Azure sentinel and Azure defender sharing the same workspace, this is a good practice or a bad practice. In the training I did, everything was separate, but I came across this scenario where I work, and I'm wanting to separate, but I need arguments for that.
I prefer one, mainly so all correlation happens in a single workspace and I have less resources to manage (RBAC, retention, Archive etc...). Also for cost, one workspace with more data will get you to a Capacity Reservation tier quicker (e.g. 2 workspaces at 50GB, will be PAYG, 1 workspace at 100GB using 100GB reservation will be 50% cheaper).