What Changed
The Microsoft Sentinel Training Lab now uses only User-Assigned Managed Identity (UAMI) authentication for deploying custom detection rules to Microsoft Defender XDR. The previous choice between UAMI and Service Principal (App Registration) authentication has been removed.
Deployment Impact
The ARM template deployDetectionRules.json has been significantly streamlined:
- Removed conditional deployment logic that supported both UAMI and Service Principal authentication
- Eliminated Service Principal parameters (spnTenantId, spnClientId, spnClientSecret) from the template
- Simplified the Automation Account resource creation to require only UAMI configuration
- Updated rule count reference from 17 to 22 detection rules in lab documentation
User Experience Improvements
Documentation has been restructured with clearer Cloud Shell guidance:
- Consolidated authentication setup from two complex options to a single UAMI workflow
- Added specific Azure portal Cloud Shell instructions with step-by-step PowerShell commands
- Removed Service Principal setup documentation that included manual portal steps and CLI alternatives
- Simplified deployment parameter requirements from multiple auth fields to a single UAMI resource ID
This change reduces deployment complexity while keeping the same Microsoft Graph permission requirement, CustomDetection.ReadWrite.All, for creating custom detection rules in Microsoft Defender XDR.
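Granting the UAMI the Microsoft Graph application permission named above, as an added example written for this summary rather than code from the lab repository. It assumes the Az.ManagedServiceIdentity and Microsoft.Graph modules available in Azure Cloud Shell; the resource group and identity names are placeholders.

```powershell
# Added example (not part of the lab): grant the UAMI the Microsoft Graph
# application permission CustomDetection.ReadWrite.All, then verify what the
# identity holds. Run from Azure Cloud Shell (PowerShell) by an admin who can
# consent to application permissions.
$ResourceGroup = "rg-sentinel-lab"    # placeholder, assumed value
$IdentityName  = "uami-sentinel-lab"  # placeholder, assumed value

# The identity's service principal object ID is PrincipalId (not ClientId).
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $IdentityName

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

# Microsoft Graph's well-known application ID; resolve its service principal
# in this tenant to locate the app role definition.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles | Where-Object {
    $_.Value -eq "CustomDetection.ReadWrite.All" -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $role) { throw "CustomDetection.ReadWrite.All app role not found on Microsoft Graph" }

# Idempotent: assign only if the identity does not already hold this role.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $uami.PrincipalId |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    Write-Host "Already assigned: $($role.Value)"
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $uami.PrincipalId `
        -PrincipalId $uami.PrincipalId -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $($role.Value) to $IdentityName"
}

# Verify: list every Graph app role the identity now holds, so any grant
# broader than CustomDetection.ReadWrite.All is visible and can be removed.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $uami.PrincipalId |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { ($graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```

The final listing should show only CustomDetection.ReadWrite.All for a lab identity; anything else indicates an over-broad grant that the single-permission model does not need.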
Affected Files
Tools/Microsoft-Sentinel-Training-Lab/Artifacts/LinkedTemplates/deployDetectionRules.json
Tools/Microsoft-Sentinel-Training-Lab/Exercises/E03_mitre_attack_coverage.md
Tools/Microsoft-Sentinel-Training-Lab/Exercises/Onboarding.md
Tools/Microsoft-Sentinel-Training-Lab/README.md
(packaging artefacts: mainTemplate.json)