API/ARM support to programmatically connect secondary Microsoft Sentinel workspaces in Microsoft Defender portal

Question

API/ARM support to programmatically connect secondary Microsoft Sentinel workspaces in Microsoft Defender portal

Michael Cain 0

I am trying to prepare for the upcoming retirement of Microsoft Sentinel in the Azure portal.

I have Microsoft Sentinel integrated with the Microsoft Defender portal, with one Log Analytics workspace configured as the Primary workspace in the Defender portal. I need to connect additional Sentinel workspaces as Secondary workspaces.

I can programmatically enable Microsoft Sentinel on a workspace via IaC, but I have not found a supported public API/ARM/REST/CLI mechanism for the Defender portal action to “Connect a workspace” as secondary (System → Settings → Microsoft Sentinel → Workspaces). I have numerous secondary workspaces, and new ones are constantly being created.

Questions

Is there a supported public API / ARM resource / REST endpoint / CLI command to connect a Sentinel-enabled Log Analytics workspace to the Microsoft Defender portal as a secondary workspace (when a primary already exists)?
- If not, is Microsoft considering adding one? If so, is there a roadmap, preview, or recommended pattern for enterprises that require automated onboarding before July 2026?
Behavior after July 2026: If my tenant already has at least one Sentinel workspace connected in the Defender portal, what happens when I create new Sentinel workspaces after July 2026?
- Will newly created Sentinel workspaces be automatically connected to the Defender portal (as secondary), or do they still require a manual “Connect” action in the Defender portal?

Rukmini 43,015 Reputation points Microsoft External Staff Moderator

2026-01-12T11:18:20.64+00:00
Michael Cain Hey Michael! It sounds like you're diving into the integration of Microsoft Sentinel with the Defender portal, especially with the impending retirement of Microsoft Sentinel in the Azure portal. Let’s break down your questions.

Connecting Secondary Workspaces: Currently, there isn't a public API, ARM resource, REST endpoint, or CLI command available to programmatically connect a secondary Sentinel-enabled Log Analytics workspace to the Microsoft Defender portal. This functionality is typically done manually via the Defender portal interface under System → Settings → Microsoft Sentinel → Workspaces.

Future Considerations: There are no official announcements or roadmaps indicating when or if this functionality might be added, so it's advisable to keep an eye on the Microsoft Sentinel documentation for updates on features.

Post July 2026 Behavior: If your tenant has at least one Sentinel workspace connected to the Defender portal, it's unclear how newly created Sentinel workspaces will be treated after July 2026. The current understanding is:

Newly created Sentinel workspaces will not automatically connect as secondary workspaces; they will require a manual “Connect” action in the Defender portal.

To give you the best possible guidance, could you clarify a couple of things?

Are you currently utilizing any automation tools to manage your workspaces?

What specific workflows do you envision needing this API support for?

Would you be open to exploring manual workflows for connecting these secondary workspaces at present?

Hope this helps you get a clearer picture! Let me know if you need more information or have any other questions.

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

1 answer

Your answer

Rukmini 43,015 Reputation points Microsoft External Staff Moderator

2026-01-12T11:18:20.64+00:00

Michael Cain Hey Michael! It sounds like you're diving into the integration of Microsoft Sentinel with the Defender portal, especially with the impending retirement of Microsoft Sentinel in the Azure portal. Let’s break down your questions.

Connecting Secondary Workspaces: Currently, there isn't a public API, ARM resource, REST endpoint, or CLI command available to programmatically connect a secondary Sentinel-enabled Log Analytics workspace to the Microsoft Defender portal. This functionality is typically done manually via the Defender portal interface under System → Settings → Microsoft Sentinel → Workspaces.

Future Considerations: There are no official announcements or roadmaps indicating when or if this functionality might be added, so it's advisable to keep an eye on the Microsoft Sentinel documentation for updates on features.

Post July 2026 Behavior: If your tenant has at least one Sentinel workspace connected to the Defender portal, it's unclear how newly created Sentinel workspaces will be treated after July 2026. The current understanding is:

Newly created Sentinel workspaces will not automatically connect as secondary workspaces; they will require a manual “Connect” action in the Defender portal.

To give you the best possible guidance, could you clarify a couple of things?

Are you currently utilizing any automation tools to manage your workspaces?

What specific workflows do you envision needing this API support for?

Would you be open to exploring manual workflows for connecting these secondary workspaces at present?

Hope this helps you get a clearer picture! Let me know if you need more information or have any other questions.

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

Answer 1

Hi Rukmini,

Thanks for the follow-up.

To clarify our current approach and why we are pushing for automation:

Automation/tools: We provision and manage Log Analytics workspaces (and enable Sentinel) using Terraform, with supporting automation via the Azure SDK for Go.

Workflow needing support: We need a supported way to perform the Defender portal action System → Settings → Microsoft Sentinel → Workspaces → “Connect workspace” for newly created Sentinel-enabled workspaces as Secondary workspaces (we already have a Primary workspace configured).

Why manual doesn’t scale: We can do the “Connect” step manually today, but it is not sustainable at the rate new workspaces are created, and it creates operational risk (missed onboarding / inconsistent coverage) as we approach July 2026.

Could you please confirm (ideally with an official reference):

Post–July 2026 behavior: In your response you noted that newly created Sentinel workspaces will not automatically connect as secondary workspaces and will require a manual “Connect” action. Can you confirm whether this is definitive product behavior and share a supporting documentation link/announcement?

Share via

API/ARM support to programmatically connect secondary Microsoft Sentinel workspaces in Microsoft Defender portal

Questions

1 answer

Your answer