Re-onboard LogAnalytics to Sentinel, if SecurityInsights solution is deleted by mistake

Critical features will break or stop working if you delete too many of the legacy solutions, such as SecurityInsights, SQLAdvancedThreatProtection or SQLVulnerabilityAssessment.

Background

Azure Automation and Microsoft Monitoring Agent (MMA) are being retired on 31 Aug. 2024.

As part of removing these legacy services, you will need to remove legacy solutions inside Azure LogAnalytics like Updates and Change Tracking.

Note: Please don’t remove all Legacy solutions, as some of them are important for Sentinel and Defender for Cloud:

| Name | Usage |
| --- | --- |
| SQLAdvancedThreatProtection, SQLVulnerabilityAssessment | Used by Microsoft Defender for Cloud for Database Protection |
| SecurityInsights | This solution is important, as it shows that the LogAnalytics workspace has been onboarded to Sentinel. |

If you delete this solution (or have deleted it by mistake), please check the guide below for instructions on how to re-create it.

I deleted the SecurityInsights solution and now I cannot use Microsoft Sentinel – how to fix it?

If you have deleted SecurityInsights, you will lose access to the Microsoft Sentinel portal.

You can re-create access by running the following PowerShell commands:

# Install and load the Az modules (Az.SecurityInsights provides the Sentinel cmdlets)
Install-Module Az
Import-Module Az

Install-Module Az.SecurityInsights
Import-Module Az.SecurityInsights

# Sign in and select the subscription that holds the LogAnalytics workspace
Connect-AzAccount
Set-AzContext -Subscription "<subscription-id for sub with LogAnalytics workspace>"

# Remove the existing onboarding state, then re-create it
Remove-AzSentinelOnboardingState -ResourceGroupName "<rg-name>" -WorkspaceName "<LogAnalytics workspacename>" -Name "default"

New-AzSentinelOnboardingState -ResourceGroupName "<rg-name>" -WorkspaceName "<LogAnalytics workspacename>" -Name "default"

Example

Remove-AzSentinelOnboardingState -ResourceGroupName "rg-logworkspaces" -WorkspaceName "log-platform-management-srvnetworkcloud-p" -Name "default"

New-AzSentinelOnboardingState -ResourceGroupName "rg-logworkspaces" -WorkspaceName "log-platform-management-srvnetworkcloud-p" -Name "default"

Now you will have access after approx. 1 min. You will again see all your incidents, connectors, etc.

If your Sentinel was connected to the Universal XDR portal, you will need to connect it again in the security.microsoft.com portal.
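
The re-onboarding steps above can be wrapped so that the result is verified and a transient failure of New-AzSentinelOnboardingState is retried. This is an added example, not part of the original post: the function name Restore-SentinelOnboarding, its parameters and the retry timings are assumptions, and it relies on Get-AzSentinelOnboardingState from the same Az.SecurityInsights module.

```powershell
# Added example (not from the original post). Run after Connect-AzAccount / Set-AzContext.
# Restore-SentinelOnboarding, $MaxAttempts and $DelaySeconds are hypothetical names and values.
function Restore-SentinelOnboarding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [int] $MaxAttempts  = 5,
        [int] $DelaySeconds = 60   # the post reports access returning after approx. 1 min
    )

    # Parameters shared by the Get/Remove/New onboarding-state cmdlets
    $common = @{
        ResourceGroupName = $ResourceGroupName
        WorkspaceName     = $WorkspaceName
        Name              = 'default'
    }

    # Remove the onboarding state only if one is still registered; stop if removal fails,
    # so that the verification below cannot be satisfied by a leftover object.
    if (Get-AzSentinelOnboardingState @common -ErrorAction SilentlyContinue) {
        Remove-AzSentinelOnboardingState @common -ErrorAction Stop
    }

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            New-AzSentinelOnboardingState @common -ErrorAction Stop | Out-Null
        }
        catch {
            # A failed call may still have been processed by the service,
            # so log the error and let the verification step decide.
            Write-Warning "Attempt $attempt of $MaxAttempts failed: $($_.Exception.Message)"
        }

        Start-Sleep -Seconds $DelaySeconds

        # Verify: the workspace counts as onboarded once the 'default' state can be read back.
        $state = Get-AzSentinelOnboardingState @common -ErrorAction SilentlyContinue
        if ($state) { return $state }
    }

    throw "Workspace '$WorkspaceName' is still not onboarded after $MaxAttempts attempts."
}

# Usage with placeholder values:
# Restore-SentinelOnboarding -ResourceGroupName "<rg-name>" -WorkspaceName "<LogAnalytics workspacename>"
```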

3 thoughts on “Re-onboard LogAnalytics to Sentinel, if SecurityInsights solution is deleted by mistake”

  1. After the last New-AzSentinelOnboardingState command, I get the error

    New-AzSentinelOnboardingState : The gateway did not receive a response from ‘Microsoft.SecurityInsights’ within the specified time period.

    Ideas how to fix this?

    • Same person here. It seems something was wrong on Microsoft’s end, as creating a brand new Sentinel workspace had exactly the same error. The next day, the problem was gone and the last “New-AzSentinelOnboardingState” command executed successfully and the old Sentinel workspace was up and running again.

      Thanks for this guide!
