Unable to connect Microsoft Sentinel workspace to Defender portal as Primary workspace

Question

Unable to connect Microsoft Sentinel workspace to Defender portal as Primary workspace

נדב שלום 0

Hello,

We are unable to connect a Microsoft Sentinel workspace to the Microsoft Defender portal and set it as the Primary workspace.

Error shown in Microsoft Defender portal:

"Failed to connect primary workspace"

"Couldn't connect <workspace-name>. A connected primary is required."

This does not appear to be a permissions issue or a Data Connector issue.

Environment:

Microsoft Sentinel workspace exists and is active.
The workspace appears in Azure Portal and Microsoft Sentinel.
The Microsoft Sentinel solution is provisioned successfully: SecurityInsights(<workspace-name>), provisioningState: Succeeded.
The Azure subscription is Enabled.
The user performing the action is Subscription Owner and Global Administrator.
Required Azure Resource Providers are Registered:
- Microsoft.SecurityInsights
- Microsoft.OperationalInsights
- Microsoft.Security
- Microsoft.Insights
- Microsoft.AlertsManagement

What we already tried:

Verified the correct tenant and subscription.
Verified the user has Owner permissions on the subscription.
Verified Microsoft Sentinel solution provisioning state is Succeeded.
Verified all required resource providers are Registered.
Tried connecting the workspace from Microsoft Defender portal: System > Settings > Microsoft Sentinel > Workspaces.
Tried using an InPrivate browser session.

Additional symptom:

In Azure Portal, when opening Microsoft Sentinel > Content hub, the page says that it was moved to Defender portal and asks to connect the workspace to the Defender portal.

I still cannot connect the workspace as primary to the Microsoft Defender

Thank you.

Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-18T07:13:46.1433333+00:00
Hey נדב, it sounds like you’ve ticked all the boxes on the Sentinel side but are still getting “Failed to connect primary workspace.” In most cases this comes down to how you’re onboarding in the Defender portal and making sure you’ve got all of the Defender-specific roles.

Here’s what to check and try:

Use the Defender portal (not the Azure portal) • Go to https://security.microsoft.com/ → System > Settings > Microsoft Sentinel > Workspaces • Click Connect a workspace, select yours, then Next → choose Set as primary → Confirm and proceed

Verify you meet the exact Defender-portal prerequisites • You need a Security Administrator (or higher) in Entra ID • You also need Owner (or User Access Administrator) in your subscription/resource group/workspace • AND you must have the Microsoft Sentinel Contributor role assigned on that workspace (this is often missed)

Double-check licensing & region • Your workspace must be a valid Sentinel workspace (Sentinel solution provisioningState = Succeeded) • Make sure it’s in a supported region and has the correct Log Analytics encryption settings

Try again in a fresh browser session (or InPrivate) after assigning the Sentinel Contributor role

Reference docs:

Onboard Sentinel to the Defender portal (including “Set as primary” steps) https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal

Prerequisites for connecting/changing primary workspace https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal#prerequisites

Transition your Sentinel environment to the Defender portal https://learn.microsoft.com/azure/sentinel/move-to-defender
נדב שלום 0 Reputation points

2026-05-18T07:37:25.99+00:00

Hi Shubham Sharma.

I upload a screenshot with the error message.

Isn't it dangerous to share tennet id/subscription ID on a public chat?
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-18T09:14:53.02+00:00
נדב שלום

Thank you for the screenshot. Yes, do not share tenant id/subscription ID right now.

Did you check the below steps: -

Use the Defender portal (not the Azure portal) • Go to https://security.microsoft.com/ → System > Settings > Microsoft Sentinel > Workspaces • Click Connect a workspace, select yours, then Next → choose Set as primary → Confirm and proceed

Verify you meet the exact Defender-portal prerequisites • You need a Security Administrator (or higher) in Entra ID • You also need Owner (or User Access Administrator) in your subscription/resource group/workspace • AND you must have the Microsoft Sentinel Contributor role assigned on that workspace (this is often missed)

Double-check licensing & region • Your workspace must be a valid Sentinel workspace (Sentinel solution provisioningState = Succeeded) • Make sure it’s in a supported region and has the correct Log Analytics encryption settings

Try again in a fresh browser session (or InPrivate) after assigning the Sentinel Contributor role

Reference docs:

Onboard Sentinel to the Defender portal (including “Set as primary” steps) https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal

Prerequisites for connecting/changing primary workspace https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal#prerequisites

Transition your Sentinel environment to the Defender portal https://learn.microsoft.com/azure/sentinel/move-to-defender
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-19T05:24:53.6+00:00

נדב שלום

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
נדב שלום 0 Reputation points

2026-05-19T05:48:13.8233333+00:00
Shubham Sharma

I did check those before.

as i sent it before, you could see that i'm in the right page.

I'm an org admin/owner on the subscription.

i have E3 license and the region is correct.

i did try that and still got the same result.

still waiting for your help on the subject.

you can contact me diractly via mail to see more Confidential information
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-19T08:04:31.4266667+00:00

נדב שלום

Thank you for your reply.

Below is the root cause: -

The Defender portal maintains a backend association (binding) between Sentinel workspace ↔ Defender XDR.

Even if the environment looks clean (1 workspace, correct RBAC), a stale or incomplete backend binding can block onboarding.

This typically results in:

"Failed to connect primary workspace" / "A connected primary is required"

Microsoft documentation confirms:

Defender portal expects one active primary workspace binding per tenant

https://learn.microsoft.com/en-us/azure/sentinel/workspaces-defender-portal

Onboarding is controlled by Defender-side integration state—not just Azure resources

https://learn.microsoft.com/en-us/unified-secops/microsoft-sentinel-onboard

There is:

No public API/PowerShell/CLI to reset Sentinel–Defender binding

No documented command to “clear” primary workspace state

Below are the resolution steps: -

1. Validate Defender XDR Integration Prerequisite

Even if roles are correct, verify:

Microsoft Defender XDR connector is installed

Go to:

Azure Portal → Sentinel → Content Hub

Search and ensure installed:

Microsoft Defender XDR

Missing this can cause connection failure

https://windowstechpro.com/couldnt-connect-to-the-workspace-3/

2. Check for Hidden / Stale Workspace Binding

Symptoms that match:

Only one workspace exists

RBAC correct

Still cannot set primary

Known cause:

Defender portal still holds old or invalid workspace reference

This can happen due to:

Previous onboarding attempts

Workspace deletion/recreation

Region migration

Partial onboarding failure

3. Validate via Activity Logs

Check:

Azure Portal → Subscription → Activity Log

Filter:

Operation name contains:

Microsoft.Security

Microsoft.OperationalInsights

Microsoft.SecurityInsights

Look for:

Failed role assignments

Null principalId issues
נדב שלום 0 Reputation points

2026-05-20T05:14:57.5633333+00:00
Shubham Sharma

Thank you for the detailed explanation.

We completed the validations you suggested, and the issue still persists.

Our goal:

We are trying to connect Microsoft Sentinel to the Microsoft Defender portal in order to use Unified SecOps / SOC capabilities for the organization.

Current issue:

When trying to connect the Microsoft Sentinel workspace to Microsoft Defender portal and set it as the Primary workspace, the Defender portal fails with:

"Failed to connect primary workspace"

"Couldn't connect <workspace-name>. A connected primary is required."

This happens from:

Microsoft Defender portal > System > Settings > Microsoft Sentinel > Workspaces

Validation completed:

Microsoft Sentinel is enabled on the Log Analytics workspace

We confirmed that the Microsoft Sentinel solution exists and provisioning completed successfully.

Command result:

SecurityInsights(<workspace-name>) <resource-group> israelcentral Succeeded

Only one Sentinel-enabled workspace exists

We confirmed there is only one Microsoft Sentinel-enabled workspace in the environment.

Command result:

SecurityInsights(<workspace-name>) <resource-group> israelcentral

Subscription and tenant context are correct

We verified the correct subscription and tenant are selected using Azure CLI.

The subscription is Enabled.

Required Azure Resource Providers are registered

All of the following providers are registered:

Microsoft.SecurityInsights

Microsoft.OperationalInsights

Microsoft.Security

Microsoft.Insights

Microsoft.AlertsManagement

Permissions were verified

The user performing the action has:

Subscription Owner

Global Administrator

Microsoft Sentinel Contributor explicitly assigned at the Log Analytics workspace scope

The Microsoft Sentinel Contributor role assignment was created successfully at the workspace scope.

Microsoft Defender XDR solution / connector validation

We validated the Microsoft Defender XDR solution in Microsoft Sentinel Content Hub.

The Microsoft Defender XDR solution is Installed.

Inside the Microsoft Defender XDR solution details:

Status: Connected

Connector: Microsoft Defender XDR

Connector is marked as In use

Content version: 1.0.0

The only field showing empty is:

Last Log Received: "--"

But the connector status itself is Connected.

Azure Activity Log validation

We checked Azure Activity Log for failed operations in the resource group during the last 24 hours.

Command used:

az monitor activity-log list \

--resource-group "<resource-group>" \

--offset 24h \

--status Failed \

--query "[].{Time:eventTimestamp, Operation:operationName.value, Status:status.value, Caller:caller, SubStatus:subStatus.value, Resource:resourceId}" \

-o table

Result:

No failed events were returned.

This suggests the failure is not being logged as a standard Azure ARM / resource group failure.

Summary of confirmed state:

Only one Sentinel-enabled workspace exists.

Microsoft Sentinel solution provisioningState is Succeeded.

Required Azure Resource Providers are Registered.

Subscription is Enabled.

The user is Subscription Owner.

The user is Global Administrator.

The user has Microsoft Sentinel Contributor directly on the workspace.

Microsoft Defender XDR solution is Installed.

Microsoft Defender XDR connector is Connected / In use.

Azure Activity Log does not show failed operations in the workspace resource group.

Despite all of the above, the Defender portal still fails when trying to connect/set the Sentinel workspace as Primary.

Based on your explanation, this now strongly looks like a stale or incomplete Defender portal / Unified SecOps backend binding between Microsoft Sentinel and Microsoft Defender XDR.

Questions:

Is there any Microsoft-side backend reset available for the Sentinel-to-Defender Primary workspace binding?

Is there any diagnostic endpoint, API, PowerShell command, or CLI command that can expose the current Defender-side onboarding/binding state?

Since there are no failed Azure Activity Log entries, where can we find the backend error generated by the Defender portal during the Primary workspace connection attempt?

Can this stale/incomplete binding be cleared without opening a paid Microsoft support ticket?

Thank you.
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-20T07:47:28.57+00:00

נדב שלום

Thank you for your reply.

We are checking and we will get back to you shortly.
Raja Pothuraju 47,595 Reputation points Microsoft Employee Moderator

2026-05-20T20:27:58.5133333+00:00
@נדב שלום, Please share below details over private message.

Tenant ID

Subscription ID

Log Analytics Workspace ID and Resource ID

Affected account email address

A screenshot of owner permission assigned on affected subscription

Contact email address.

2 answers

Your answer

Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-18T07:13:46.1433333+00:00

Hey נדב, it sounds like you’ve ticked all the boxes on the Sentinel side but are still getting “Failed to connect primary workspace.” In most cases this comes down to how you’re onboarding in the Defender portal and making sure you’ve got all of the Defender-specific roles.

Here’s what to check and try:

Use the Defender portal (not the Azure portal) • Go to https://security.microsoft.com/ → System > Settings > Microsoft Sentinel > Workspaces • Click Connect a workspace, select yours, then Next → choose Set as primary → Confirm and proceed

Verify you meet the exact Defender-portal prerequisites • You need a Security Administrator (or higher) in Entra ID • You also need Owner (or User Access Administrator) in your subscription/resource group/workspace • AND you must have the Microsoft Sentinel Contributor role assigned on that workspace (this is often missed)

Double-check licensing & region • Your workspace must be a valid Sentinel workspace (Sentinel solution provisioningState = Succeeded) • Make sure it’s in a supported region and has the correct Log Analytics encryption settings

Try again in a fresh browser session (or InPrivate) after assigning the Sentinel Contributor role

Reference docs:

Onboard Sentinel to the Defender portal (including “Set as primary” steps) https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal

Prerequisites for connecting/changing primary workspace https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal#prerequisites

Transition your Sentinel environment to the Defender portal https://learn.microsoft.com/azure/sentinel/move-to-defender
נדב שלום 0 Reputation points

2026-05-18T07:37:25.99+00:00

Hi Shubham Sharma.

I upload a screenshot with the error message.

Isn't it dangerous to share tennet id/subscription ID on a public chat?
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-18T09:14:53.02+00:00

נדב שלום

Thank you for the screenshot. Yes, do not share tenant id/subscription ID right now.

Did you check the below steps: -

Use the Defender portal (not the Azure portal) • Go to https://security.microsoft.com/ → System > Settings > Microsoft Sentinel > Workspaces • Click Connect a workspace, select yours, then Next → choose Set as primary → Confirm and proceed

Verify you meet the exact Defender-portal prerequisites • You need a Security Administrator (or higher) in Entra ID • You also need Owner (or User Access Administrator) in your subscription/resource group/workspace • AND you must have the Microsoft Sentinel Contributor role assigned on that workspace (this is often missed)

Double-check licensing & region • Your workspace must be a valid Sentinel workspace (Sentinel solution provisioningState = Succeeded) • Make sure it’s in a supported region and has the correct Log Analytics encryption settings

Try again in a fresh browser session (or InPrivate) after assigning the Sentinel Contributor role

Reference docs:

Onboard Sentinel to the Defender portal (including “Set as primary” steps) https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal

Prerequisites for connecting/changing primary workspace https://learn.microsoft.com/unified-secops/microsoft-sentinel-onboard?tabs=defender-portal#prerequisites

Transition your Sentinel environment to the Defender portal https://learn.microsoft.com/azure/sentinel/move-to-defender
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-19T05:24:53.6+00:00

נדב שלום

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
נדב שלום 0 Reputation points

2026-05-19T05:48:13.8233333+00:00

Shubham Sharma

I did check those before.

as i sent it before, you could see that i'm in the right page.

I'm an org admin/owner on the subscription.

i have E3 license and the region is correct.

i did try that and still got the same result.

still waiting for your help on the subject.

you can contact me diractly via mail to see more Confidential information
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-20T07:47:28.57+00:00

נדב שלום

Thank you for your reply.

We are checking and we will get back to you shortly.
Raja Pothuraju 47,595 Reputation points Microsoft Employee Moderator

2026-05-20T20:27:58.5133333+00:00

@נדב שלום, Please share below details over private message.

Tenant ID

Subscription ID

Log Analytics Workspace ID and Resource ID

Affected account email address

A screenshot of owner permission assigned on affected subscription

Contact email address.

Answer 1

Update:

We also verified that there is only one Microsoft Sentinel-enabled workspace in the environment.

Command result:

SecurityInsights(<workspace-name>) <resource-group> israelcentral

We also explicitly assigned Microsoft Sentinel Contributor to the same user at the Log Analytics workspace scope.

Current state:

Only one Sentinel-enabled workspace exists.
The Sentinel solution provisioningState is Succeeded.
The subscription is Enabled.
Required Azure Resource Providers are Registered.
The user is Subscription Owner.
The user is Global Administrator.
The user is Microsoft Sentinel Contributor on the workspace.

After RBAC propagation, we will retry from an InPrivate session.

If the same error remains:

"Failed to connect primary workspace"

"Couldn't connect <workspace-name>. A connected primary is required."

then this appears to be a Defender portal / Unified SecOps onboarding state issue, not a permissions or multi-workspace issue.

Is there any way to reset the Sentinel-to-Defender workspace binding from the backend, or any diagnostic command/API that shows the onboarding state?

Answer 2

To connect a Microsoft Sentinel workspace to the Microsoft Defender portal and set it as the primary workspace, the environment must meet the documented prerequisites and role requirements, and the connection must be initiated from the Defender portal.

Based on the described environment and attempts, verify and perform the following in order:

Confirm Sentinel is correctly enabled on the workspace
- Ensure the workspace is a Log Analytics workspace with Microsoft Sentinel enabled (SecurityInsights provisioningState: Succeeded), which is already stated as done.
Verify tenant and workspace model requirements
- The Microsoft Defender portal supports a single Microsoft Entra tenant and a connection to one primary workspace plus multiple secondary workspaces. If there is only one Sentinel-enabled workspace when onboarding, that workspace becomes the primary by default.
- If there is more than one Sentinel-enabled workspace in the tenant, the additional role requirement applies (see step 3).
Verify all required roles for connecting and setting a primary workspace For onboarding and primary workspace operations, the following roles are required simultaneously:
- To onboard Microsoft Sentinel to the Defender portal (connect the first workspace):
  - Owner or User Access Administrator on the subscription, and
  - Microsoft Sentinel Contributor at subscription, resource group, or workspace scope.
  - If the tenant has more than one Sentinel-enabled workspace, the user must also be at least a Security administrator in Microsoft Entra ID.
- To change or set the primary workspace:
  - Security administrator (or higher) in Microsoft Entra ID, and
  - Owner or User Access Administrator on the subscription, and
  - Microsoft Sentinel Contributor at subscription, resource group, or workspace scope.
Ensure that, in addition to being Subscription Owner and Global Administrator, the account has:
- Microsoft Sentinel Contributor on the relevant scope, and
- Security administrator (or higher) in Microsoft Entra ID if there is more than one Sentinel-enabled workspace.
Onboard the workspace from the Defender portal
- In the Microsoft Defender portal (https://security.microsoft.com/):
  1. Go to System > Settings > Microsoft Sentinel > Connect a workspace.
  2. Select the Sentinel-enabled workspace and select Next.
  3. Select the Primary workspace.
  4. Review the product changes and select Connect.
- After successful connection, the Home page in the Defender portal shows Microsoft Sentinel metrics (data connectors, automation rules, etc.).
If a primary workspace already exists
- The error message indicating that “A connected primary is required” can occur when trying to connect or promote another workspace while the portal expects an already connected primary.
- If another workspace is currently primary, change the primary workspace:
  1. In the Defender portal, go to System > Settings > Microsoft Sentinel > Workspaces.
  2. Select the workspace that should become primary.
  3. Select Set as primary.
  4. Review the product changes and select Confirm and proceed.
- When the primary workspace is changed, the Defender XDR connector is automatically connected to the new primary and disconnected from the former one.
If the workspace was previously connected and needs to be reconnected
- If the workspace was connected and then offboarded, reconnect it:
  1. In the Defender portal, go to System > Settings > Microsoft Sentinel.
  2. On the Workspaces page, select the workspace and choose Connect a workspace.
- Note that offboarding a workspace that has the Microsoft Defender XDR connector configured also disconnects that connector; reconnecting restores the integration.
Validate access to Sentinel data once connected
- To query Sentinel data and view incidents in the Defender portal, ensure the account has at least Microsoft Sentinel Reader or a role with the documented read/query actions.
- For advanced hunting across Sentinel and Defender XDR data, ensure the account has Microsoft Sentinel Reader and that the workspace is connected via the “Connect a workspace” option in advanced hunting.

If all role prerequisites (including Microsoft Sentinel Contributor and Security administrator where required) are satisfied and the workspace is onboarded through System > Settings > Microsoft Sentinel > Connect a workspace, the workspace can be set as primary using the documented steps.

References:

Share via

Unable to connect Microsoft Sentinel workspace to Defender portal as Primary workspace

2 answers

Your answer