Forum Discussion
Azure Sentinel Pricing Clarification
I have just on-boarded a customer to my tenant and I have used ARM template to get a delegation access of a resource group from my customers tenant.
Customer resource group contains a LogAnalyticsWorkspace which I use in my Azure Sentinel Workspace. since I have delegated access. I am using Azure Sentinel of my tenant to go through the logs.
My question is that if I connect "Azure AD Data Connector" and start ingesting the customer logs into my Azure Sentinel, then would I be charged for log ingestion or will the customer be charged. Also, if there is any additional cost that will be charged from the customer.
I could not locate the correct microsoft azure documentation which covers this scenario. Your help will be much appreciated.
8 Replies
- jjsantannaCopper ContributorHi Rajkamal1960,
I have experience with your problem.
1. With the ARM template, you established the "Azure Light House" between you and your customer tenant. Well, done! From now, everything that your customer connects to their tenant you will be able to access it.
2. Anything (see 3) that is connected to the customer tenant is billed to the customer tenant. Therefore if the Azure AD Data Connector appeared turned on in the customer tenant you already know who will pay the bill. Note that as the ARM template is established you can query the data and create monitoring rules (KQL).
3. At https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/ it is saying that "Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Threat Protection products (Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection) can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics. Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics." Therefore, if it says nothing regarding a connector (for example Azure AD Connector) then it is paid!
I hope I was helpful. - GaryBusheyBronze Contributor
Rajkamal1960 You would not want to ingest the data into your tenant (but you would pay the ingestion charges and your client would pay egress charges if in a different region). Like @Thijs Lecomte said, use Azure Lighthouse to interact with your customers.
This article will get you started:
https://docs.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
- Rajkamal1960Copper Contributor
GaryBushey Thanks for the clarification.
It means that I will be charged if I am working on Azure Sentinel at my tenant on the LogAnanlyticsWorkspace of my client's tenant. As I have already got the delegated access of that resource group of client's workspace. Please let me know if my understanding is correct.
Also it would be much appreciated if you can tell me more about egress charges if in a different region.
Thanks
- GaryBusheyBronze Contributor
Rajkamal1960 *IF* you do not use Azure Lighthouse, and again that is the preferred method, you will be charged for the data coming into your Azure Sentinel instance. With Lighthouse, all the data stays on the client side.
You can go here to see more on egress charges: https://azure.microsoft.com/en-us/pricing/details/bandwidth/
- CliveWatsonFormer Employee
also take a look at module 3 in the training - MSSP
"...A special use case is providing service using Azure Sentinel, for example by an MSSP (Managed Security Service Provider) or by a Global SOC in a large organization. "
- Thijs LecomteBronze ContributorHi
If you are using Lighthouse and configure the AAD Connector for their workspace, you will not be charged.
As long as the data resides in the tenant of the customer