Merge pull request #313843 from EdB-MSFT/updates-2903-01

updates

Author: prmerger-automator[bot]

articles/sentinel/datalake/data-federation-overview.md

@@ -6,7 +6,7 @@ author: EdB-MSFT
 ms.service: microsoft-sentinel
 ms.subservice: sentinel-platform
 ms.topic: concept-article
-ms.date: 03/22/2026
+ms.date: 03/29/2026
 ms.author: edbaynash
 ms.collection: ms-security
 
@@ -22,7 +22,7 @@ Data federation in Microsoft Sentinel enables seamless querying of multiple exte
 Data federation allows you to query external data sources directly from the Microsoft Sentinel data lake using Kusto Query Language (KQL) or Jupyter notebooks using the Microsoft Sentinel Visual Studio Code extension. Instead of ingesting the data into Sentinel, federation creates connections to external data stores, enabling:
 
 - **Unified analytics**: Query federated sources alongside native Microsoft Sentinel data lake tables.
-- **Cost optimization**: Avoid data duplication by querying data where it resides.
+- **Preserve governance and compliance controls**: Maintain data security and compliance by querying data in place without moving it.
 - **Enhanced insights**: Combine security data with business data, logs, or other datasets stored in external systems.
 - **Flexible data access**: Access historical or specialized datasets that complement your security operations.
 
@@ -96,11 +96,6 @@ Combine security event data in Sentinel with context from external sources, such
 - Historical logs stored in ADLS Gen 2
 - Business application data from Microsoft Fabric
 
-### Cost efficiency
-
-- Reduce data ingestion costs by querying data in place
-- Avoid storage duplication across systems
-
 ### Operational flexibility
 
 - Access data across organizational boundaries

articles/sentinel/datalake/data-federation-setup.md

@@ -6,7 +6,7 @@ author: EdB-MSFT
 ms.service: microsoft-sentinel
 ms.subservice: sentinel-platform
 ms.topic: how-to
-ms.date: 03/23/2026
+ms.date: 03/29/2026
 ms.author: edbaynash
 ms.collection: ms-security
 
@@ -136,6 +136,8 @@ Before configuring the Fabric connector instance, you must set up permissions wi
 
 1. Select **Connect** to create the connection instance.
 
+> [!NOTE]
+> The files in your target data source must be in delta parquet format to be read from the Sentinel data lake.
 
 # [Azure Data Lake Storage Gen 2](#tab/adls)
 
@@ -147,8 +149,7 @@ Before creating the connector, prepare your storage account:
 1. Assign the **Storage Blob Data Reader** role to the service principal you created earlier. For more information on granting access through the Azure portal, see [Assign Azure roles using the Azure portal - Azure RBAC](/azure/role-based-access-control/role-assignments-portal).
 
 
-> [!NOTE]
-> The files in your ADLS Gen 2 storage account must be in delta parquet format to be read from the Sentinel data lake.
+
 
 
 1. On the **Data federation** > **Catalog** page, select **Azure Data Lake Storage**.

articles/sentinel/datalake/using-data-federation.md

@@ -6,7 +6,7 @@ author: EdB-MSFT
 ms.service: microsoft-sentinel
 ms.subservice: sentinel-platform
 ms.topic: how-to
-ms.date: 03/22/2026
+ms.date: 03/29/2026
 ms.author: edbaynash
 ms.collection: ms-security
 
@@ -22,7 +22,7 @@ After setting up federated data connectors, you can access your federated tables
 Before you begin, ensure:
 
 - Your tenant must be onboarded to the Sentinel data lake. For more information, see [Onboard to Microsoft Sentinel data lake](./sentinel-lake-onboard-defender.md)
-- You have appropriate permissions to query data in the Sentinel data lake.
+- You have appropriate permissions to query data in the Sentinel data lake. For more information,see [Roles and permissions in the Microsoft Sentinel platform](../roles.md#microsoft-sentinel-data-lake-read-permissions).
 
 ## Understand federated table naming
 
@@ -34,6 +34,8 @@ Federated table names follow the pattern `<tableName>_<connectorInstanceName>`.
 | `sales_data` | `AzureDBX01` | `sales_data_AzureDBX01` |
 | `inventory` | `Fabric01` | `inventory_Fabric01` |
 
+If multiple tables in the connector instance have the same table name, a numerical identifier is appended to the connector instance name, for example `widgets_ADLS01_1` when two tables within the `ADLS01` connector instance are called `widgets`.
+
 Use the federated table name when querying data from the Sentinel data lake.
 
 ## View federated tables in table management
@@ -73,6 +75,9 @@ The KQL queries page in Microsoft Sentinel allows you to query federated tables
 1. Expand the federation type to see your federated tables.
 1. Expand a table to view its columns.
 
+> [!NOTE]
+> Due to query performance optimization in KQL, it can take up to 15 minutes for new data in a federated table to become available for query.
+
 :::image type="content" source="./media/using-data-federation/kql-schema-federated.png" alt-text="Screenshot showing the KQL queries schema tab with federated tables expanded." lightbox="./media/using-data-federation/kql-schema-federated.png":::
 
 ### Write and execute queries
@@ -127,6 +132,10 @@ Working with federated tables in Jupyter notebooks follows the same patterns as
 1. **Don't specify a workspace name**: Read operations don't require a workspace specification.
 1. **Read-only access**: Federated tables are read-only; you can't write data back to federated sources.
 
+> [!NOTE]
+> After enabling data federation the first time, it can take up to 24 hours before you see federated tables within Jupyter notebooks.
+
+
 ### Jupyter notebook jobs
 
 You can create scheduled Jupyter notebook jobs that utilize federated tables in the same way that you would create a notebook job for native data lake tables: