Following months of working alongside customers, partners and our internal teams, we have now added a dedicated Security Management Group and Subscription to the platform landing zone area of the Azure landing zone (ALZ) conceptual architecture.
At the start of 2025, during the January 2025 ALZ Community Call, we asked everyone for feedback, via discussions 1898 and 1978 on our GitHub repo, on the future of Microsoft Sentinel in the Azure landing zone (ALZ) architecture, because we had been hearing that what ALZ deployed and advised at the time needed changes and additional clarity.
We have since worked with customers, partners, and internal teams to decide what to update in ALZ around Microsoft Sentinel and security tooling, and have updated the ALZ conceptual architecture to reflect this.
What did ALZ advise and deploy before, by default?
Prior to these updates, ALZ advised the following:
- The central Log Analytics Workspace (LAW) in the Management Subscription should:
  - Be used to capture all logs, including security/SIEM logs
  - Also have the Microsoft Sentinel solution (called Security) installed on it
And in the accelerators and tooling, it deployed the following by default:
- The central LAW in the Management Subscription, with the Microsoft Sentinel solution installed
- Microsoft Sentinel with no additional configuration beyond being installed as a solution on the central LAW
What are the changes being made to ALZ from today?
Based on the feedback from the GitHub discussions and on our work with customers, partners and internal teams, we are making the following changes:
- A new dedicated Security Management Group beneath the Platform Management Group
- A new dedicated Security Subscription placed in the new Security Management Group
- Nothing will be deployed into this subscription by ALZ by default. This allows:
  - Customers and partners to deploy and manage Microsoft Sentinel however they wish
  - The 31-day, 10 GB/day Microsoft Sentinel free trial to be started when the customer or partner is ready to use it
- The Microsoft Sentinel solution (called Security) will no longer be deployed on the central LAW in the Management Subscription
  - This allows operational/platform logs to be separated from security logs, as per the considerations documented in Design a Log Analytics workspace architecture (for example, separate access control and retention settings for the SIEM workspace)
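As an added illustration, and not code from the ALZ accelerators (which have not yet been updated for this change), the following Bicep deploys the hierarchy change described above: a Security management group under the Platform management group, with an existing subscription moved into it and nothing deployed inside it. The management group IDs `alz-platform` and `alz-platform-security` and the `securitySubscriptionId` parameter are assumptions; substitute the IDs used by your own deployment.

```bicep
// Added example, not the ALZ accelerator's own code.
// Creates a dedicated Security management group beneath the Platform management
// group and places an existing subscription under it. Nothing is deployed into
// the subscription itself, matching the new ALZ default.
targetScope = 'tenant'

@description('ID (not display name) of the existing Platform management group. Assumed value.')
param platformMgId string = 'alz-platform'

@description('ID for the new Security management group. Assumed value; IDs are tenant-wide and cannot be changed after creation.')
param securityMgId string = 'alz-platform-security'

@description('Subscription ID (GUID) of the dedicated Security subscription to move under the new management group.')
param securitySubscriptionId string

// The new Security management group, parented to the Platform management group.
resource securityMg 'Microsoft.Management/managementGroups@2023-04-01' = {
  name: securityMgId
  properties: {
    displayName: 'Security'
    details: {
      parent: {
        id: tenantResourceId('Microsoft.Management/managementGroups', platformMgId)
      }
    }
  }
}

// Subscription placement is modelled as a child resource of the destination
// management group. The deploying identity needs rights to create management
// groups under the Platform management group and to move the subscription;
// check the Azure management group documentation for the exact permissions.
resource securitySubPlacement 'Microsoft.Management/managementGroups/subscriptions@2023-04-01' = {
  parent: securityMg
  name: securitySubscriptionId
}

// Handy for wiring policy assignments or RBAC to the new scope in later deployments.
output securityManagementGroupId string = securityMg.id
```

Deploy it at tenant scope, for example with `az deployment tenant create --location <region> --template-file security-mg.bicep --parameters securitySubscriptionId=<subscription-guid>`. The Log Analytics workspace and Microsoft Sentinel are intentionally left out so they can be deployed into the Security subscription when you are ready, which also lets you choose when the Sentinel free trial period starts.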
For now, these changes have only been made to the ALZ CAF/MS Learn guidance; the changes to the accelerators and implementation tools will follow over the coming months.
These changes can be seen in the latest ALZ conceptual architecture snippet below.
The full ALZ conceptual architecture can be seen here on MS Learn. You can also download a Visio or PDF copy of all the ALZ diagrams.
What if we have already deployed ALZ?
If you have already deployed ALZ and haven't tailored the default ALZ Management Group hierarchy to create a Security Management Group, you can now review this change and decide whether you'd like to create one and align with it.
While not mandatory, this enhancement to the ALZ architecture is recommended for new customers. The previous approach remains valid; however, feedback from customers, partners, and internal teams indicates that using a dedicated Microsoft Sentinel and Log Analytics Workspace within a separate security-focused Subscription and Management Group is a common real-world practice. To reflect these real-world implementations and feedback, we're evolving the ALZ conceptual architecture accordingly.
Closing
We hope you benefit from this update to the ALZ conceptual architecture. As always, we welcome any feedback via our GitHub Issues.