Forum Discussion
LAW Architecture for Security Center
Hi msmotto,
From an enterprise architecture perspective, I've generally seen organizations standardize on a small number of centralized Log Analytics Workspaces rather than creating one workspace per subscription. Centralizing logs simplifies cross-subscription investigations, enables better correlation for Microsoft Sentinel, reduces operational overhead, and provides more consistent governance through RBAC, retention policies, and cost management.
That said, there are valid reasons to use separate workspaces, for example, regulatory requirements, data residency, business unit isolation, or delegated administration. Regarding sending data to multiple destinations, with the legacy Log Analytics Agent (MMA) there were limitations around multiple workspaces depending on the data type. Today, the recommended approach is to use the Azure Monitor Agent (AMA) together with Data Collection Rules (DCRs), which provides much greater flexibility in controlling what data is collected and where it's sent.
My recommendation would be to design the workspace architecture around operational and governance requirements, not subscription boundaries. In most enterprise environments, fewer well-governed workspaces tend to be easier to manage while still supporting security monitoring, compliance, and centralized analytics.