Connect Incidents & Alerts for Microsoft 365 Defender Now in Public Preview

Many of you have been waiting for Microsoft to take the wraps off the ability to connect Microsoft 365 Defender to Azure Sentinel so that the Microsoft 365 Defender Incidents will appear in the incidents queue.

This is also the capability that allows bi-directional syncing between both products, i.e., close an incident in one and the related incident is auto-closed in the other. For full context on what enabling this provides, see: What’s new: Azure Sentinel and Microsoft 365 Defender incident integration – Microsoft Tech Community

To enable it

Open the Microsoft 365 Defender (Preview) Connector in Azure Sentinel, and in the Configuration area click the Connect Incidents & alerts button. Make sure to keep the “Turn off all Microsoft incident creation rules for these products. Recommended.” option. This ensures dupes aren’t generated in the system.

Creating the connection

