Work with incidents in many workspaces at once

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

To take full advantage of Microsoft Sentinel’s capabilities, Microsoft recommends using a single-workspace environment. However, some use cases require several workspaces, and in some cases (for example, a Managed Security Service Provider (MSSP) and its customers) those workspaces span multiple tenants. Multiple workspace view lets you see and work with security incidents across several workspaces at the same time, even across tenants, allowing you to maintain full visibility and control of your organization’s security responsiveness.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

Entering multiple workspace view

When you open Microsoft Sentinel, you are presented with a list of all the workspaces to which you have access rights, across all selected tenants and subscriptions. To the left of each workspace name is a checkbox. Selecting the name of a single workspace will bring you into that workspace. To choose multiple workspaces, select all the corresponding checkboxes, and then select the View incidents button at the top of the page.

Important

Multiple Workspace View now supports a maximum of 100 concurrently displayed workspaces.

Note that in the list of workspaces, you can see the directory, subscription, location, and resource group associated with each workspace. The directory corresponds to the tenant.

Screenshot of selecting multiple workspaces.

Working with incidents

Multiple workspace view is currently available only for incidents. This page looks and functions in most ways like the regular Incidents page, with the following important differences:

Screenshot of viewing incidents across multiple workspaces.

  • The counters at the top of the page - Open incidents, New incidents, Active incidents, etc. - show the numbers for all of the selected workspaces collectively.

  • You'll see incidents from all of the selected workspaces and directories (tenants) in a single unified list. You can filter the list by workspace and directory, in addition to the filters from the regular Incidents screen.

  • You'll need to have read and write permissions on all the workspaces from which you've selected incidents. If you have only read permissions on some workspaces, you'll see warning messages if you select incidents in those workspaces. You won't be able to modify those incidents or any others you've selected together with those (even if you do have permissions for the others).

  • If you choose a single incident and click View full details or Actions > Investigate, you will from then on be in the data context of that incident's workspace and no others.

Next steps

In this article, you learned how to view and work with incidents in multiple Microsoft Sentinel workspaces concurrently.