Important Update for Microsoft Sentinel Users: Deprecation of Alert-Triggered Playbooks in Analytics Rules
Saying Goodbye to the “One-Click Wonder” (Before It Ghosts You on March 15, 2026)
If you’re managing security operations with Microsoft Sentinel, you’ve likely received a notification about an upcoming change to how playbooks are triggered by analytics rules. Microsoft has announced the deprecation of the classic method for assigning alert-triggered playbooks directly within analytics rules. This change takes effect on March 15, 2026, and it’s time to prepare your environment to avoid disruptions.
What’s Changing?
Currently, in the “classic experience,” you can assign playbooks that trigger on alerts directly in the analytics rule creation or edit wizard, under the Automated response tab in the Alert automation (classic) section. This legacy feature allows playbooks (built on Azure Logic Apps) to run automatically when an analytics rule generates an alert.
Effective March 15, 2026: The ability to add or assign playbooks this way will be fully deprecated and removed. Existing assignments will stop working after this date.
Existing classic assignments will continue to function with full support until March 15, 2026.
As of June 2023, new playbook assignments via this classic method have already been disabled—you must use the modern approach.
This shift aligns with Microsoft’s push toward centralized and more flexible automation in Sentinel.
Why Migrate Now?
The replacement uses automation rules with the “When an alert is created” trigger. This isn’t just a workaround—it’s an improvement. Benefits include:
Centralized management: Handle all automations (incidents, alerts, tags, tasks) in one place under the Automation blade.
Apply to multiple rules: One automation rule can trigger the same playbook across many analytics rules, reducing configuration overhead.
Execution order control: Define the sequence in which multiple actions or playbooks run.
Health monitoring: Better visibility into automation performance and failures.
Since December 2022, this automation rules approach has been generally available and provides the same core capabilities as the classic method, plus these enhancements.
Good news: No changes to your playbooks themselves are required. Your existing alert-triggered Logic Apps playbooks will work seamlessly when invoked via automation rules.
Required Action: Check and Migrate
Identify Affected Rules:
Navigate to Microsoft Sentinel > Configuration > Analytics.
Review your active analytics rules.
Edit a rule and go to the Automated response tab.
Look for playbooks listed under Alert automation (classic). If any are present, note them—these need migration.
Migrate to Automation Rules:
Follow Microsoft’s official guide: Migrate your Microsoft Sentinel alert-trigger playbooks to automation rules.
For playbooks tied to a single analytics rule: Create the automation rule directly from the analytics rule edit page (convenient shortcut).
For playbooks used across multiple rules: Create a new automation rule from the Automation page.
Set the trigger to When alert is created.
Add conditions (e.g., specific analytics rule names).
Add an action to run your playbook.
After migration, remove the playbook from the classic section in the analytics rule.
Testing your new automation rules in a non-production environment is recommended to ensure they fire correctly.
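The sketch below turns the review notes from the steps above into a migration plan. It is an added example, not Microsoft's tooling or code from the original post. The inventory, rule IDs, playbook names and helper names are constructed placeholders, and the automation rule field names are an assumption modelled on the ARM automation rule resource.

```python
from collections import defaultdict

# Constructed inventory (placeholder IDs): the classic playbooks noted on each
# analytics rule's Automated response tab during the review step.
WF = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
      "rg-soc/providers/Microsoft.Logic/workflows/")
INVENTORY = [
    {"rule_id": "rule-001", "rule_name": "Brute force against VPN",
     "classic_playbooks": [WF + "Notify-SOC"]},
    {"rule_id": "rule-002", "rule_name": "Impossible travel",
     "classic_playbooks": [WF + "Notify-SOC", WF + "Disable-User"]},
    {"rule_id": "rule-003", "rule_name": "Rare process on server",
     "classic_playbooks": []},
]

def draft_rule(playbook_id, rules, order):
    """Draft body: alert-created trigger, analytics-rule condition, playbook action."""
    # Assumption: field names follow the ARM automation rule resource; check
    # them against the API version you deploy with.
    return {
        "displayName": "Alert: run " + playbook_id.rsplit("/", 1)[-1],
        "order": order,
        "triggeringLogic": {
            "isEnabled": True, "triggersOn": "Alerts", "triggersWhen": "Created",
            "conditions": [{"conditionType": "Property", "conditionProperties": {
                "propertyName": "AlertAnalyticRuleIds", "operator": "Contains",
                "propertyValues": [r["rule_id"] for r in rules]}}]},
        "actions": [{"order": 1, "actionType": "RunPlaybook",
                     "actionConfiguration": {"logicAppResourceId": playbook_id}}],
    }

def plan_migration(inventory):
    """Group classic assignments by playbook and choose where to create the rule."""
    by_playbook = defaultdict(list)
    for rule in inventory:
        for pb in dict.fromkeys(rule["classic_playbooks"]):  # de-duplicate
            by_playbook[pb].append(rule)
    plan = []
    for order, (pb, rules) in enumerate(sorted(by_playbook.items()), start=1):
        plan.append({
            "playbook": pb.rsplit("/", 1)[-1],
            "create_from": ("analytics rule edit page" if len(rules) == 1
                            else "Automation page"),
            "remove_classic_from": [r["rule_name"] for r in rules],
            "automation_rule": draft_rule(pb, rules, order),
        })
    return plan

if __name__ == "__main__":
    for item in plan_migration(INVENTORY):
        print(item["playbook"], "->", item["create_from"], item["remove_classic_from"])
```

Each plan entry also lists the analytics rules whose classic assignment has to be removed once the new automation rule is confirmed to fire, so a playbook does not run twice per alert during the overlap.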
Final Thoughts
This deprecation encourages better practices in Sentinel’s SOAR (Security Orchestration, Automation, and Response) capabilities. By migrating early—well before the March 2026 deadline—you’ll gain more robust tools and avoid last-minute issues.
If your organization relies heavily on alert-level automations (especially for rules where incident creation is disabled), prioritize this migration. For most scenarios, Microsoft recommends shifting to incident-triggered playbooks where possible, as incidents aggregate related alerts for more efficient response.
Stay ahead of the curve, and your Sentinel deployments will be more scalable and manageable in the long run.
For the full retirement announcement, see the Azure Updates page.
If you have questions or need help with migration, reach out to your Microsoft account team or the Sentinel community.



