Forum Discussion
Rajkamal1960
Jun 01, 2020Copper Contributor
Azure Sentinel Pricing Clarification
I have just on-boarded a customer to my tenant and I have used ARM template to get a delegation access of a resource group from my customers tenant. Customer resource group contains a LogAnalytic...
jjsantanna
Jun 03, 2020Brass Contributor
Hi Rajkamal1960,
I have experience with your problem.
1. With the ARM template, you established the "Azure Light House" between you and your customer tenant. Well, done! From now, everything that your customer connects to their tenant you will be able to access it.
2. Anything (see 3) that is connected to the customer tenant is billed to the customer tenant. Therefore if the Azure AD Data Connector appeared turned on in the customer tenant you already know who will pay the bill. Note that as the ARM template is established you can query the data and create monitoring rules (KQL).
3. At https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/ it is saying that "Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Threat Protection products (Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection) can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics. Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics." Therefore, if it says nothing regarding a connector (for example Azure AD Connector) then it is paid!
I hope I was helpful.
I have experience with your problem.
1. With the ARM template, you established the "Azure Light House" between you and your customer tenant. Well, done! From now, everything that your customer connects to their tenant you will be able to access it.
2. Anything (see 3) that is connected to the customer tenant is billed to the customer tenant. Therefore if the Azure AD Data Connector appeared turned on in the customer tenant you already know who will pay the bill. Note that as the ARM template is established you can query the data and create monitoring rules (KQL).
3. At https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/ it is saying that "Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Threat Protection products (Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, Azure Information Protection) can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics. Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics." Therefore, if it says nothing regarding a connector (for example Azure AD Connector) then it is paid!
I hope I was helpful.