to successfully create everything from retrieving whats installed, uninstalling, reinstalling and lastly updating (updating needed to be "list, delete, install" however :'), there was no flag for "update available"). However, now to my issue. As this work like a charm through powershell, the metadata and hyperlinking is not being deployed - at all. So i have my 40 content packages successfully installed through the REST-api, but then i have to visit the content hub in sentinel in the GUI, filter for "installed" and mark them all, then press "install". When i do this the metadata and hyperlinking is created. (Its most noticeable that the analytic rules for the content hubs are not available under analytic rules -> Rule templates after installing through the rest api). But once you press install button in the GUI, they appear. So i looked in to the request that is made when pressing the button. It uses another API version, fine, i can add that to my script. But it also uses 2 variables that are not documented and encrypted-data. they are called c and t: Im also located in EU and it makes a request to SentinelUS. im OK with that, also as mentioned, another API version (2020-06-01) while the REST APi to install content packages above has 2024-09-01. NP. But i can not simulate this last request as the variables are encrypted and not available through the install rest api. They are also not possible to simulate. it ONLY works in the GUI when pressing install. Lastly i get another API version back when it successfully ran through install in GUI, so in total its 3 api versions. Here is my code snippet i tried (it is basically a mimic of the post request in the network tab of the browser then pressing "install" on the package in content hub, after i successfully installed it through the official rest api). function Refresh-WorkspaceMetadata { param ( [Parameter(Mandatory = $true)] [string]$SubscriptionId, [Parameter(Mandatory = $true)] [string]$ResourceGroup, [Parameter(Mandatory = $true)] [string]$WorkspaceName, [Parameter(Mandatory = $true)] [string]$AccessToken ) # Use the API version from the portal sample $apiVeri = "?api-version=" $RefreshapiVersion = "2020-06-01" # Build the batch endpoint URL with the query string on the batch URI $batchUri = "https://management.azure.com/\$batch$apiVeri$RefreshapiVersion" # Construct a relative URL for the workspace resource. # Append dummy t and c parameters to mimic the portal's request. $workspaceUrl = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName$apiVeri$RefreshapiVersion&t=123456789&c=dummy" # Create a batch payload with several GET requests $requests = @() for ($i = 0; $i -lt 5; $i++) { $requests += @{ httpMethod = "GET" name = [guid]::NewGuid().ToString() requestHeaderDetails = @{ commandName = "Microsoft_Azure_SentinelUS.ContenthubWorkspaceClient/get" } url = $workspaceUrl } } $body = @{ requests = $requests } | ConvertTo-Json -Depth 5 try { $response = Invoke-RestMethod -Uri $batchUri -Method Post -Headers @{ "Authorization" = "Bearer $AccessToken" "Content-Type" = "application/json" } -Body $body Write-Host "[+] Workspace metadata refresh triggered successfully." -ForegroundColor Green } catch { Write-Host "[!] Failed to trigger workspace metadata refresh. Error: $_" -ForegroundColor Red } } Refresh-WorkspaceMetadata -SubscriptionId $subscriptionId -ResourceGroup $resourceGroup -WorkspaceName $workspaceName -AccessToken $accessToken (note: i have variables higher up in my script for subscriptionid, resourcegroup, workspacename and token etc). Ive tried with and without mimicing the T and C variable. none works. So for me, currently, installing content hub packages for sentinel is always: Install through script to get all 40 packages Visit webpage, filter for 'Installed', mark them and press 'Install' You now have all metadata and hyperlinking available to you in your Sentinel (such as hunting rules, analytic rules, workbooks, playbooks -templates). Anyone else manage to get around this or is it "GUI" gated ? Greatly appreciated.[DevOps] dps.sentinel.azure.com no longer responds
Hello, Ive been using Repository connections in sentinel to a central DevOps for almost two years now. Today i got my first automated email on error for a webhook related to my last commit from the central repo to my Sentinel intances. Its a webhook that is automticly created in connections that are made the last year (the once from 2 years ago dont have this webhook automaticly created). The hook is found in devops -> service hooks -> webhooks "run state change" for each connected sentinel However, after todays run (which was successfull, all content deployed) this hook generates alerts. It says it cant reach: (EU in my case) eu.prod.dps.sentinel.azure.com full url: https://eu.prod.dps.sentinel.azure.com/webhooks/ado/workspaces/[REDACTED]/sourceControls/[REDACTED] So, what happened to this domain? why is it no longer responding and when was it going offline? I THINK this is the hook that sets the status under Sentinel -> Repositories in the GUI. this success status in screenshoot is from 2025/02/06, no new success has been registered in the receiving Sentinel instance. For the Sentinel that is 2 year old and dont have a hook in my DevOps that last deployment status says "Unknown" - so im fairly sure thats what the webhook is doing. So a second question would be, how can i set up a new webhook ? (it want ID and password of the "Azure Sentinel Content Deployment App" - i will never know that password....) so i cant manually add ieather (if the URL ever comes back online or if a new one exists?). please let me know.
