Sentinel Data Lake – Features unavailable for a specific workspace

Hello QA User

It looks like you’ve onboarded your workspace into the Defender portal data lake (you can see it under Search & Restore), but it isn’t showing up under Data lake exploration > KQL queries because that view only lists workspaces that:

1. Have been fully transitioned to the new Defender-portal experience for Sentinel
2. Have at least one table tiered into the data-lake (or both analytics+lake)
3. Your account holds the required Data Lake RBAC roles

Here’s what to check and how to get your workspace to appear:

1. Confirm full Defender-portal onboarding
   • In the Defender portal: Microsoft Sentinel > Settings > Transition your Sentinel environment to the Defender portal.
   • Make sure your workspace is redirected and set to the new unified experience. If you haven’t done this step, follow “Transition your Microsoft Sentinel environment to the Defender portal.”
2. Verify table tier settings
   • In Defender portal: Microsoft Sentinel > Data lake > Table management & retention
   • Ensure at least one of your connector tables (for example SecurityEvent, AzureActivity, etc.) is set to the data-lake tier (or “both” for analytics+lake).
   • If every table is in analytics-only, the KQL‐queries blade will hide the workspace because there’s nothing in the lake to query.
3. Check your RBAC on the Data Lake endpoint
   • You already have Contributor/Microsoft Sentinel Contributor at subscription scope, but KQL queries also require specific lake roles.
   • Assign the built-in Microsoft Defender XDR Data Lake Reader (or higher) on the Data Lake resource. For authoring queries/jobs, Microsoft Sentinel Data Lake Contributor may be needed.
   • Double-check you also have Log Analytics Data Reader on the workspace itself.
4. Wait for propagation & refresh
   • After toggling tiers or adding roles, it can take up to 30 minutes for the workspace to show up in Data lake exploration > KQL queries.
   • Refresh the browser and you should now see your target workspace in the list.

If after those steps it’s still missing, please let us know and we can dig deeper.

Reference list

• Transition your Microsoft Sentinel environment to the Defender portal https://dori-uw-1.kuma-moon.com/azure/sentinel/move-to-defender
• What is Microsoft Sentinel data lake? https://dori-uw-1.kuma-moon.com/azure/sentinel/datalake/sentinel-lake-overview
• Manage data tiers and retention in Microsoft Defender portal https://aka.ms/manage-data-defender-portal-overview
• KQL and the Microsoft Sentinel data lake (preview) https://dori-uw-1.kuma-moon.com/azure/sentinel/datalake/kql-overview
• Microsoft Defender XDR integration with Microsoft Sentinel https://dori-uw-1.kuma-moon.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=defender-portal

Hello Shubham Sharma,

Thank you for the detailed guidance. I reviewed each of the items you mentioned and here are my findings:

1. Defender-portal onboarding

I could not find “Microsoft Sentinel > Settings > Transition your Sentinel environment to the Defender portal” in the Defender portal. It appears that this workspace is already fully onboarded, which may be why the transition option is not displayed.

2. Table tier settings

I confirmed that the workspace includes tables configured with the Data Lake tier.

3. Data Lake endpoint RBAC

I checked the RBAC settings and found that other Data Lake endpoints that do appear under “KQL queries” also do not have additional Data Lake–specific roles assigned. Based on this, I believe RBAC is not related to the issue.

4. Propagation and refresh

Several days have passed since the configuration changes, so I don’t think this is due to propagation delay.

Additional information:

When reviewing the Log Analytics workspace template in the Azure portal, I noticed that only this workspace is missing the following entries:

"associations": [

"SentinelGraph"

],

"isMsgEnabled": true

I hope this information is helpful. Please let me know if there is anything else I should verify.

QA User

Thank you for your reply. We apologize for a late response.

Your workspace is partially onboarded to the Defender portal data lake.

Specifically:

• Data Lake is enabled (workspace appears under Search & Restore)
• Tables are tiered to Data Lake

Workspace is connected and set as Primary

• Other workspaces behave correctly

The workspace is missing the internal SentinelGraph association

isMsgEnabled = true is not set

This matches your ARM template observation exactly:

"associations"``: [

  ``"SentinelGraph"

]``,

"isMsgEnabled"``: true

``

Workspaces that lack this association are intentionally hidden from:

Defender portal → Data lake exploration → KQL queries

while still being valid for Search & Restore.

This behavior is by design

Why Search & Restore Works but KQL Queries Does Not

Microsoft documents that KQL queries in the Defender portal rely on the unified Sentinel + Defender graph layer, not just raw data lake storage.

Search & Restore operates directly on the lake storage

KQL queries require:

Full Defender‑portal Sentinel onboarding

SentinelGraph registration

Messaging/graph enablement (isMsgEnabled)

Microsoft documentation confirms that Data Lake exploration (KQL) is only available after full onboarding and graph enablement

For your reference: https://dori-uw-1.kuma-moon.com/en-us/azure/sentinel/datalake/kql-queries

Below is the resolution: -

At this time, Microsoft does not support manually adding SentinelGraph or isMsgEnabled to an existing workspace.

Supported fix:

Create a new Log Analytics workspace

Enable Microsoft Sentinel

Onboard Sentinel Data Lake from the Defender portal

Connect it to Defender XDR

Set it as Primary

Configure table tiers

Workspaces created through the current Defender‑portal flow are automatically stamped with:

SentinelGraph

isMsgEnabled = true

https://dori-uw-1.kuma-moon.com/en-us/azure/sentinel/datalake/kql-overview

Let us know the above steps helps

Thanks