Microsoft Sentinel data lake (preview)

July 2025

• Microsoft Sentinel data lake (preview)
• Table management and retention settings in the Microsoft Defender portal
• Microsoft Sentinel data lake permissions integrated with Microsoft Defender XDR unified RBAC (Preview)
• For new customers only: Automatic onboarding and redirection to the Microsoft Defender portal
• No limit on the number of workspaces you can onboard to the Defender portal
• Microsoft Sentinel in the Azure portal to be retired July 2026

Microsoft Sentinel data lake (preview)
Microsoft Sentinel is now enhanced with a modern data lake, purpose-built to streamline data management, reduce costs, and accelerate AI adoption for security operations teams. The new Microsoft Sentinel data lake offers cost-effective, long-term storage, eliminating the need to choose between affordability and robust security. Security teams gain deeper visibility and faster incident resolution, all within the familiar Sentinel experience, enriched through seamless integration with advanced data analytics tools.

Key benefits of the Microsoft Sentinel data lake include:

• Single, open-format data copy for efficient and cost-effective storage
• Separation of storage and compute for greater flexibility
• Support for multiple analytics engines to unlock deeper insights from your security data
• Native integration with Microsoft Sentinel, including the ability to select tiering for log data across analytics and lake tiers For more information, see
  Explore the data lake using KQL queries, or use the new Microsoft Sentinel data lake notebook for VS Code to visualize and analyze your data.

Table management and retention settings in the Microsoft Defender portal

• Table management and retention settings are now available in the Microsoft Defender portals. You can view and manage table settings in the Microsoft Defender portal, including retention settings for Microsoft Sentinel and Defender XDR tables, and switch between analytics and data lake tiers.

Microsoft Sentinel data lake permissions integrated with Microsoft Defender XDR unified RBAC (preview)

• Starting in July 2025, Microsoft Sentinel data lake permissions are provided through Microsoft Defender XDR unified RBAC. Support for unified RBAC is available in addition the support provided by global Microsoft Entra ID roles.

For new customers only: Automatic onboarding and redirection to the Microsoft Defender portal
For this update, new Microsoft Sentinel customers are customers who are onboarding the first workspace in their tenant to Microsoft Sentinel on or after July 1, 2025.

Starting July 1, 2025, such new customers who have the permissions of a subscription Owner or a User access administrator, and are also not Azure Lighthouse-delegated users, have their workspaces automatically onboarded to the Defender portal together with onboarding to Microsoft Sentinel. Users of such workspaces, who also aren't Azure Lighthouse-delegated users, see links in Microsoft Sentinel in the Azure portal that redirect them to the Defender portal. Such users use Microsoft Sentinel in the Defender portal only.

New customers who don't have relevant permissions aren't automatically
onboarded to the Defender portal, but they do still see redirection links in the Azure portal, together with prompts to have a user with relevant permissions manually onboard the workspace to the Defender portal.
This change streamlines the onboarding process and ensures that new customers can immediately take advantage of unified security operations capabilities without the extra step of manually onboarding their workspaces.

No limit on the number of workspaces you can onboard to the Defender portal
There is no longer any limit to the number of workspaces you can onboard to the Defender portal.
Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule.

Microsoft Sentinel in the Azure portal to be retired July 2026
Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.

Starting in July 2026, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected.

If you're currently using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal now to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.