Forum Discussion
Sentinel datalake: private link/private endpoint
Hey munterweger
Short answer: there's no documented private endpoint configuration path specific to the Sentinel data lake, and you're not missing something obvious.
What the data lake actually is under the hood
The Sentinel data lake is fully managed. You don't deploy or maintain the data infrastructure yourself. Microsoft owns the underlying storage layer. That's the core issue with private endpoint questions: you can't attach a private endpoint to something you don't provision in your own subscription.
What you can control for network isolation
The private link story for Sentinel still lives at the Log Analytics workspace and Azure Monitor layer, not the data lake tier directly. Private link in Azure Monitor is a network restriction mechanism that forces traffic to flow only through private connections from a VNet to an Azure Monitor resource. At the workspace level, there's an on/off setting to control whether to accept data ingestion not originating from a private link scope, and a separate setting to control whether to accept log queries not originating from a private link scope.
So if your requirement is private ingestion, you configure AMPLS (Azure Monitor Private Link Scope) on your Log Analytics workspace and DCEs. Data flowing into the analytics tier stays on-network. The data lake tier mirrors that data automatically.
The gap you're hitting
The Sentinel data lake supports RBAC, encryption at rest, and network isolation, but Microsoft's docs don't specify what "network isolation" means at the data lake tier specifically, and there's no wizard step or post-activation configuration in the Defender portal for private endpoints on the lake component itself. That documentation doesn't exist yet, and no community practitioner has published a working configuration for it.
Practical path forward
- Open a Microsoft support ticket and ask explicitly whether the data lake tier supports private endpoint attachment, and if not, what the roadmap looks like.
- If your requirement is private ingestion from on-prem or a VNet, configure AMPLS + DCE on your Log Analytics workspace. That covers the analytics tier, and the data lake mirrors from there.
- If you need network isolation for querying the data lake tier specifically, that's the open question. Flag it to your Microsoft account team.
This is worth posting back here once you get a definitive answer from Microsoft. Several people are hitting the same wall.
Please mark as solution if you find this helpful. It helps others in the community find the solution quickly.
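As an added example, not part of the original post and not Microsoft's own sample, here is what the AMPLS + DCE setup described above looks like as one Bicep deployment: the workspace with both public-access toggles switched to Disabled, a data collection endpoint with public access off, a private link scope in PrivateOnly access mode, both resources attached to the scope, and a private endpoint in a VNet subnet pointing at the scope. The resource names, the resource group scope and the subnetId parameter are assumptions; it covers the analytics tier only, which is all the post says can be controlled today.

```bicep
// Added example (not from the original post). Names and the target subnet are assumptions.
param location string = resourceGroup().location
param workspaceName string = 'law-sentinel'            // assumed name
param amplsName string = 'ampls-sentinel'              // assumed name
param dceName string = 'dce-sentinel'                  // assumed name
param privateEndpointName string = 'pe-ampls-sentinel' // assumed name
param subnetId string                                   // assumed: resource ID of an existing VNet subnet

// Log Analytics workspace. The two publicNetworkAccess* settings are the
// workspace-level on/off switches from the post: 'Enabled' (the default) accepts
// ingestion/queries from the public internet, 'Disabled' accepts only traffic
// arriving through a private link scope that this workspace is attached to.
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    publicNetworkAccessForIngestion: 'Disabled'
    publicNetworkAccessForQuery: 'Disabled'
  }
}

// Data collection endpoint used by agents/ingestion APIs, with public access off
// so it is reachable only through the private endpoint below.
resource dce 'Microsoft.Insights/dataCollectionEndpoints@2022-06-01' = {
  name: dceName
  location: location
  properties: {
    networkAcls: { publicNetworkAccess: 'Disabled' }
  }
}

// Azure Monitor Private Link Scope. PrivateOnly means a VNet connected to this
// scope may only reach Azure Monitor resources that are inside the scope.
resource ampls 'Microsoft.Insights/privateLinkScopes@2021-07-01-preview' = {
  name: amplsName
  location: 'global'
  properties: {
    accessModeSettings: {
      ingestionAccessMode: 'PrivateOnly'
      queryAccessMode: 'PrivateOnly'
    }
  }
}

// Attach the workspace and the DCE to the scope.
resource scopedLaw 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: '${workspaceName}-link'
  properties: { linkedResourceId: law.id }
}

resource scopedDce 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = {
  parent: ampls
  name: '${dceName}-link'
  properties: { linkedResourceId: dce.id }
}

// Private endpoint in the VNet; the group ID for an AMPLS is 'azuremonitor'.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: privateEndpointName
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      {
        name: '${privateEndpointName}-conn'
        properties: {
          privateLinkServiceId: ampls.id
          groupIds: [ 'azuremonitor' ]
        }
      }
    ]
  }
}

output workspaceId string = law.id
output dceId string = dce.id
```

Deploy with `az deployment group create --resource-group <rg> --template-file ampls.bicep --parameters subnetId=<subnet resource ID>`. Two things the template deliberately leaves out, because they depend on your DNS design: the private DNS zones for the Azure Monitor privatelink.* names must be linked to the VNet (usually via a privateDnsZoneGroups child resource on the endpoint), and PrivateOnly query mode will block that VNet from querying any workspace not attached to this scope, so check for other workspaces your VNet clients still need before flipping it. None of this reaches the data lake tier; as the post says, that remains an open question for Microsoft support.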