We are currently doing integration testing between Sentinel and XDR.
After onboarding and offboarding the workspace from the XDR side several times, following the steps provided in Microsoft's official documentation, we encountered the following symptoms.
To collect incidents & alerts on XDR, we had installed the Microsoft Defender XDR connector. It now shows the message "One or more of your workspaces are onboarded to USX.Incidents and alerts configuration is disabled."
It seems no other workspace exists on the same tenant, and we have already removed the old workspace data from XDR.
Also, we checked the prerequisites following this article: https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?source=recommendations&tabs=MDE#prerequisites
We also checked and tried the method following these articles, too:
https://techcommunity.microsoft.com/discussions/microsoftsentinel/defender-streaming-api-is-not-removed-during-offboarding-process-and-cannot-be-d/3618325
https://learn.microsoft.com/en-us/answers/questions/1661212/integrating-microsoft-sentinel-with-microsoft-defe
What should we do?
What's the cause of this symptom? We hope to integrate Sentinel and XDR as USX again!
We have been spending a lot of time trying to fix this for about 50 days.