Microsoft Sentinel does not appear in the Microsoft Defender Portal

Question

Microsoft Sentinel does not appear in the Microsoft Defender Portal

Ravi Patel 0

Microsoft Sentinel does not appear in the Microsoft Defender portal. The user has Global Administrator permissions as well as the Microsoft Sentinel Contributor role on the workspace. However, when logging into the Defender portal, the Sentinel option is missing.

Additionally, when attempting to access any other option in the Defender portal, an error message appears: "Hang on! We're preparing new spaces for your data and connecting them."

Please refer to the attached screenshots for details.

Defender Dashboard

Defender Error

Monalisha Jena 4,070 Reputation points Microsoft External Staff Moderator

2025-11-27T08:54:25.5+00:00
Hello Ravi Patel,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I will try to clarify your doubt and will suggest you some workarounds.

So, the issue is likely not due to the user's explicit Azure RBAC roles (Global Administrator and Microsoft Sentinel Contributor) but rather a tenant-level provisioning state or a missing initial connection step.

Will suggest you some solutions as:

The solution focuses on verifying the connection and, if the error persists, addressing the stuck provisioning state.

The primary solution involves connecting the Microsoft Sentinel workspace to the Microsoft Defender portal and, if the "Hang on!" error persists, allowing more time for the provisioning process.

Wait for Provisioning to Complete: The "Hang on! We're preparing new spaces for your data and connecting them" error is the primary block. If this is a new tenant or the first time a user with the required permissions is accessing the unified portal, they should wait up to 24 hours for the backend data spaces to fully provision.

Manually Connect the Sentinel Workspace:

Once the "Hang on!" error is gone and the rest of the portal is accessible, an administrator with the required permissions must manually onboard the Sentinel workspace to the Defender portal.

Navigate to: Microsoft Defender portal > Settings (System) > Microsoft Sentinel (under Cloud Apps/Security Services) > Connect a workspace.

Select the relevant Log Analytics Workspace and confirm the connection.

Verify Licensing: Confirm that the organization has the necessary license for Microsoft Sentinel (pay-as-you-go or commitment tier) and, ideally, a license for a core Microsoft Defender XDR service, which acts as the foundation for the unified experience.

Please do refer:

https://learn.microsoft.com/en-us/unified-secops/microsoft-sentinel-onboard

https://learn.microsoft.com/en-us/defender-business/mdb-troubleshooting

Hope this helps!

If you need more info, feel free to ask in the comments. Happy to help!

Regards,

Monalisha
Ravi Patel 0 Reputation points

2025-11-27T16:42:23.2+00:00

The Microsoft Defender portal has been displaying the message: "Hang on! We're preparing new spaces for your data and connecting them" for over a week. Is there any way to manually trigger re-provisioning or restart the portal?

1 answer

Your answer

Ravi Patel 0 Reputation points

2025-11-27T16:42:23.2+00:00

The Microsoft Defender portal has been displaying the message: "Hang on! We're preparing new spaces for your data and connecting them" for over a week. Is there any way to manually trigger re-provisioning or restart the portal?

Answer 1

Given that you are a Global Admin and have the correct Sentinel RBAC roles, this is not a permission issue. Pls check if you did the below steps.

1. The "Azure-Side" Force Disconnect

We need to tell the backend to stop trying to provision. You can do this from the Sentinel side, which you can still access.

Log in to the Azure Portal (https://www.google.com/search?q=portal.azure.com).
Navigate to your Microsoft Sentinel workspace.
In the left menu, scroll to Configuration and select Settings.
Select the Settings tab (top middle).
Find Microsoft Defender XDR (formerly Microsoft 365 Defender) in the list.
Check the Status:
- If it says "Connected": Click it and select Disconnect.
- Crucial: Wait at least 15-30 minutes after disconnecting. This allows the "deprovisioning" signals to propagate through the backend graph.
- After waiting, check the Defender portal. The error should be gone (reverted to the old view). You can then try connecting again.
- If it says "Connect" (Not Connected): This confirms the "Zombie" state. The Azure side thinks it's off, but the Defender side thinks it's still "preparing."
- The Fix: Click Connect to force the connection active again. Wait for it to say "Connected." Then, immediately Disconnect it. This "toggle on/toggle off" action often clears the stuck flag in the backend.
2. The "Deep Link" Bypass Attempt

If you can reach the API Explorer, we can sometimes delete the stuck configuration manually.

Try navigating directly to this URL (bypassing the dashboard): https://security.microsoft.com/interoperability/apiexplorer

If this link loads: You have a backdoor. You can use the API Explorer to send a DELETE request to the provisioning endpoint (let me know if you get access, and I can provide the query).
If this link also gives the "Hang on" error: The entire portal access is blocked at the tenant level.

3. Check for "Orphaned" Connectors

If you previously had a different Sentinel workspace connected to this tenant and deleted it without disconnecting Defender first, the Defender portal might be trying to connect to a workspace that no longer exists.

Ensure the workspace you are checking in Step 1 is the only one attempting to connect.

Let me know if this helped you.

Thanks

Share via

Microsoft Sentinel does not appear in the Microsoft Defender Portal

1 answer

1. The "Azure-Side" Force Disconnect

2. The "Deep Link" Bypass Attempt

3. Check for "Orphaned" Connectors

Your answer