Forum Discussion

Rajkamal1960's avatar
Rajkamal1960
Copper Contributor
Jun 01, 2020

Azure Sentinel Pricing Clarification

I have just on-boarded a customer to my tenant and I have used ARM template to get a delegation access of a resource group from my customers tenant.

 

Customer resource group contains a LogAnalyticsWorkspace which I use in my Azure Sentinel Workspace. since I have delegated access. I am using Azure Sentinel of my tenant to go through the logs.

 

My question is that if I connect "Azure AD Data Connector" and start ingesting the customer logs into my Azure Sentinel, then would I be charged for log ingestion or will the customer be charged. Also, if there is any additional cost that will be charged from the customer.

 

I could not locate the correct microsoft azure documentation which covers this scenario. Your help will be much appreciated.

8 Replies

  • jjsantanna's avatar
    jjsantanna
    Copper Contributor
    Hi Rajkamal1960,
    I have experience with your problem.

    1. With the ARM template, you established the "Azure Light House" between you and your customer tenant. Well, done! From now, everything that your customer connects to their tenant you will be able to access it.
    2. Anything (see 3) that is connected to the customer tenant is billed to the customer tenant. Therefore if the Azure AD Data Connector appeared turned on in the customer tenant you already know who will pay the bill. Note that as the ARM template is established you can query the data and create monitoring rules (KQL).
    3. At https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/ it is saying that "Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Threat Protection products (Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection) can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics. Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics." Therefore, if it says nothing regarding a connector (for example Azure AD Connector) then it is paid!

    I hope I was helpful.
  • Thijs Lecomte's avatar
    Thijs Lecomte
    Bronze Contributor
    Hi

    If you are using Lighthouse and configure the AAD Connector for their workspace, you will not be charged.
    As long as the data resides in the tenant of the customer

Resources