
Commit 7fce90b

Merge pull request #311836 from poliveria/poliveria-entity-analyzer-02162026
Update entity analyzer docs and preview limits
2 parents 2aec5a9 + 909f022 commit 7fce90b

3 files changed

Lines changed: 13 additions & 10 deletions

File tree

articles/sentinel/datalake/sentinel-mcp-billing.md

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,8 @@ ms.custom: references_regions
1414

1515
# Understand Microsoft Sentinel MCP server pricing, limits, and availability
1616

17+
> [!IMPORTANT]
18+
> Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
1719
1820
This article provides information on pricing, limits, and availability when setting up and using Microsoft Sentinel's Model Context Protocol (MCP) collection of security tools.
1921
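Review bot: The new `[!IMPORTANT]` prerelease callout sits under the page-wide title but does not say which part of the page is prerelease; the rest of this diff only marks the entity analyzer tool's limits as "in preview", so readers will assume the whole MCP server pricing and availability is prerelease. Suggest naming the feature in the note ("The entity analyzer tool is in preview...") or moving the callout to the entity analyzer section where the preview limits are stated.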

@@ -45,9 +47,10 @@ The following limits are specific to Microsoft Sentinel data lake MCP tools:
4547
| Query window for tools | 800 characters |
4648

4749
### Microsoft Sentinel entity analyzer tool
48-
Each tenant can use the entity analyzer MCP tool up to the following limits:
49-
- 100 total runs an hour
50-
- 250 total runs a day
50+
Each tenant can use the entity analyzer MCP tool up to the following limits while this feature is in preview:
51+
- 250 total runs an hour
52+
- 500 total runs a day
53+
- 10 concurrent runs at a time (based on available service capacity)
5154

5255
### Triage tool
5356
Regular API throttling applies to the tools in the triage tool collection. In addition, tools that call the advanced hunting API are bound by the existing advanced hunting quotas and service limits. [Learn more about advanced hunting quotas and usage parameters](/defender-xdr/advanced-hunting-limits#understand-advanced-hunting-quotas-and-usage-parameters)
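Review bot: The new limits ("250 total runs an hour", "500 total runs a day", "10 concurrent runs at a time (based on available service capacity)") do not say what a caller sees when a limit is hit, which matters for the logic app and automation guidance elsewhere in this PR that tells users to tune parallelism. Suggest adding one sentence on the throttling behaviour (error or queued/delayed run) so callers can back off deliberately, and clarifying whether "based on available service capacity" means the 10-concurrent figure can be lower at times; as written, the concurrency limit reads as non-deterministic.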

articles/sentinel/datalake/sentinel-mcp-data-exploration-tool.md

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,7 @@ Entity analysis tools might require a few minutes to generate results, so there
7575

7676
| Parameters | Required? | Description |
7777
|----------|----------|----------|
78-
| Microsoft Entra object ID or URL| Yes |This parameter takes in the user or URL you want to analyze. |
78+
| Microsoft Entra object ID, User Principal Name (UPN), or URL| Yes |This parameter takes in the user or URL you want to analyze. |
7979
| `startTime`| Yes |This parameter takes in the start time of the analysis window. |
8080
| `endTime`| Yes |This parameter takes in the end time of the analysis window. |
8181
| `workspaceId`| No |This parameter takes in a workspace identifier to limit the search to a single connected Microsoft Sentinel data lake workspace. |
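Review bot: The first table row now accepts a User Principal Name, but its description cell was left as "takes in the user or URL you want to analyze" and the row is still the only one without a code-formatted parameter name like `startTime` or `workspaceId`. Suggest naming the actual parameter in the first column and updating the description to list the accepted identifier forms (object ID, UPN, or URL) so the table stays consistent with the JSON sample in the logic apps doc that the same PR changes.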
@@ -95,18 +95,19 @@ While this tool automatically polls for a few minutes until results are ready, i
9595
9696
#### Additional information
9797
- `analyze_user_entity` supports a maximum time window of seven days to maximize accuracy of the results.
98+
- `analyze_user_entity` only works for users with a Microsoft Entra object ID (cloud users). On-premises Active Directory-only users aren't supported for user analysis.
9899
- `analyze_user_entity` requires the following tables to be present in the data lake to ensure accuracy of the analysis:
99100
- [AlertEvidence](../connect-microsoft-365-defender.md)
100101
- [SigninLogs](../connect-azure-active-directory.md)
101-
- [BehaviorAnalytics](../enable-entity-behavior-analytics.md)
102102
- [CloudAppEvents](../connect-microsoft-365-defender.md)
103103
- [IdentityInfo](/defender-xdr/advanced-hunting-identityinfo-table) (Available only for tenants with Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, or Microsoft Defender for Endpoint P2 licensing)
104104

105105
If you don't have any of these required tables, `analyze_user_entity` generates an error message that lists the tables you didn't onboard, along with links to their corresponding onboarding documentation.
106106

107107
- `analyze_user_entity` works best when the following table is also present in the data lake, but continues to work and assess risk, even if the said table is unavailable:
108108
- [AADNonInteractiveUserSignInLogs](../connect-azure-active-directory.md)
109-
109+
- [BehaviorAnalytics](../enable-entity-behavior-analytics.md)
110+
110111
- `analyze_url_entity` works best when the following tables are present in the data lake, but continues to work and assess risk, even if the said tables are unavailable:
111112
- [EmailUrlInfo](../connect-microsoft-365-defender.md)
112113
- [UrlClickEvents](../connect-microsoft-365-defender.md)
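Review bot: Moving `BehaviorAnalytics` from the required list to the "works best when the following table is also present" list changes behaviour, not just wording: the required-table check described at "generates an error message that lists the tables you didn't onboard" will no longer fire for a missing `BehaviorAnalytics` table, and the analysis proceeds with reduced signal. Please confirm that is intended, and since the optional list now has two entries, change "the following table is also present" and "the said table" to the plural.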
@@ -116,7 +117,7 @@ While this tool automatically polls for a few minutes until results are ready, i
116117

117118
If you don't have any of these tables, `analyze_url_entity` generates a response with a disclaimer that lists the tables you didn't onboard, along with links to their corresponding onboarding documentation.
118119

119-
- Running multiple instances of the entity analyzer at the same time can increase latency for each run. To prevent timeouts, start by running a maximum of five analyses at once and then adjust this number as needed based on how the analyzer runs in your organization.
120+
- Running multiple instances of the entity analyzer at the same time can increase latency for each run. To prevent timeouts and avoid hitting the entity analyzer's [preview thresholds](sentinel-mcp-billing.md#microsoft-sentinel-entity-analyzer-tool-1), start by running a maximum of five analyses at once and then adjust it as needed based on how often the logic app is triggered in your organization.
120121

121122
## Sample prompts
122123
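Review bot: The rewritten bullet ends with "based on how often the logic app is triggered in your organization", but this file documents the MCP data exploration tool, not the logic app connector; the phrase appears to have been copied from the logic apps doc in this same PR and does not apply to an agent calling the tool directly. Suggest "based on how the analyzer performs in your organization" here, and keep the logic-app-specific wording in sentinel-mcp-logic-apps.md. Also confirm that the anchor `sentinel-mcp-billing.md#microsoft-sentinel-entity-analyzer-tool-1` resolves: the `-1` suffix depends on a duplicate heading earlier in the billing doc and will break if that heading is renamed.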

articles/sentinel/datalake/sentinel-mcp-logic-apps.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -85,7 +85,7 @@ To add the entity analyzer tool by using an existing logic app:
8585
```
8686
{
8787
"entityType": "User",
88-
"userId": "[Microsoft Entra object ID]"
88+
"userId": "[Microsoft Entra object ID or User Prinicpal Name]"
8989
}
9090
```
9191
You can enter these properties either manually or as dynamic values from previous actions.
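Review bot: Typo in the added JSON sample value: `"[Microsoft Entra object ID or User Prinicpal Name]"` should read "User Principal Name". Since the property is still named `userId` but now accepts a UPN, it would also help to state in the surrounding text which of the two forms the other file in this PR (`sentinel-mcp-data-exploration-tool.md`) means when it says on-premises Active Directory-only users are not supported, so readers do not assume any UPN will resolve.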
@@ -103,11 +103,10 @@ Every logic app connector requires an authentication connection. This new action
103103
104104
Running multiple instances of the entity analyzer at the same time can increase latency for each run. This issue is especially important when you use a **For each** loop in your entity analyzer logic apps, because it can queue multiple analyses at once (for example, multiple users in an incident, multiple incidents triggered at once).
105105
106-
To prevent timeouts from too many analyses running at once, turn on the **Concurrency control** in the **For each** action. Start by setting the **Degree of parallelism** to `5` and then adjust it as needed based on how the analyzer runs in your organization.
106+
To prevent timeouts from too many analyses running at once and to avoid hitting the entity analyzer's [preview thresholds](sentinel-mcp-billing.md#microsoft-sentinel-entity-analyzer-tool-1), turn on the **Concurrency control** in the **For each** action. Start by setting the **Degree of parallelism** to `5` and then adjust it as needed based on how often the logic app is triggered in your organization.
107107
108108
:::image type="content" source="media/sentinel-mcp/logic-app-concurrency.png" alt-text="Screenshot of the logic app loop settings." lightbox="media/sentinel-mcp/logic-app-concurrency.png":::
109109
110-
111110
For more information about loops, see [Add loops to repeat actions in workflows for Azure Logic Apps](../../logic-apps/logic-apps-control-flow-loops.md).
112111
113112
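Review bot: The guidance to start with a **Degree of parallelism** of `5` should be tied to the per-tenant figures this PR adds to the billing doc ("10 concurrent runs at a time", "250 total runs an hour"): those limits are tenant-wide, so two logic apps each running five parallel analyses, or a loop over several incidents triggered at once, already reach the concurrency ceiling. Suggest saying explicitly that the parallelism setting must be budgeted across all logic apps and other MCP callers in the tenant, not per workflow, and adding the same note about the `-1` anchor suffix as in the data exploration doc.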
