Two forces dominate the last 30 days. The agentic-SOC build-out keeps
shipping - June added Security Graph tools to the Sentinel MCP server, an Agent Identities
connector, and ASIM schemas for AI-agent telemetry - while the Defender-portal
cutover hardens into concrete, dated action items. The headline retirement moved to
31 Mar 2027, but 1 Jul 2026 is still a live break-glass date for anyone
running UPN-based automation or legacy RBAC.
⚠ dates that break things if ignored
15 Jun 2026passed
Content-as-code API retirement. Older Source Control API versions used by
Sentinel repositories are unsupported. CI/CD tooling that creates or manages repo connections
must move to API version 2025-09-01, 2025-06-01, or 2025-07-01-preview. Existing connections
keep operating.automation
01 Jul 2026imminent
Account-entity naming standardization. Sentinel now resolves Account Name
by precedence, defaulting to the UPN prefix (the part before "@"). Analytics rules, automation
rules, playbooks, workbooks and hunting queries that rely on strict full-UPN matching break
unless updated - this fires regardless of whether you have migrated to Defender yet.
automationueba
01 Jul 2026imminent
Unified RBAC migration. Legacy Sentinel Azure roles do not carry into the
Defender portal. Practitioner guidance flags URBAC migration as mandatory groundwork before
cutover to avoid permission gaps; Workspace Manager deprecation pushes MSSPs toward CI/CD via
GitHub or Azure DevOps.rbacmigration
14 Sep 2026
Legacy Data Collection API deprecation. Azure's legacy Data Collection API
retires - move ingestion to the DCR-based pipeline.ingestion
30 Sep 2026
Containerized SAP connector end of support. Move to the agentless SAP
connector, now GA and billed at the same price; new deployments only offer the agentless
option.connectors
31 Mar 2027
Azure-portal Sentinel retirement (extended). After this date Sentinel runs
exclusively in the Defender portal; Azure-portal users are redirected. Extended from the
original 1 Jul 2026 target after scale-customer feedback. Log Analytics remains the data
backbone.migration
Sentinel MCP · data exploration
Security Graph tools land in the Sentinel MCP server
The data-exploration collection now exposes Microsoft Security Graph tools that let an analyst
start from an alert and walk the exposure path across identities, devices, alerts and signals -
tracing lateral movement, blast radius and configuration gaps in one interactive view. Graph
queries via these tools trigger the graph meter.
relevant to your MCP SOC agentPurpose-built Blast Radius / Path Discovery /
Exposure Perimeter tools are reachable by AI agents over the hosted MCP endpoint, which is the
natural surface for the triage agent you are building on Sentinel.
Data lake · asset connectors
Agent Identities Asset Connector adds AI-agent identity context
A new data-lake connector surfaces the identity behind your AI agents - who owns an agent and
what permissions it holds - so agent activity can be governed alongside human identities rather
than as an opaque service principal.
SIEM · ASIM
ASIM normalization broadens; two new schemas
ASIM widened its coverage so a single analytic rule reaches more sources with less per-source
work, and two new schemas normalize asset inventory and AI agent telemetry into
common form - reducing the schema-specific rule sprawl that makes detection engineering
expensive at scale.
Data lake · Agent 365
Agent 365 connector: monitor and hunt AI-agent activity
The Agent 365 connector (public preview from May) brings AI-agent telemetry into the data lake
as first-class standardized signals, so agent behavior sits next to identity, endpoint and cloud
activity for hunting and investigation.
Threat intelligence · STIX / TAXII
Bi-directional STIX threat-intel export
Sentinel can now export STIX threat-intelligence objects back out to external platforms. If you
ingest TI via the TAXII connector, you can return it to that platform for direct, secure sharing -
removing the custom-playbook plumbing teams built for outbound distribution. TAXII 2.1 platforms
only; available from both the Defender and Azure portals.
UEBA · anomalies
UEBA gains a settings tab, Okta V2, and five GCP detections
UEBA settings now live on their own tab in Sentinel settings. Okta anomaly detections extend to
the newer OktaV2_CL table alongside Okta_CL, and five new GCP Audit Logs anomaly detections cover
unusual logins, privileged actions, resource deployments, secret/KMS access and infrastructure
usage. Analysts can pull all anomalies for a user via Go Hunt in the incident graph.
Migration · enablement
Six-part "Migrate Sentinel to Defender" series + readiness scorer
Microsoft published a six-part blog series framing the move as an architecture decision, not a
portal swap: the strategic shift, incident/data anatomy, detection and automation, the governance
shift across roles and access, a readiness playbook with an adoption-helper scoring tool and cost
guidance, and a look at the AI-first SOC. Analytics rules, playbooks, workbooks, the Log Analytics
workspace and access assignments carry forward.
positioning angleThe "architecture decision, not a portal change" framing
maps cleanly onto platform/GRC-led pitches - the migration touches RBAC, data tiering and
multi-tenant operation, not just UI.
Narrative
"Security reengineered for the AI era"
Microsoft's framing this cycle is a move away from static, rule-based controls and post-breach
response toward platform-led, machine-speed defense - the throughline connecting the MCP server,
Security Graph, the data lake and agentic triage. Treat the outcome metrics that accompany it
(TCO and deployment-speed claims) as vendor figures until validated in your own environment.
Operational signal
Defender correlation reshapes incident volume
Practitioner analysis of the unified portal reports the Defender correlation engine can cut
incident volume substantially (community estimates near 80%) versus separate Sentinel/Defender
queues. That changes SLA math and playbook triggers - worth modeling before cutover rather than
discovering post-migration.
Commercial · pricing
50 GB commitment-tier promo extended to 31 Dec 2026
The Sentinel 50 GB commitment tier promotion was extended from 30 Jun to 31 Dec 2026, with the
promotional rate locked through 31 Mar 2027 - up to ~32% off pay-as-you-go depending on region.
Aimed at SMB and mid-market entry, available via EA, CSP and Direct.