Microsoft Sentinel | scope: SOC + Security | updated 2026-07-07
Security operations intelligence brief

What changed in Sentinel
this cycle.

window: 07 Jun 202607 Jul 2026  ·  30-day lookback

Two forces dominate the last 30 days. The agentic-SOC build-out keeps shipping - June added Security Graph tools to the Sentinel MCP server, an Agent Identities connector, and ASIM schemas for AI-agent telemetry - while the Defender-portal cutover hardens into concrete, dated action items. The headline retirement moved to 31 Mar 2027, but 1 Jul 2026 is still a live break-glass date for anyone running UPN-based automation or legacy RBAC.

01

Action deadlines on the clock

⚠ dates that break things if ignored
15 Jun 2026passed
Content-as-code API retirement. Older Source Control API versions used by Sentinel repositories are unsupported. CI/CD tooling that creates or manages repo connections must move to API version 2025-09-01, 2025-06-01, or 2025-07-01-preview. Existing connections keep operating.automation
01 Jul 2026imminent
Account-entity naming standardization. Sentinel now resolves Account Name by precedence, defaulting to the UPN prefix (the part before "@"). Analytics rules, automation rules, playbooks, workbooks and hunting queries that rely on strict full-UPN matching break unless updated - this fires regardless of whether you have migrated to Defender yet. automationueba
01 Jul 2026imminent
Unified RBAC migration. Legacy Sentinel Azure roles do not carry into the Defender portal. Practitioner guidance flags URBAC migration as mandatory groundwork before cutover to avoid permission gaps; Workspace Manager deprecation pushes MSSPs toward CI/CD via GitHub or Azure DevOps.rbacmigration
14 Sep 2026
Legacy Data Collection API deprecation. Azure's legacy Data Collection API retires - move ingestion to the DCR-based pipeline.ingestion
30 Sep 2026
Containerized SAP connector end of support. Move to the agentless SAP connector, now GA and billed at the same price; new deployments only offer the agentless option.connectors
31 Mar 2027
Azure-portal Sentinel retirement (extended). After this date Sentinel runs exclusively in the Defender portal; Azure-portal users are redirected. Extended from the original 1 Jul 2026 target after scale-customer feedback. Log Analytics remains the data backbone.migration
02

What shipped in June

all mcp / agents data lake threat intel ueba migration
Sentinel MCP · data exploration

Security Graph tools land in the Sentinel MCP server

The data-exploration collection now exposes Microsoft Security Graph tools that let an analyst start from an alert and walk the exposure path across identities, devices, alerts and signals - tracing lateral movement, blast radius and configuration gaps in one interactive view. Graph queries via these tools trigger the graph meter.

relevant to your MCP SOC agentPurpose-built Blast Radius / Path Discovery / Exposure Perimeter tools are reachable by AI agents over the hosted MCP endpoint, which is the natural surface for the triage agent you are building on Sentinel.
Data lake · asset connectors

Agent Identities Asset Connector adds AI-agent identity context

A new data-lake connector surfaces the identity behind your AI agents - who owns an agent and what permissions it holds - so agent activity can be governed alongside human identities rather than as an opaque service principal.

SIEM · ASIM

ASIM normalization broadens; two new schemas

ASIM widened its coverage so a single analytic rule reaches more sources with less per-source work, and two new schemas normalize asset inventory and AI agent telemetry into common form - reducing the schema-specific rule sprawl that makes detection engineering expensive at scale.

Data lake · Agent 365

Agent 365 connector: monitor and hunt AI-agent activity

The Agent 365 connector (public preview from May) brings AI-agent telemetry into the data lake as first-class standardized signals, so agent behavior sits next to identity, endpoint and cloud activity for hunting and investigation.

Threat intelligence · STIX / TAXII

Bi-directional STIX threat-intel export

Sentinel can now export STIX threat-intelligence objects back out to external platforms. If you ingest TI via the TAXII connector, you can return it to that platform for direct, secure sharing - removing the custom-playbook plumbing teams built for outbound distribution. TAXII 2.1 platforms only; available from both the Defender and Azure portals.

UEBA · anomalies

UEBA gains a settings tab, Okta V2, and five GCP detections

UEBA settings now live on their own tab in Sentinel settings. Okta anomaly detections extend to the newer OktaV2_CL table alongside Okta_CL, and five new GCP Audit Logs anomaly detections cover unusual logins, privileged actions, resource deployments, secret/KMS access and infrastructure usage. Analysts can pull all anomalies for a user via Go Hunt in the incident graph.

Migration · enablement

Six-part "Migrate Sentinel to Defender" series + readiness scorer

Microsoft published a six-part blog series framing the move as an architecture decision, not a portal swap: the strategic shift, incident/data anatomy, detection and automation, the governance shift across roles and access, a readiness playbook with an adoption-helper scoring tool and cost guidance, and a look at the AI-first SOC. Analytics rules, playbooks, workbooks, the Log Analytics workspace and access assignments carry forward.

positioning angleThe "architecture decision, not a portal change" framing maps cleanly onto platform/GRC-led pitches - the migration touches RBAC, data tiering and multi-tenant operation, not just UI.
03

Context & signals

Narrative

"Security reengineered for the AI era"

Microsoft's framing this cycle is a move away from static, rule-based controls and post-breach response toward platform-led, machine-speed defense - the throughline connecting the MCP server, Security Graph, the data lake and agentic triage. Treat the outcome metrics that accompany it (TCO and deployment-speed claims) as vendor figures until validated in your own environment.

Operational signal

Defender correlation reshapes incident volume

Practitioner analysis of the unified portal reports the Defender correlation engine can cut incident volume substantially (community estimates near 80%) versus separate Sentinel/Defender queues. That changes SLA math and playbook triggers - worth modeling before cutover rather than discovering post-migration.

Commercial · pricing

50 GB commitment-tier promo extended to 31 Dec 2026

The Sentinel 50 GB commitment tier promotion was extended from 30 Jun to 31 Dec 2026, with the promotional rate locked through 31 Mar 2027 - up to ~32% off pay-as-you-go depending on region. Aimed at SMB and mid-market entry, available via EA, CSP and Direct.