How to resolve Sentinel and XDR not connecting properly.

Ryo Suzuki 25 Reputation points
2024-11-23T16:11:42.9666667+00:00

We are currently doing integration testing between Sentinel and XDR.
After onboarding and offboarding the workspace from the XDR side several times, following the steps provided in Microsoft's official documentation, we encountered the following symptoms.

To collect incidents & alerts on XDR, we had installed the Microsoft Defender XDR connector. Now the following message is appearing: "One or more of your workspaces are onboarded to USX.Incidents and alerts configuration is disabled."

It seems no other workspace exists on the same tenant, and we already removed the old workspace data from XDR.

Also, we checked the prerequisites following this article: https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?source=recommendations&tabs=MDE#prerequisites

We also checked and tried this method following these articles:

https://techcommunity.microsoft.com/discussions/microsoftsentinel/defender-streaming-api-is-not-removed-during-offboarding-process-and-cannot-be-d/3618325

https://learn.microsoft.com/en-us/answers/questions/1661212/integrating-microsoft-sentinel-with-microsoft-defe

What should we do?

What's the cause of this symptom? We hope to integrate Sentinel and XDR as USX again!

We have been spending a lot of time trying to fix this for about 50 days.


Accepted answer
  1. Givary-MSFT 34,521 Reputation points Microsoft Employee
    2024-11-26T09:22:41.71+00:00

    @Ryo Suzuki Please capture a browser trace (HAR trace) at the time of the issue.
    Refer to these links for the steps to capture it:

    https://learn.microsoft.com/en-us/azure/azure-portal/capture-browser-trace

    https://www.youtube.com/watch?v=thsPBE0lA5I

    Also, help me with the tenant ID to investigate this further.

    Share these details by email to 'AzCommunity@microsoft.com' with the subject 'Attn: Givary'.

    2 people found this answer helpful.
