Quzara LLC · May 11, 2026 · 21 min read

How to Install Microsoft Sentinel in 2026: Defender Portal, Data Lake & Agentic Security Copilot

[Embedded video: How to Install Microsoft Sentinel 2026 | Quzara Cybertorch (20:40)]

Microsoft Sentinel is no longer just a SIEM. In 2025, Microsoft repositioned it as a cloud-native SIEM and unified security platform for agentic defense — a data-first foundation that powers AI agents, a security graph, and a hosted Model Context Protocol (MCP) server, all in the Microsoft Defender portal. That changes how you install it, where you install it, and what you can do with it on day one.

This guide walks federal agencies, Defense Industrial Base (DIB) contractors, FedRAMP cloud service providers, and regulated commercial teams through a 2026-ready Microsoft Sentinel installation — from licensing and workspace design through Defender portal onboarding, data lake activation, and Security Copilot agent integration. It is written for security architects and SOC leaders who need an installation path that survives the March 2027 Azure portal retirement and inherits the controls required by CMMC, FedRAMP, FISMA, and DoD Impact Levels 4–5.

What Microsoft Sentinel Is in 2026: The Agentic Security Platform

Three official Microsoft commitments define the modern install path, and together they reshape what a Microsoft Sentinel deployment looks like in 2026:

  • Sentinel is generally available in the Microsoft Defender portal, with or without Microsoft Defender XDR or an E5 license. New customers onboarding after July 1, 2025 with subscription Owner or User Access Administrator permissions are automatically routed to the Defender portal.
  • The Microsoft Sentinel data lake is GA as of July 2025 — a Parquet-backed, fully managed lake that decouples storage from compute and supports up to 12 years of retention.
  • Microsoft Sentinel in the Azure portal will be retired after March 31, 2027. Starting July 2026, any remaining Azure-portal users will be automatically redirected to the Defender portal.

Microsoft’s own product documentation now describes Sentinel as an AI-ready platform that “transforms telemetry into a security graph, standardizes access for agents, and coordinates autonomous actions, while keeping humans in command of strategy and high-impact investigations.” In practice, that means a 2026 Sentinel install is no longer just “turn on a SIEM” — it’s deploying a SIEM, a data lake, a security graph, and an agentic toolchain in one motion.

The four pillars of the modern Sentinel platform

| Pillar | What it does | Why it matters for your install |
| --- | --- | --- |
| Microsoft Sentinel SIEM | Cloud-native SIEM with 350+ connectors, analytics rules, automation, attack disruption | The detection and response core. Install this first in the Defender portal. |
| Microsoft Sentinel data lake | Open-format Parquet lake, two-tier storage (Analytics + Lake), up to 12 years retention | Activate during onboarding; eliminates the cost-vs-coverage tradeoff that crippled legacy SIEMs. |
| Microsoft Sentinel graph | Unified graph analytics modeling users, devices, assets, data flows, attacker actions | Enables agents and analysts to reason over relationships, not just rows of logs. |
| Microsoft Sentinel MCP server | Hosted Model Context Protocol server that lets AI clients query Sentinel data in natural language | The agentic interface: turns Sentinel into a tool an AI agent can actually use. |

Three Timelines That Shape Your 2026 Installation Roadmap

Before you create your first Log Analytics workspace, anchor your project plan to these three Microsoft-published dates. Skipping any of them today creates rework before March 2027.

  1. July 1, 2025 — Automatic Defender portal onboarding for new customers. Net-new Sentinel tenants are automatically connected to the Defender portal at onboarding time if the deploying user has subscription Owner or User Access Administrator permissions and is not an Azure Lighthouse-delegated user.
  2. July 2026 — Azure portal users auto-redirected. Microsoft begins redirecting all remaining Azure-portal Sentinel users to the Defender portal. The Azure portal Sentinel blade is no longer the supported experience.
  3. March 31, 2027 — End of Azure portal support. After this date, Sentinel is only available in the Defender portal. Azure-portal-only workflows, dashboards, and automations need to be migrated or rebuilt.

For federal and DIB readers, there is a fourth date worth tracking: the CMMC Final Rule phase-in beginning Phase 1 on November 10, 2025, with increasing requirements over the following 36 months. A FedRAMP-High-Authorized Sentinel-based MDR — like Quzara Cybertorch™ — gives prime contractors and subcontractors a way to inherit the SC, SI, AU, and IR control families instead of building them from scratch.

Pre-Install Planning: Licensing, Permissions, and Workspace Design

A clean Sentinel install starts before you click Create. Microsoft’s prerequisites for deployment are explicit, and the design decisions you lock in here are hard to reverse later.

Licensing and subscription requirements

  • Azure subscription with a payment method. Microsoft Sentinel is a paid service; pricing is tier-based (pay-as-you-go or commitment tiers) on top of Log Analytics ingestion costs. Legacy Log Analytics pricing tiers are not supported.
  • Microsoft Entra ID tenant for identity. Federal customers using GCC High must use Microsoft Entra ID for Government.
  • Permissions to deploy: Contributor on the subscription that will host the Sentinel workspace. To install or manage content hub solutions, you’ll also need the Microsoft Sentinel Contributor role on the resource group.
  • Permissions to be auto-onboarded to the Defender portal: Subscription Owner or User Access Administrator, and not an Azure Lighthouse-delegated user.

RBAC design (do this once, do it right)

Microsoft’s guidance is to assign roles at the resource-group level for least-privileged access, and to use custom roles where you need finer separation. For Defender-portal Sentinel, role assignments increasingly flow through Microsoft Defender XDR Unified RBAC — including data lake permissions, which were brought under Unified RBAC in July 2025.

  • Use a dedicated resource group for the Log Analytics workspace and all Sentinel-adjacent resources (playbooks, workbooks, Logic Apps).
  • Plan for at least three role tiers: Sentinel Reader (analysts viewing data), Sentinel Responder (incident investigation), and Sentinel Contributor (rule and connector management).
  • For MSSP / multi-tenant scenarios, plan workspaces and Azure Lighthouse delegation carefully — Lighthouse-delegated users are not auto-onboarded to the Defender portal.

Workspace design

Sentinel runs on a Log Analytics workspace, and Microsoft now allows you to onboard unlimited workspaces to the Defender portal (with the caveat that one workspace serves as the primary per tenant). Key design rules:

  • Set retention to at least 90 days in the Analytics tier to use all Sentinel features. The default 30 days will cripple incident timelines.
  • Do not apply a resource lock to the workspace before enabling Sentinel — Microsoft blocks Sentinel enablement on locked workspaces.
  • Do not place the workspace behind a Network Security Perimeter — analytic rules are automatically disabled if you do.
  • Sentinel does not support moving a workspace between resource groups or subscriptions once deployed — choose carefully.

Cloud selection — commercial vs. Azure Government

Where you install Sentinel is as important as how. Microsoft Sentinel runs on Azure (commercial) and Azure Government, with feature parity that has been steadily improving but is not yet identical. The table below summarizes the practical decision:

| Environment | Compliance posture | Use for |
| --- | --- | --- |
| Azure Commercial | SOC 2, ISO 27001, FedRAMP Moderate (for Microsoft 365 / Azure Commercial) | Regulated commercial workloads, mid-market, non-CUI environments |
| Azure Government (GCC) | FedRAMP Moderate-aligned, U.S. data residency | Federal civilian agencies, SLED, contractors not handling CUI/ITAR |
| Azure Government (GCC High) | FedRAMP High, DFARS, ITAR/EAR alignment, CUI | DIB primes and subs handling CUI; CMMC L2 environments |
| Azure Government (DoD) | DoD Impact Level 5 / 6 | DoD agencies and mission partners |

If you are deploying Sentinel for CMMC L2 or DoD IL-4/IL-5 workloads, this decision is the single most consequential one in your install plan. Quzara Cybertorch™ runs natively on Azure Government and operates entirely with U.S.-citizen analysts, which preserves ITAR posture for customers who would otherwise have to engineer it themselves.

Step-by-Step: Install Microsoft Sentinel in the Defender Portal

This is the modern, supported install path. If you are deploying net-new in 2026, do not start in the Azure portal — start here.

Step 1 — Create the Log Analytics workspace

  1. Sign in to the Azure portal and search for Microsoft Sentinel.
  2. Choose Create, then Create a new workspace.
  3. Pick (or create) the dedicated resource group, name the workspace, and select the region. Region choice matters for data residency — GCC High customers must pick a U.S. Gov region.
  4. Confirm the pricing tier is pay-as-you-go or a Sentinel commitment tier. Save.

Step 2 — Add Microsoft Sentinel to the workspace

  1. Return to Microsoft Sentinel in the Azure portal and select Create.
  2. Pick the new workspace and click Add. Default Defender for Cloud workspaces will not appear in the list; this is expected.
  3. If you have Owner or User Access Administrator on the subscription, the workspace is automatically onboarded to the Defender portal at this point. You will see redirect prompts in the Azure portal pointing you to security.microsoft.com.

Step 3 — Onboard to (or jump straight into) the Defender portal

  1. Open security.microsoft.com and sign in.
  2. If your workspace was not auto-onboarded, go to System > Settings > Microsoft Sentinel > Connect a workspace, select your workspace, mark it as the primary workspace, and select Connect.
  3. Confirm the Microsoft Sentinel nodes now appear in the Defender portal navigation pane, and that the Home page shows Sentinel-side metrics (connectors, automation rules).

Microsoft removed the previous cap on how many workspaces you can onboard to the Defender portal. For enterprises and MSSPs, that means you can centralize multitenant SOC operations behind a single Defender portal experience without artificially fragmenting workspaces.

Step 4 — Install your first content hub solution

  1. In the Defender portal, navigate to Microsoft Sentinel > Content management > Content hub.
  2. Install the Azure Activity solution as your smoke-test connector. It’s free to ingest and validates the data path end-to-end.
  3. Open Configuration > Data connectors, find Azure Activity, and run the policy assignment wizard targeting your Sentinel-enabled subscription.

Step 5 — Validate ingestion

  1. In the Defender portal, open Advanced hunting.
  2. Run AzureActivity | take 10 to confirm data is landing.
  3. From the Content hub, open the Azure Activity solution again and enable a baseline analytics rule (the “Suspicious Resource deployment” template is a good first rule because it actually generates events you can trace).

You now have a functional Sentinel deployment in the Defender portal. The next two sections — data lake and agentic Copilot — are where a 2026 Microsoft Sentinel install delivers value beyond a traditional SIEM.
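Steps 1, 2 and 5 above, together with the workspace design rules from the planning section (90-day minimum retention, no resource lock before enabling Sentinel), scripted with Az PowerShell. This is an added example, not code from the guide or from Quzara; the resource group, workspace name, region and retention values are assumptions, and it needs a signed-in Az session with the Az.Resources, Az.OperationalInsights and Az.SecurityInsights modules installed.

```powershell
# Added example (not from the original guide): provision a Sentinel-ready
# Log Analytics workspace while enforcing the guide's design rules.
# Sign in first: Connect-AzAccount (add -Environment AzureUSGovernment for GCC High / DoD).
param(
    [string]$ResourceGroupName = 'rg-sentinel-prod',   # assumed: dedicated RG for Sentinel resources
    [string]$WorkspaceName     = 'law-sentinel-prod',  # assumed workspace name
    [string]$Location          = 'usgovvirginia',      # assumed: U.S. Gov region; use e.g. 'eastus' for commercial
    [int]$RetentionInDays      = 90                    # guide's minimum for the Analytics tier
)

$ErrorActionPreference = 'Stop'

# Confirm we are deploying into the intended subscription and cloud (commercial vs. Government).
$ctx = Get-AzContext
if (-not $ctx) { throw 'No Azure context. Run Connect-AzAccount first.' }
Write-Host "Deploying to subscription '$($ctx.Subscription.Name)' in environment '$($ctx.Environment.Name)'"

# Design rule: retention below 90 days cripples incident timelines.
if ($RetentionInDays -lt 90) {
    throw "RetentionInDays must be at least 90 (got $RetentionInDays)."
}

# Create the dedicated resource group if it does not exist yet.
if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
}

# Design rule: Microsoft blocks Sentinel enablement on locked workspaces.
# Refuse to continue if any lock is scoped to this resource group or its resources.
$locks = Get-AzResourceLock -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
if ($locks) {
    $names = ($locks | ForEach-Object { $_.Name }) -join ', '
    throw "Resource lock(s) present ($names). Remove them before enabling Sentinel, then re-run."
}
# Note: a Network Security Perimeter association is not checked here; verify it manually.

# Step 1: create (or reuse) the workspace. PerGB2018 is the pay-as-you-go SKU;
# legacy Log Analytics pricing tiers are not supported by Sentinel.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $ws) {
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName `
        -Location $Location -Sku 'PerGB2018' -RetentionInDays $RetentionInDays
} elseif ($ws.RetentionInDays -lt $RetentionInDays) {
    # Existing workspace still at the 30-day default: raise it before enabling Sentinel.
    $ws = Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName `
        -RetentionInDays $RetentionInDays
}

# Step 2: enable Microsoft Sentinel on the workspace. The onboarding state resource is
# always named 'default'. Callers with subscription Owner / User Access Administrator are
# then auto-onboarded to the Defender portal; anyone else connects the workspace there (Step 3).
$state = Get-AzSentinelOnboardingState -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName `
    -Name 'default' -ErrorAction SilentlyContinue
if (-not $state) {
    New-AzSentinelOnboardingState -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Name 'default' | Out-Null
    Write-Host "Microsoft Sentinel enabled on workspace '$WorkspaceName'."
}

# Step 5 (run after the Azure Activity connector has been configured in the portal):
# the guide's smoke-test query, executed against the workspace to confirm data is landing.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query 'AzureActivity | take 10'
$rows = @($result.Results).Count
if ($rows -gt 0) {
    Write-Host "Ingestion OK: $rows AzureActivity row(s) returned."
} else {
    Write-Warning 'No AzureActivity rows yet. Check the connector policy assignment and allow time for the first events.'
}
```

Run the script twice if needed: the first run provisions and enables, and a later run after the connector is configured performs the ingestion check without re-creating anything.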

Activate the Microsoft Sentinel Data Lake

The Sentinel data lake is the architectural shift that ends the historical SIEM tradeoff between cost and coverage. Instead of forcing you to pick which logs are worth ingesting at hot-tier prices, Sentinel now mirrors every Analytics-tier ingest into the data lake automatically, in open-format Parquet, and lets you keep that data for up to 12 years.

Why this matters operationally

  • Long-tail threat hunting: SolarWinds-class compromises lived in environments for months. With the data lake, you can hunt across months or years of historical telemetry without ingesting it into the hot tier.
  • FedRAMP and CMMC evidence retention: Audit-quality log retention for AU-11, AU-9, and CM-6 evidence packages without separate archive infrastructure.
  • AI-ready foundation: The lake is the substrate Security Copilot agents and the Sentinel MCP server query against. Without it, you cannot use the new agentic tooling effectively.

Two-tier architecture

| Tier | Designed for | Engines |
| --- | --- | --- |
| Analytics tier | Real-time detection, alerting, incidents, dashboards | KQL, scheduled analytics rules, near-real-time rules |
| Data lake tier | Long-term retention, deep forensics, ML, agentic queries | KQL exploration, Jupyter notebooks (Python), Security Copilot, Sentinel MCP server |

Onboard the data lake

  1. In the Defender portal, navigate to System > Settings > Microsoft Sentinel.
  2. Select Set up data lake and choose the workspace(s) to onboard. Data already in the Analytics tier is mirrored automatically into the lake tier.
  3. Configure table-level retention from Manage data > Tables — you can now manage retention and switch between Analytics and Lake tiers per table directly in the Defender portal.
  4. Assign data lake permissions through Microsoft Defender XDR Unified RBAC. Reader and Operator scopes are sufficient for most analysts.

For Quzara customers, the data lake also unlocks a quieter benefit: it makes long-retention NIST SP 800-53 Rev 5 AU-family evidence cheap to keep. That maps directly to NISTCompliance.AI’s auditor co-pilot, which can pull from that evidence pool when generating SSP and POA&M artifacts.

Bring On the Agents: Security Copilot and the Sentinel MCP Server

The agentic layer is where a 2026 Microsoft Sentinel install separates itself from everything that came before. As of November 18, 2025, Microsoft Security Copilot is included for all Microsoft 365 E5 and E7 customers — no separate license required — and it ships with 12 new Microsoft-built agents and access to 30+ partner-built agents in the Microsoft Security Store.

Embedded Security Copilot inside the Defender portal

When you open an incident in Sentinel in the Defender portal, Security Copilot is embedded directly into the experience. Out of the box it gives you:

  • Automated incident summaries on every incident (configurable to auto-generate based on severity, or on demand).
  • Guided response actions that walk analysts through next steps with context-aware recommendations.
  • Script and file analysis against suspicious artifacts inside the incident view.
  • Incident report generation that consolidates the summary, response actions, and analyst attribution into a shareable artifact.
  • KQL query assistant in Advanced hunting that converts natural language questions into ready-to-run KQL across both Sentinel and Defender XDR tables.

The Microsoft Sentinel MCP server

The Sentinel MCP server is Microsoft’s hosted Model Context Protocol server — a unified, no-infrastructure interface that lets compatible AI clients reason over Sentinel data lake content using natural language. Supported clients include Microsoft Security Copilot, Microsoft Copilot Studio, Microsoft Foundry, Visual Studio Code (with GitHub Copilot agent mode), ChatGPT, and Claude.

The MCP server is organized into scenario-focused tool collections. The ones to know:

| Tool collection | What an agent can do with it |
| --- | --- |
| Data exploration | Search tables, retrieve rows, query the data lake in natural language; no schema knowledge required |
| Entity analyzer | AI-driven risk verdicts for users, URLs, and domains by reasoning over auth patterns, behavior, and threat intel |
| Triage | Fetch incidents, alerts, evidence, and entities; run advanced hunting queries through prompts |
| Agent creation | Build Security Copilot agents in natural language from VS Code; collapses weeks of playbook engineering into hours |
| Custom MCP tools | Save your own KQL queries as deterministic MCP tools so agents can call them like APIs |

Enable Security Copilot and connect Sentinel’s MCP server

  1. Confirm your tenant has Security Copilot capacity. Existing M365 E5/E7 customers as of Nov 18, 2025 are activated in a phased rollout with 7-day advance notice.
  2. Assign Security Copilot roles in https://securitycopilot.microsoft.com. You’ll need at least Copilot owner for one user to perform setup.
  3. Integrate Microsoft Defender XDR with Sentinel (or confirm auto-onboarding) so Copilot can reason across unified incidents.
  4. For agent-building, install Visual Studio Code, enable GitHub Copilot agent mode, and authenticate to the Sentinel MCP endpoints (https://sentinel.microsoft.com/mcp/data-exploration for the data exploration collection).
  5. Assign at least the Security Reader role to any user or service principal that needs to invoke MCP tools. The triage collection respects the caller’s existing permissions.

Practical day-1 use cases for the agentic stack

  • Phishing triage agent — embedded in Defender; auto-classifies user-reported phishing and routes only true-positives to analysts.
  • Identity risk summarization — Entra-side agent gives analysts a one-screen risk view for an account under investigation.
  • Entity enrichment — the MCP entity analyzer collapses what used to be 30 minutes of manual enrichment per entity into a single verdict.
  • Hypothesis-based hunting — analysts describe a hunt hypothesis in plain English to the data-exploration collection; the agent returns the relevant tables, the KQL, and the results.

The takeaway for federal and DIB SOC leaders: an agentic SOC is no longer a vendor pitch deck. It’s an out-of-the-box experience inside the Defender portal you just stood up. The strategic question is not whether to use it — it’s which agents you trust to act, and which you keep in advisory mode.

Build Out Detections, Automation, and Hunting

Analytics rules

Use the Content hub to install solution-packaged rules for every connector you enable. Microsoft’s solution model has matured to the point where rolling your own from scratch is rarely the right starting move — install the solution, enable the templates, and tune from there.

  • Scheduled rules — KQL on a schedule; the workhorse rule type.
  • NRT (near-real-time) rules — single-table, low-latency triggers for high-fidelity detections.
  • Microsoft Security rules — pass-through detections from Defender XDR.
  • Fusion — Microsoft’s built-in multi-stage correlation that produces high-confidence incidents from low-signal alerts across products.

Automation

Sentinel automation rules can trigger playbooks (Azure Logic Apps), assign incidents, change severity, or call agents. Common day-1 automations:

  • Auto-assign incidents by entity (e.g., AD account, host, geography) to specific analyst queues.
  • Auto-comment with enrichment from the MCP entity analyzer.
  • Trigger phishing triage and identity risk agents for the relevant alert types.
  • Push incident updates into Microsoft Teams or ticketing systems.

Threat hunting

Use the Advanced hunting experience for active investigations and the data lake KQL exploration for long-horizon hunts (months or years of historical data). For unstructured hunts, lean on the MCP data-exploration collection so analysts can interrogate the lake without remembering table names. Microsoft has also added AI MITRE ATT&CK tagging recommendations in SOC optimization to suggest tactics and techniques for your existing detections.

Federal and DIB Considerations: GCC High, FedRAMP, CMMC, and DoD IL-4/IL-5

If your install is for a federal agency, DIB contractor, or a FedRAMP cloud service provider, the install path is the same — but the cloud, the connectors, the analysts, and the inheritance story are very different.

Cloud feature parity — what to verify before you commit

Sentinel feature availability varies across Azure Commercial, Azure Government (GCC), Azure Government (GCC High), and Azure Government (DoD). Most core SIEM and SOAR capability is GA across all four, but specific connectors lag. Before you commit to a cloud:

  • Check the Microsoft connector availability matrix for the specific data sources you need. Microsoft Defender XDR, Defender for Endpoint, Defender for Identity, and Office 365 are GA across Azure Government environments; Defender for Cloud Apps direct integration is commercial-only and must be routed through the Defender XDR connector for GCC, GCC High, and DoD.
  • Confirm Security Copilot and Sentinel MCP availability for your tenant — government cloud rollouts for some AI features lag commercial by months.
  • If you are subject to ITAR, plan for a U.S.-citizen-only operations posture from day one.

Inheriting controls with a FedRAMP-High-Authorized MDR

For a prime contractor pursuing CMMC L2, building a Sentinel install in-house solves the tooling problem but leaves you with the staffing, 24/7 monitoring, and continuous-monitoring evidence problem. Quzara Cybertorch™ is a FedRAMP High Authorized, Azure Government-native managed detection and response service that lets your enterprise inherit the relevant SC, SI, AU, IR, and CA control families instead of standing them up yourself. That’s the difference between “we deployed Sentinel” and “we deployed Sentinel and we have an auditable, US-citizen-staffed 24/7 SOC behind it.”

Common Installation Pitfalls (and How to Avoid Them)

  • Starting the install in the Azure portal. The 2026 path is the Defender portal. Start there or you’ll create migration work for yourself before March 2027.
  • Using a default Defender-for-Cloud workspace. Sentinel cannot be installed on these. Create a clean Log Analytics workspace.
  • Leaving retention at the 30-day default. Bump to 90 days minimum on the Analytics tier, and configure long-term retention on the data lake tier per table.
  • Placing the workspace behind a network security perimeter. This silently disables analytics rules.
  • Skipping the data lake. You can run Sentinel without it, but you forfeit the agentic tooling, the long-retention story, and the cost optimization. Onboard it during initial setup.
  • Ignoring Unified RBAC. If you’re still using global Entra ID roles for everything in 2026, you’ll over-permission analysts and fail evidence collection for AC-2, AC-3, and AC-6.
  • Standing up Copilot agents in production without a review loop. Start agents in advisory mode, validate their outputs, then escalate to autonomous actions.

Where Quzara Cybertorch™ Picks Up From Here

A clean Microsoft Sentinel installation is necessary but not sufficient for federal and DIB security operations. You still need 24/7 monitoring, US-citizen analysts, audit-grade evidence collection, FedRAMP and CMMC alignment, and the operational discipline to keep all of it running through audits, contract changes, and threat surges.

Quzara Cybertorch™ is a FedRAMP High Authorized Managed Detection and Response (MDR) and SOC-as-a-Service built natively on Azure Government and Microsoft Sentinel. Cybertorch gives you:

  • 24/7/365 monitoring and triage from a 100% U.S.-citizen analyst team — ITAR-aligned by construction, not policy.
  • FedRAMP High Authorized SOC operations, with inheritable controls for FedRAMP, CMMC L2, FISMA, and DoD IL-4/IL-5 environments.
  • Pre-built Sentinel content — analytics rules, automation playbooks, hunting queries, and Security Copilot agents tuned for federal threat models, including content authored in partnership with SOC Prime.
  • Native support for Microsoft GCC High, GCC, and DoD environments alongside Azure Commercial deployments.
  • Integration with NISTCompliance.AI — Quzara’s AI-powered compliance automation platform that turns Sentinel-side evidence into audit-ready SSP and POA&M artifacts.

If you are installing Sentinel as part of a CMMC L2, FedRAMP, or FISMA effort, the most efficient path is to deploy the platform once with Cybertorch as your MDR layer from day one — so your install plan and your audit plan move forward together.

Frequently Asked Questions

When is the Microsoft Sentinel Azure portal retired?

Microsoft Sentinel in the Azure portal will no longer be supported after March 31, 2027. Starting in July 2026, remaining Azure-portal users will be automatically redirected to the Microsoft Defender portal at security.microsoft.com.

Do I need Microsoft Defender XDR or an E5 license to use Sentinel in the Defender portal?

No. As of 2025, Microsoft Sentinel is generally available in the Defender portal for all customers, with or without Microsoft Defender XDR or an E5 license. You can use Sentinel in the Defender portal even if you aren’t using other Microsoft Defender services.

What is the Microsoft Sentinel data lake, and do I need it?

The Microsoft Sentinel data lake is a fully managed, Parquet-format security data lake that mirrors your Analytics-tier data, supports up to 12 years of retention, and serves as the substrate for Security Copilot agents and the Sentinel MCP server. It’s technically optional, but skipping it forfeits agentic tooling and the long-retention story that compliance frameworks like FedRAMP, FISMA, and CMMC reward.

Is Microsoft Security Copilot included with Microsoft 365 E5?

Yes. Starting November 18, 2025, Microsoft Security Copilot is included for all Microsoft 365 E5 and E7 customers in a phased rollout. The rollout includes 12 new Microsoft-built agents and access to the Microsoft Security Store of partner-built agents.

Can I install Microsoft Sentinel in GCC High or DoD environments?

Yes. Sentinel is available in Azure Government, including GCC, GCC High, and DoD clouds, supporting FedRAMP High, DFARS, ITAR, and DoD Impact Level 4–5 workloads. Connector availability varies by environment — check Microsoft’s feature availability matrix before committing.

What is the Microsoft Sentinel MCP server?

The Microsoft Sentinel MCP server is a hosted Model Context Protocol server that lets AI clients — Security Copilot, Copilot Studio, Foundry, Visual Studio Code, ChatGPT, Claude — interact with Sentinel data lake content using natural language. It exposes scenario-focused tool collections for data exploration, entity analysis, triage, agent creation, and custom KQL-as-tools.

Key Takeaways

  • Microsoft Sentinel is now a SIEM and unified security platform for agentic defense — install for the platform, not just the SIEM.
  • Install in the Defender portal, not the Azure portal. The Azure portal experience retires March 31, 2027.
  • Activate the Sentinel data lake during onboarding. It is the foundation for agentic Copilot and long-retention compliance evidence.
  • Plan for an agentic SOC from day one. Embedded Security Copilot, Sentinel MCP, and the Microsoft Security Store agent catalog change what a junior analyst can accomplish in their first week.
  • For federal and DIB workloads, the cloud choice (Commercial vs. GCC vs. GCC High vs. DoD), the analyst nationality, and the inheritance story behind the SIEM matter as much as the install itself.
  • Pair the platform with a FedRAMP High Authorized MDR like Quzara Cybertorch™ to inherit the controls and the 24/7 operational layer instead of building them from scratch.

Ready to Install Sentinel the Right Way?

Quzara Cybertorch™ deploys Microsoft Sentinel and runs the 24/7 SOC behind it for federal agencies, DIB primes and subs, and FedRAMP cloud service providers. We’re a Microsoft Intelligent Security Association (MISA) member, FedRAMP High Authorized, Azure Government-native, and U.S.-citizen staffed — built specifically for the missions that can’t afford to get this wrong.

Schedule a Cybertorch™ briefing to map a Sentinel deployment plan against your CMMC, FedRAMP, or FISMA timeline. For AI-powered NIST, FedRAMP, and CMMC compliance automation that feeds directly off your Sentinel evidence, see NISTCompliance.AI.
