Sentinel Foundry - MCP Server (Preview) (Github Community Release)
I’ve been cooking something that a lot of people in SOC have been struggling with — especially on the engineering side of Microsoft Sentinel. Thanks to the Microsoft Security team for shaping the capabilities of Sentinel even better with Sentinel Data Lake & Modern SecOps. Today’s the day I can finally share it. Note: This is not an official Microsoft product, but it is designed to make the Sentinel Build even better (complement) with much more intelligence. 🚀 Sentinel Foundry is now in public preview with 43 tools. (Sentinel Foundry - MCP Server) It’s an MCP server built to act like the brain of a strong Sentinel engineer — helping make building, improving, and operating Sentinel far more practical, faster, and honestly more enjoyable. For a lot of teams, the challenge is not understanding what Sentinel can do. The hard part is the engineering work around it: -> Deciding what data should actually be ingested -> Building a clean, scalable Sentinel foundation -> Writing useful detections instead of noisy ones -> Balancing security value with cost -> Turning ideas into deployable engineering outputs That is exactly why I built Sentinel Foundry to help communities grow stronger. It helps with the real engineering tasks behind Sentinel — from architecture thinking to detection design, deployment planning, ingestion strategy, automation ideas, and many of the workflows outlined in the GitHub project. How does it work? Here’s one of the flagship prompts I ran with it: “Give me a complete security posture report for our workspace. Score each pillar and tell me what to prioritise.” And within seconds, it produced a structured engineering blueprint that would normally take a lot longer to pull together manually. You can see the example prompts here in what it can do: https://github.com/prabhukiranveesam/Sentinel-Foundry#what-can-it-do I want building Sentinel to feel less like repetitive engineering overhead — and more like real security engineering that is fast, creative, and enjoyable. If you work with Sentinel as a SOC L2 analyst, engineer, detection engineer, consultant, or architect, I’d genuinely love for you to try it and tell me what you think. 🔗 Public Preview: https://github.com/prabhukiranveesam/Sentinel-Foundry This is just the start of an AI era — and I’m excited to keep shaping it with more powerful features over the coming days. This is very easy to set up and will be available to all of you at no cost during this month as part of the public preview, and your feedback is extremely valuable to shape this as a powerful solution.
How to control your Azure costs with Governance and Azure Policy
Azure resources can be configured in many ways, including ways which affect their performance, security, reliability, available features and ultimately cost. The challenge is, all these resources and configurations are completely available to us by default. As long as someone has permission, they can create any resource and configuration they like. This implicit “anything goes” gives our technical teams the freedom to decide what’s best. Like a kid in a toy shop, they will naturally favour the biggest, fastest and coolest toys. The immediate risk of course, is building beyond business requirements. Too much SKU, too much resilience, too much performance and too high cost. Left unchecked, and we risk increasingly challenging and long-term issues: Over-delivering will quickly become the norm. Excessive resources configurations will become the habitual default in all environments. Teams will become mis-aligned from wider business requirements. Teams will become used to working in a frictionless environment, and challenge any restrictions. FinOps teams will be stuck in endless cost optimisation work. You may already be feeling the pain. Trapped in a cycle of repetitive, reactive cost optimisation work, seeing the same repeat offenders and looking for a way out. To break (or prevent) the cycle, a new approach is needed. We must switch priorities from detection and removal, to prevention and control. We must keep waste out. We must avoid over-provisioning. We can achieve this with governance. What is governance Governance is a collection of rules, processes and tools that control how an organization consumes IT resources. It ensures our teams deploy resources that align to certain business goals, like security, cost, resource management and compliance. Governance rules are like rules for a boardgame. They define how the game should be played, no matter who is playing the game. This is important. It aligns everyone to our organization's rules regardless of role, position, seniority and authority. It helps ensures people play by the rules rather than their rules. Try playing Monopoly with no rules. What’s going to happen? I will pass go, and I will collect 200 dollars. For Microsoft Azure, and the cloud in general, governance is centered around controlling how resources can and cannot be configured. Storage Accounts should be configured like this. Virtual Machines must be configured like that. Disks can’t be configured with this. It's as much about keeping wrong configurations out, as the right configurations in. When we enforce configurations that meet our goals and restrict those that don’t, we drastically increase our chance of success. Why governance matters for FinOps Almost all over-provisioning and waste can be traced back to how a resource is configured. From SKU, to size, redundancy and additional features, if it’s not needed it’s being wasted. That’s all over-provisioning and waste is; Resources, properties and values that we don’t need. Too much SKU, like Premium Disks Standard HDD/SSD. Too much redundancy, like Storage Accounts with GRS when LRS is fine. Too many features, like App Gateways with WAF but it’s disabled. Have a think for a moment. What over-provisioning have you seen in the past? Was it one or two resource properties causing the problems? Whatever you’ve seen, with governance we can stop it happening again. When we control how resources get configured, we can control over-provisioning and waste, too. We can determine configurations we don’t need through our optimization efforts, and then create rules that define the configurations we do need: “We don’t need Premium SSD disks.” becomes “Disks must be Standard HDD/SSD.” “We don’t need Storage Accounts with GRS.” becomes “Storage Accounts must use LRS.” “We don’t need WAF enabled Application Gateways” becomes “Application Gateways should be Standard SKUs” These rules effectively remove the option to build beyond requirements. They will help teams avoid building too much/too big, stay within their means, hold them a bit more accountable and protect us from future overspend. Detection becomes Prevention. Removal becomes Control. Over time, we will: Help our teams deliver just enough. Raise and improve awareness of over-configurations and waste. Help keep waste out once it’s found. Reduce the chances over-provisioning in future. Steadily reduce the need for ongoing Cost Optimisation efforts. Free up time for other FinOps stuff. This is why governance is a natural evolution from cost optimization, and why it’s critical for FinOps teams who want to be more proactive and spend less time cleaning up after tech teams. How can we natively govern Microsoft Azure? In Microsoft Azure, we can use the native governance service Azure Policy to help control our environments. We can embed our governance rules into Azure itself and have Azure Policy do the heavy lifting of checking, reporting and enforcing. Azure Policy has many useful features: Supports over 74000 resource properties, including all that generate costs. Can audit resources, deny deployments and even auto-resolve resources as they come into Azure. Provides easy reporting of compliance issues, saving time on manual checks. Checks every deployment from every source. From Portal to Terraform, it’s got you covered. Supports different scopes from Resource Groups to Management Groups, allowing policies to be used at any scale. Supports parameters, making policies re-usable and quick to modify when responding to change in requirements. Exemptions can be used on resources we want to ignore for now. Supports different enforcement modes, for safe rollout of new policies. It comes at no additional cost. Free! These features make Azure Policy an extremely flexible and powerful tool that can help control resources, properties and values at any scale. We can: Create Policies for almost any cost-impacting value. SKUs, Redundancy Tiers, Instance Sizes, you name it… Use different effects based on how ‘strict’ the rule should be. For example, we can use Deny (resource creation) for resource missing “Must have” attributes, and Audit to check if resources are still compliant with “Should have” attributes. Use a combination of effects, enforcement modes and exemptions to control the rollout of new policies. Reuse the Policies on multiple environments (like development versus production), with different values and effects depending on the environment's needs. Quickly change the values when needed. When requirements change, the parameters can be modified with little effort. How to avoid unwanted Friction A common concern with governance is that it will create friction, interrupt work and slow teams down. This is a valid concern, and Azure Policy’s features allow for a controlled and safe rollout. With a good plan there is no need to worry. Consider the following: Start with Audit-Only policies and non-production environments. Start with simpler resources and regular/top offenders. Test policies in sandboxes before using them in live environments. Use the ‘Do not Enforce’ mode when first assigning Deny policies. This treats them as Audit-only, allowing review before being enforced. Always parameterize Effects and Values, for quick modification when needed. Use exemptions when there are sensitive resources that are best to ignore for now. Work with your teams and agree to a fair and balanced approach. Governance is for everyone and should include everyone where possible. The biggest challenge of all may be breaking habits formed over years of freedom in the Cloud. It’s natural to resist change, especially when it takes away our freedom. Remember, it’s friction where it’s needed, Interuption where it’s needed, slow down where it’s needed. They key to getting teams onboard is delivering the right message. Why are we doing this? How will they benefit? How does it help them? How could they be impacted if you do nothing? This needs to be more than “To meet our FinOps goals”. That’s your goal, not theirs. They won’t care. Try something like: We keep seeing over-utilization and waste and are spending an additional ‘X amount’ of time and money trying to remove it. This is now impacting our ability invest properly into our IT teams, affecting other departments and impacting our overall growth. If we can get over-spend reduced and under control, we can re-invest where you need it; tooling, people, training and anything else that makes your lives better. We want to implement governance rules and policies that will prevent issues reoccurring. With your insights and support we can achieve this faster, avoid unwanted impact, and can re-invest back into our IT teams once done. Sound good to you?! This is far more compelling and gives them reason to get onboard and help out. How to start your FinOps governance journey Making the jump from workload optimization into governance might initially sound challenging, but it’s actually pretty straightforward. Consider the typical workload optimization cycle: Discover potential misconfiguration, optimization and waste cleanup opportunities. Compare to actual business requirements. Optimize workload to meet those business requirements. A governance practice extends this to the following: Identify potential misconfigurations, optimization and waste cleanup opportunities. Compare to actual business requirements. Optimize workload to meet those business requirements. Create an Azure Policy based on how the resource should have originally been configured, and how it should remain in future. Thats it, one extra step. Most of the hard work has already happened in steps 1-3, in the workload optimization we’ve already been doing. Step 4 simply turns the optimization into rule that says “This resource must be like this from now on”, preventing it happening again. Let's do it again with a real resource, an Azure Disk: Identify Premium SSD Disks in non-production environment. Compare to business requirements, which confirms Standard HDD is fine. Change Disk SKU from Premium to Standard HDD. Create Azure Policy that only allows Disks with Standard HDD in the environment and denies other SKUs. Done. No more Premium SSDs in this environment again. Prevention and Control. The real work lies in being able to understand and identify how resources become over-provisioned and wasteful. Until then we will struggle to optimize, let alone govern. The Wasteful Eight There's so many resources and properties available. Understanding all the ways they can create waste can be challenging. Fortunately, we can group resource properties into eight main categories, which make our efforts a bit easier. Lets look at the Wasteful Eight: Category Examples Over-provisioned SKUs - Disks with Premium SSD instead of Standard HDD/SSD. - App Service Plans with Premium SKU, instead of Standard. - Azure Bastion with Premium SKU, instead of Developer. Too much redundancy - Storage Accounts configured with GRS, when LRS is fine. - Recovery Services Vaults with GRS, when LRS is fine. - SQL Databases with Zone Redundancy enabled. Too large / too many instances. - Azure VMs with too many CPUs. - SQL Databases with too many vCores/DTUs. - Disks which are over 1024GB. Supports auto-scaling/serverless, but aren’t using it. - Application Gateway doesn’t have auto-scaling enabled. - App Service Plans without Auto-Scaling. - SQL Databases using fixed provisioning, instead of Serverless or Elastic Pools Too many backups. - Backups that are too frequent. - Backups with too long retention periods. - Non-prod backups with similar retentions as Prod. Too much logging. - Logging enabled in non-prod. - Log retentions too long. - Logging to Log Analytics instead of Storage Accounts. - Log Analytics not using cheaper table plans. Extra features that are disabled, or not being used. - Application Gateway with WAF SKU, but the WAF is disabled. - Azure Firewall with Premium SKU, but IDPS is disabled. - Storage Accounts with SFTP enabled but not used. Orphaned/Unused. - Unattached Disks - Empty App Service Plans - Unattached NAT Gateways Remember, it's only wasteful if you don't have a business need for it, like too much redundancy in a non-production/development environment. In a production environment, you're likely to need premium disks or SKUs, GRS, and longer logging and backup retention periods. Governance is about reducing spend where you don't need it, and frees up money to spend where you do need it, for better redundancy, faster response times etc. All resources will fall somewhere in the above categories. A single resource can be found in most of them. For example, an Application Gateway can: Have an over-provisioned/unused SKU (WAF vs Standard). Have auto-scaling disabled. Have too many instances. Have excessive logging enabled. Have the WAF SKU, but the WAF is for some reason disabled. Be orphaned, by having no backend VMs. Breaking down any resource like this will uncover most of its cost-impacting properties and give us a good idea of what to focus on. A few outliers are inevitable, but the vast majority will be covered. Let's explore the Application Gateway examples further, the reasons why each item is wasteful and the subsequent Policies we might consider in a non-production environment. I’ve also included some links to respective Azure Policy definitions available in GitHub (test before use!). Discovery Reason Governance Rule/Policy Allowed Values and effects if applicable Application Gateway has WAF SKU but doesn’t need it. We use another firewall product. Allowed Application Gateway SKUs Standard Deny Application Gateway isn’t configured with Auto-Scaling, creating inefficient use of instances. Auto-Scaling improves efficiency by scaling up and down as demand changes. Manual scaling is inefficient. Application Gateway should be configured with Auto-Scaling. Deny Application Gateway min/max instance counts are higher than needed. Setting Min/Max instance thresholds avoids them being too high. Particularly the min count, which might not need more than 1 instance. Allowed App Gateway Min/Max instance counts Min Count: 1 Max Count: 2 Deny Non-Prod Application Gateways have logging enabled, when it’s not needed. We don't have usage that needs to be logged in non-production environments. Non-Prod Application Gateways should avoid logging Deny Application Gateway has WAF but it’s disabled. A disabled WAF is doing nothing yet still paid for. Either use it, or change the Tier to Standard to reduce costs. Application Gateway WAF is disabled. Audit Application Gateway has no Backend Pool resources. Indicates an orphaned/unused App Gateway. It should be removed. Application Gateway has empty Backend Pool and appears Orphaned Audit Now this might seem a bit over the top. Do we really to be controlling our App Gateway min/max scaling counts? It depends. If you have a genuine problem with too many instances then yes, you probably should. The point is, you can if you need to. This simply demonstrates how powerful governance and Azure Policy can be at controlling how resources are used. A more likely starting point will be things like SKUs, Sizes, Redundancy Tiers and Logging. These are the high risk, high impact areas you’ve probably seen before and want to avoid again. Once you exhaust those it's time to jump into Cost Management and explore your most expensive resources and services. Explore the Billing Meters to see how each resources costs are broken down. This is where your money is going and where your governance rules will have the biggest impact. Where to find Azure Policies If you want to use Azure policy you're going to need some Policy Definitions. A Definition is your governance rule defined in Azure. It tells Azure what configurations you do and don't want, and how to deal with problems. It's recommended that you start with some of the in-built policies first, before creating your own. These are provided by Microsoft, available inside Azure Policy to be applied, and are maintained by Microsoft. Fortunately, there are plenty of policies to choose from: built-in, community provided, Azure Landing Zone related and a few of my own: Azure Built-in Policy Repo: https://github.com/Azure/azure-policy Azure Community Policy Repo: https://github.com/Azure/Community-Policy Azure Landing Zones Policies: https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies.md My stuff: https://github.com/aluckwell/Azure-Cost-Governance Making the search even easier is the AzAdvertizer. This handy tool brings thousands of policies into a single location, with easy search and filter functionality to help find useful ones. It even includes 'Deploy to Azure' links for quick deployment. AzAdvertizer: https://www.azadvertizer.net/azpolicyadvertizer_all.html Of the thousands of policies in AzAdvertizer, the list below is a great starting point for FinOps. These are all built-in, ready to go and will help you get familiar with how Azure Policy works: Policy Name Use Case Link Not Allowed Resource Types Block the creation of resources you don't need. Helps control when resource types can/can't be used. https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html Allowed virtual machine size SKUs Allow the use of specific VM SKUs and Sizes and block SKUs that are too big or not fit for our use-case. https://www.azadvertizer.net/azpolicyadvertizer/cccc23c7-8427-4f53-ad12-b6a63eb452b3.html Allowed App Services Plan SKUs Allow the use of specific App Service Plan SKUs. Block SKUs that are too big or not fit for our use-case. https://www.azadvertizer.net/azpolicyadvertizer/27e36ba1-7f72-4a8e-b981-ef06d5c78c1a.html [Preview]: Do not allow creation of Recovery Services vaults of chosen storage redundancy. Avoid Recovery Services Vaults with too much redundancy. If you don't need GRS, block it. https://www.azadvertizer.net/azpolicyadvertizer/8f09fda1-91a2-4e14-96a2-67c6281158f7.html Storage accounts should be limited by allowed SKUs Avoid too much redundancy and performance when it's not needed. https://www.azadvertizer.net/azpolicyadvertizer/7433c107-6db4-4ad1-b57a-a76dce0154a1.html Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag Disable Defender for Servers on Virtual Machines if they don't need it. Help control the rollout of Defender for Servers, avoiding machines that don't need it. https://www.azadvertizer.net/azpolicyadvertizer/080fedce-9d4a-4d07-abf0-9f036afbc9c8.html Unused App Service plans driving cost should be avoided Highlight when App Service Plans are 'Orphaned'. Either put them to use or get them deleted ASAP. https://www.azadvertizer.net/azpolicyadvertizer/Audit-ServerFarms-UnusedResourcesCostOptimization.html New policies are always being added, and existing policies improved (see the Versioning). Check back occasionally for changes and new additions that might be useful. When you get the itch to create your own, I'd suggest watching the following videos to understand the nuts and bolts of Azure Policy, and then onto Microsoft Learn for further reading. https://www.youtube.com/watch?v=4wGns611G4w https://www.youtube.com/watch?v=fhIn_kHz4hk https://learn.microsoft.com/azure/governance/policy/overview Good luck!Understanding the Total Cost of Ownership
Whether you're just beginning your journey in Azure or are already managing workloads in the cloud, it's essential to ground your strategy in proven guidance. The Microsoft Cloud Adoption Framework for Azure offers a comprehensive set of best practices, documentation, and tools to help you align your cloud adoption efforts with business goals. One of the foundational steps in this journey is understanding the financial implications of cloud migration. When evaluating the migration of workloads to Azure, calculating the Total Cost of Ownership (TCO) is a crucial step. TCO is a comprehensive metric that includes all cost components over the life of the resource. A well-constructed TCO analysis can provide valuable insights that aid in decision-making and drive financial efficiencies. By understanding the comprehensive costs associated with moving to Azure, you can make informed choices that align with your business goals and budget. Here is a breakdown of the main elements that you need to build your own TCO: 1. Current infrastructure configuration: Servers: details about your existing servers, including the number of servers, their specifications (CPU, memory, storage), and operating systems. Databases: information about your current databases, such as the type, size, and any associated licensing costs. Storage: type and amount of storage you are currently using, including any redundancy or backup solutions. Network Traffic: Account for outbound network traffic and any associated costs. 2. Azure Environment Configuration: Virtual Machines (VMs): appropriate Azure VMs that match your current server specifications. This has to be based on CPU, memory, storage, and region. Storage Options: type of storage (e.g., Standard HDD, Premium SSD), access tiers, and redundancy options that align with your needs. Networking: networking components, including virtual networks, load balancers, and bandwidth requirements. 3. Operational Costs: Power and Cooling: Estimate the costs associated with power and cooling for your on-premises infrastructure. IT Labor: Include the costs of IT labor required to manage and maintain your current infrastructure. Software Licensing: Account for any software licensing costs that will be incurred in both the current and Azure environments. Once you have more clarity of these inputs you can complement your analysis with other tools depending on your needs. The Azure Pricing Calculator is well suited to providing granular cost estimation for different Azure services and products. However, if the intent is to estimate cost and savings during migrations, Azure Migrate business case feature should be the preferred approach as it will allow the user to perform detailed financial analysis (TCO/ROI) for the best path forward and assess readiness to move workloads to Azure with confidence. Understand your Azure costs The Azure pricing calculator is a free cost management tool that allows users to understand and estimate costs of Azure Services and products. It serves as the only unauthenticated experience that allows you to configure and budget the expected cost of deploying solutions in Azure The Azure pricing calculator is key for properly adopting Azure. Whether you are in a discovery phase and trying to figure out what to use, what offers to apply or in a post purchase phase where you are trying to optimize your environment and see your negotiated prices, the azure pricing calculator fulfills both new users and existing customers' needs. The Azure pricing calculator allows organizations to plan and forecast cloud expenses, evaluate different configurations and pricing models, and make informed decisions about service selection and deployment options. Decide, plan, and execute your migration to Azure Azure Migrateis Microsoft’s free platform for migrating to and modernizing in Azure. It provides capabilities for discovery, business case (TCO/ROI), assessments, planning and migration in a workload agnostic manner. Customers must have an Azure account and create a migration project within the Azure portal to get started. Azure Migrate supports various migration scenarios, including for VMware and Hyper-V virtual machines (VM), physical servers, databases, and web apps. The service offers accurate appliance based and manual discovery options, to cater to customer needs. The Azure Migrate process consists of three main phases: Decide, Plan, and Execute. In the Decide phase, organizations discover their IT estate through several supported methods and can get a dependency map for their applications to help collocate all resources belonging to an application. Using the data discovered, one can also estimate costs and savings through the business case (TCO/ROI) feature. In the Plan phase, customers can assess for readiness to migrate, get right-sized recommendations for targets in Azure and tools to use for their migration strategy (IaaS/PaaS). Users can also create a migration plan consisting of iterative “waves” where each wave has all dependent workloads for applications to be moved during a maintenance window. Finally, the Execute phase focuses on the actual migration of workloads to a test environment in Azure in a phased manner to ensure a non-disruptive and efficient transition to Azure. A crucial step in the Azure Migrate process is building a business case prior to the move, which helps organizations understand the value Azure can bring to their business. The business case capability highlights the total cost of ownership (TCO) with discounts and compares cost and savings between on-premises and Azure including end-of-support (EOS) Windows OS and SQL versions. It provides year-on-year cash flow analysis with resource utilization insights and identifies quick wins for migration and modernization with an emphasis on long-term cost savings by transitioning from a capital expenditure model to an operating expenditure model, paying only for what is used. Understanding the Total Cost of Ownership (TCO) is essential for making informed decisions when migrating workloads to Azure. By thoroughly evaluating all cost components, including infrastructure, operational, facilities, licensing and migration costs, organizations can optimize their cloud strategy and achieve financial efficiencies. Utilize tools like the Azure Pricing Calculator and Azure Migrate to gain comprehensive insights and ensure a smooth transition to the cloud.Optimize your Azure costs with our expert guidance, pricing tools, and resources
Efficient management of cloud resources is pivotal for controlling costs and building resilient infrastructure. Taking a strategic approach not only maximizes return on investment but also positions your organization to innovate and manage risk. Recognizing the needs of our customers to bolster their cloud management practices, Microsoft recently launched Azure Essentials as an all-in-one showcase for prescriptive guidance, expert training, and AI-assisted solutions.Moving to a Microsoft Customer Agreement (MCA) from an Enterprise Agreement (EA)
Microsoft has introduced a new contractual model for Azure enterprise customers, called the Microsoft Customer Agreement. Guidance on changes to the billing hierarchy can be found here: Set up billing for Microsoft Customer Agreement - Azure Microsoft Senior Cloud Solution Architect Dina Fatkulbayanova has written a great article on LinkedIn sharing her knowledge and recommendations of the transition process and billing hierarchy changes: Moving from EA to MCA: what you should know Check it out and please share with your networks on LinkedIn!
Announcing savings plan for databases: flexible savings for modern, evolving workloads
As organizations modernize their data platforms, database environments are constantly changing. Teams migrate between services, scale across regions, and evolve architectures to support new applications and AI driven workloads. But optimizing costs in these environments can be challenging, especially when savings options require locking into specific services, regions, or configurations. To help with these challenges, we’re introducing savings plan for databases, a new way to save on eligible database services while maintaining the flexibility needed to modernize and grow your business. Savings plan for databases helps IT, engineering, and FinOps teams reduce database costs with a simple, spend based commitment—without slowing down architectural change. What is savings plan for databases? Savings plan for databases is a spend based pricing model that enables customers to save on eligible database services by committing to a fixed hourly spend for one year. In return, customers receive lower prices—up to 35% compared to pay-as-you go pricing on select services*. Instead of committing to a specific database service, region, or configuration, customers commit to an hourly dollar amount (for example, $5 per hour). The plan automatically applies savings to eligible database usage each hour, prioritizing the usage that delivers the greatest savings first—across services and regions—until the hourly commitment is met. Any usage beyond the commitment continues at pay-as-you go rates, ensuring flexibility as needs change. Pricing is for illustrative purposes only. Benefits designed for modern database workloads Flexibility as environments evolve Savings plan for databases is designed for change. Savings continue to apply as workloads modernize or move across regions—without requiring customers to repurchase or reconfigure commitments. This makes it well suited for dynamic environments where architectures are expected to evolve over time. Automatic cost optimization With a single hourly commitment, customers unlock discounted prices on eligible database usage. Savings are applied automatically each hour, ensuring customers get the most value from their commitment without manual management or constant tuning. Predictable budgeting and forecasting A fixed hourly spend replaces variable pay-as-you-go costs with a predictable commitment, making it easier for FinOps and IT finance teams to forecast spend, plan budgets, and manage cloud investments with confidence. What services that are covered with the savings plan for databases: Savings plan for databases pricing How to purchase a savings plan for databases Getting started is simple: Review personalized recommendations in the Azure portal based on recent database usage. Choose an hourly commitment and scope it into a subscription, resource group, management group, or entire account. Select a payment option—pay monthly or upfront at no additional cost—and optionally enable auto‑renewal. Once purchased, savings are applied automatically to eligible database usage every hour. Learn more here on how to purchase a savings plans here. Example: saving while modernizing Consider a team running a global application that uses Azure SQL Database and Azure Database for PostgreSQL today, with plans to expand into additional regions over the next year. Instead of purchasing individual reservations tied to specific services or regions, the team purchases a 1‑year savings plan for databases with a $5/hour commitment. As usage shifts across database services and regions, Azure automatically applies discounted prices to eligible usage up to the hourly commitment. The team continues modernizing without disruption—while benefiting from predictable savings. Summary Savings plan for databases provides a new way to optimize database costs —without locking into fixed architectures. With hourly commitments, automatic optimization, and predictable costs, it’s designed to support modernization today and continued growth tomorrow. Get started You can begin saving today: View your recommendation in Azure Advisor Purchase a plan in Azure portal Visit the Savings plan homepage Review the Microsoft Documentation Watch demo videos at the Azure Essentials Show *Customers may see savings estimated to be between 0% and 35%. The 35% savings estimate is based on one Azure SQL Database serverless running for 12 months at a pay-as-you-go rate vs. a reduced rate for a 1-year savings plan. Based on Azure pricing as of March 2026. Prices are subject to change. Actual savings may vary based on location, database service, and/or usage. ** Note that savings plan for databases will also be consumed by SQL Server on Azure Virtual Machines and SQL Server enabled by Azure Arc hourly license at the normal pay-go price.
Understand New Sentinel Pricing Model with Sentinel Data Lake Tier
Introduction on Sentinel and its New Pricing Model Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform that collects, analyzes, and correlates security data from across your environment to detect threats and automate response. Traditionally, Sentinel stored all ingested data in the Analytics tier (Log Analytics workspace), which is powerful but expensive for high-volume logs. To reduce cost and enable customers to retain all security data without compromise, Microsoft introduced a new dual-tier pricing model consisting of the Analytics tier and the Data Lake tier. The Analytics tier continues to support fast, real-time querying and analytics for core security scenarios, while the new Data Lake tier provides very low-cost storage for long-term retention and high-volume datasets. Customers can now choose where each data type lands—analytics for high-value detections and investigations, and data lake for large or archival types—allowing organizations to significantly lower cost while still retaining all their security data for analytics, compliance, and hunting. Please flow diagram depicts new sentinel pricing model: Now let's understand this new pricing model with below scenarios: Scenario 1A (PAY GO) Scenario 1B (Usage Commitment) Scenario 2 (Data Lake Tier Only) Scenario 1A (PAY GO) Requirement Suppose you need to ingest 10 GB of data per day, and you must retain that data for 2 years. However, you will only frequently use, query, and analyze the data for the first 6 months. Solution To optimize cost, you can ingest the data into the Analytics tier and retain it there for the first 6 months, where active querying and investigation happen. After that period, the remaining 18 months of retention can be shifted to the Data Lake tier, which provides low-cost storage for compliance and auditing needs. But you will be charged separately for data lake tier querying and analytics which depicted as Compute (D) in pricing flow diagram. Pricing Flow / Notes The first 10 GB/day ingested into the Analytics tier is free for 31 days under the Analytics logs plan. All data ingested into the Analytics tier is automatically mirrored to the Data Lake tier at no additional ingestion or retention cost. For the first 6 months, you pay only for Analytics tier ingestion and retention, excluding any free capacity. For the next 18 months, you pay only for Data Lake tier retention, which is significantly cheaper. Azure Pricing Calculator Equivalent Assuming no data is queried or analyzed during the 18-month Data Lake tier retention period: Although the Analytics tier retention is set to 6 months, the first 3 months of retention fall under the free retention limit, so retention charges apply only for the remaining 3 months of the analytics retention window. Azure pricing calculator will adjust accordingly. Scenario 1B (Usage Commitment) Now, suppose you are ingesting 100 GB per day. If you follow the same pay-as-you-go pricing model described above, your estimated cost would be approximately $15,204 per month. However, you can reduce this cost by choosing a Commitment Tier, where Analytics tier ingestion is billed at a discounted rate. Note that the discount applies only to Analytics tier ingestion—it does not apply to Analytics tier retention costs or to any Data Lake tier–related charges. Please refer to the pricing flow and the equivalent pricing calculator results shown below. Monthly cost savings: $15,204 – $11,184 = $4,020 per month Now the question is: What happens if your usage reaches 150 GB per day? Will the additional 50 GB be billed at the Pay-As-You-Go rate? No. The entire 150 GB/day will still be billed at the discounted rate associated with the 100 GB/day commitment tier bucket. Azure Pricing Calculator Equivalent (100 GB/ Day) Azure Pricing Calculator Equivalent (150 GB/ Day) Scenario 2 (Data Lake Tier Only) Requirement Suppose you need to store certain audit or compliance logs amounting to 10 GB per day. These logs are not used for querying, analytics, or investigations on a regular basis, but must be retained for 2 years as per your organization’s compliance or forensic policies. Solution Since these logs are not actively analyzed, you should avoid ingesting them into the Analytics tier, which is more expensive and optimized for active querying. Instead, send them directly to the Data Lake tier, where they can be retained cost-effectively for future audit, compliance, or forensic needs. Pricing Flow Because the data is ingested directly into the Data Lake tier, you pay both ingestion and retention costs there for the entire 2-year period. If, at any point in the future, you need to perform advanced analytics, querying, or search, you will incur additional compute charges, based on actual usage. Even with occasional compute charges, the cost remains significantly lower than storing the same data in the Analytics tier. Realized Savings Scenario Cost per Month Scenario 1: 10 GB/day in Analytics tier $1,520.40 Scenario 2: 10 GB/day directly into Data Lake tier $202.20 (without compute) $257.20 (with sample compute price) Savings with no compute activity: $1,520.40 – $202.20 = $1,318.20 per month Savings with some compute activity (sample value): $1,520.40 – $257.20 = $1,263.20 per month Azure calculator equivalent without compute Azure calculator equivalent with Sample Compute Conclusion The combination of the Analytics tier and the Data Lake tier in Microsoft Sentinel enables organizations to optimize cost based on how their security data is used. High-value logs that require frequent querying, real-time analytics, and investigation can be stored in the Analytics tier, which provides powerful search performance and built-in detection capabilities. At the same time, large-volume or infrequently accessed logs—such as audit, compliance, or long-term retention data—can be directed to the Data Lake tier, which offers dramatically lower storage and ingestion costs. Because all Analytics tier data is automatically mirrored to the Data Lake tier at no extra cost, customers can use the Analytics tier only for the period they actively query data, and rely on the Data Lake tier for the remaining retention. This tiered model allows different scenarios—active investigation, archival storage, compliance retention, or large-scale telemetry ingestion—to be handled at the most cost-effective layer, ultimately delivering substantial savings without sacrificing visibility, retention, or future analytical capabilities.Microsoft Agent Pre-Purchase Plan: One Unified Path to Scale AI Agents
AI is now essential, and at Microsoft Ignite 2025, we introduced a new foundation for intelligent agents: Work IQ, Fabric IQ, and Foundry IQ. These three IQs represent the intelligence layer that gives agents deep context; understanding how people work, connecting to enterprise data, and orchestrating knowledge across platforms. Together with the launch of Microsoft Agent Factory, organizations now have a unified program to build, deploy, and manage agents powered by these IQs. Microsoft Agent Pre-Purchase Plan (P3) is designed to for organizations looking to confidently invest in AI agent development with a single, predictable budget. It empowers businesses to experiment, build, and scale sophisticated AI agents without the friction of fragmented licensing or unexpected costs. By unifying access to agentic services across Microsoft Foundry, Microsoft Copilot Studio*, Microsoft Fabric, and GitHub, Microsoft Agent P3 empowers organizations to harness the full potential of the IQ layer thus removing barriers and unlocking the value of truly intelligent, context-driven agents. What is Microsoft Agent Pre-Purchase Plan and how to does it work? Microsoft Agent P3 is a one-year pay-upfront option. Customers commit upfront to a lump-sum pool of Agent Commit Units (ACU) that can be used at any time during the one-year term. Every time you consume eligible services across Microsoft Foundry, Microsoft Copilot Studio*, Microsoft Fabric, and GitHub, the ACUs are automatically drawn down from your P3 balance. If you use up your balance before the year ends, you can add another P3 plan or switch to pay-as-you-go. If you don’t use all your credits by the end of the year, the remaining balance expires. Pricing* *Pricing as of November 2025, subject to change. **Example if Microsoft Copilot Studio generates a retail cost of $100 based on Copilot Credit and Microsoft Foundry usage, then 100 Agent CUs (ACUs) are consumed. What is covered by the Microsoft Agent Pre-Purchase Plan? * List as of February 2026, subject to change ** Currently in Private Preview *** Covers Copilot Credits enabled agentic services: Microsoft Copilot Studio, Dynamics 365 first-party agents, and Copilot. Microsoft reserves the right to update Copilot Credit eligible products. Customer Example Suppose a customer expects to consume 1,500,000 Copilot Credit with custom agents created in Microsoft Copilot Studio. Assuming the pay-as-you-go rate for Copilot Credit to be $0.01, then at the pay-as-you-go rate, this will cost $15,000. In addition, if they are using 5000 Microsoft Foundry Provisioned Throughput Units (PTU) and assuming the pay-as-you-go rate for PTU to be $1, then at the pay-as-you-go rate, this will cost $5,000. By purchasing Tier 1 (20,000 ACUs) Microsoft Agent P3 at the cost of $19,000, it will give a 5% saving compared to the pay-as-you-go rate for the same usage. How to purchase a Microsoft Agent Pre-Purchase Plan? Sign in to the Azure portal →Reservations → + Add → Microsoft Agent Pre-Purchase Plan. Select your subscription and scope Choose your tier and complete payment. What sets Microsoft Agent Pre-Purchase Plan apart? At the heart of Microsoft Agent Pre-Purchase Plan are four pillars that redefine how organizations consume AI services: One Plan: A single offer that spans Microsoft Foundry, Microsoft Copilot Studio*, Microsoft Fabric, and GitHub. No more siloed credits or SKU-level complexity, just one pool for all your AI workloads. Breadth of Services: Access to 30+ services, from Azure AI Search and Cognitive Services to orchestration tools and Copilot-enabled experiences. One Governance Path: Simplifies procurement and budget management. Procurement teams gain visibility and control without sacrificing agility. Predictable Savings: Get discounts and avoid surprises when you choose this plan. Conclusion The Microsoft Agent Pre-Purchase Plan is designed to make your AI journey simpler, smarter, and more cost-effective. By combining the strengths of Microsoft Foundry, Microsoft Copilot Studio*, Microsoft Fabric, and GitHub into a single, unified offer, the plan eliminates the need to choose one platform or manage multiple contracts. Organizations benefit from predictable budgeting, streamlined procurement, and the flexibility to innovate across more than 30+ agentic services—all with one pool of funds. Whether you’re just starting with AI or scaling enterprise-wide adoption, the Microsoft Agent Pre-Purchase Plan empowers you to unlock the full value of Microsoft’s agentic platform—driving innovation, efficiency, and business impact. And with support for agents built on Work IQ, Fabric IQ, and Foundry IQ, customers can be confident their solutions are grounded in the latest intelligence announced at Ignite. What’s next Read the Microsoft Agent P3 Offer MS Learn Doc Purchase Microsoft Agent P3 in your Azure Portal * Covers Copilot Credits enabled agentic services: Microsoft Copilot Studio, Dynamics 365 first-party agents, and Copilot. Microsoft reserves the right to update Copilot Credit eligible productsManaging Azure OpenAI costs with the FinOps toolkit and FOCUS: Turning tokens into unit economics
By Robb Dilallo Introduction As organizations rapidly adopt generative AI, Azure OpenAI usage is growing—and so are the complexities of managing its costs. Unlike traditional cloud services billed per compute hour or storage GB, Azure OpenAI charges based on token usage. For FinOps practitioners, this introduces a new frontier: understanding AI unit economics and managing costs where the consumed unit is a token. This article explains how to leverage the Microsoft FinOps toolkit and the FinOps Open Cost and Usage Specification (FOCUS) to gain visibility, allocate costs, and calculate unit economics for Azure OpenAI workloads. Why Azure OpenAI cost management is different AI services break many traditional cost management assumptions: Billed by token usage (input + output tokens). Model choices matter (e.g., GPT-3.5 vs. GPT-4 Turbo vs. GPT-4o). Prompt engineering impacts cost (longer context = more tokens). Bursty usage patterns complicate forecasting. Without proper visibility and unit cost tracking, it's difficult to optimize spend or align costs to business value. Step 1: Get visibility with the FinOps toolkit The Microsoft FinOps toolkit provides pre-built modules and patterns for analyzing Azure cost data. Key tools include: Microsoft Cost Management exports Export daily usage and cost data in a FOCUS-aligned format. FinOps hubs Infrastructure-as-Code solution to ingest, transform, and serve cost data. Power BI templates Pre-built reports conformed to FOCUS for easy analysis. Pro tip: Start by connecting your Microsoft Cost Management exports to a FinOps hub. Then, use the toolkit’s Power BI FOCUS templates to begin reporting. Learn more about the FinOps toolkit Step 2: Normalize data with FOCUS The FinOps Open Cost and Usage Specification (FOCUS) standardizes billing data across providers—including Azure OpenAI. FOCUS Column Purpose Azure Cost Management Field ServiceName Cloud service (e.g., Azure OpenAI Service) ServiceName ConsumedQuantity Number of tokens consumed Quantity PricingUnit Unit type, should align to "tokens" DistinctUnits BilledCost Actual cost billed CostInBillingCurrency ChargeCategory Identifies consumption vs. reservation ChargeType ResourceId Links to specific deployments or apps ResourceId Tags Maps usage to teams, projects, or environments Tags UsageType / Usage Details Further SKU-level detail Sku Meter Subcategory, Sku Meter Name Why it matters: Azure’s native billing schema can vary across services and time. FOCUS ensures consistency and enables cross-cloud comparisons. Tip: If you use custom deployment IDs or user metadata, apply them as tags to improve allocation and unit economics. Review the FOCUS specification Step 3: Calculate unit economics Unit cost per token = BilledCost ÷ ConsumedQuantity Real-world example: Calculating unit cost in Power BI A recent Power BI report breaks down Azure OpenAI usage by: SKU Meter Category → e.g., Azure OpenAI SKU Meter Subcategory → e.g., gpt 4o 0513 Input global Tokens SKU Meter Name → detailed SKU info (input/output, model version, etc.) GPT Model Usage Type Effective Cost gpt 4o 0513 Input global Tokens Input $292.77 gpt 4o 0513 Output global Tokens Output $23.40 Unit Cost Formula: Unit Cost = EffectiveCost ÷ ConsumedQuantity Power BI Measure Example: Unit Cost = SUM(EffectiveCost) / SUM(ConsumedQuantity) Pro tip: Break out input and output token costs by model version to: Track which workloads are driving spend. Benchmark cost per token across GPT models. Attribute costs back to teams or product features using Tags or ResourceId. Power BI tip: Building a GPT cost breakdown matrix To easily calculate token unit costs by GPT model and usage type, build a Matrix visual in Power BI using this hierarchy: Rows: SKU Meter Category SKU Meter Subcategory SKU Meter Name Values: EffectiveCost (sum) ConsumedQuantity (sum) Unit Cost (calculated measure) Unit Cost = SUM(‘Costs’[EffectiveCost]) / SUM(‘Costs’[ConsumedQuantity]) Hierarchy Example: Azure OpenAI ├── GPT 4o Input global Tokens ├── GPT 4o Output global Tokens ├── GPT 4.5 Input global Tokens └── etc. Power BI Matrix visual showing Azure OpenAI token usage and costs by SKU Meter Category, Subcategory, and Name. This breakdown enables calculation of unit cost per token across GPT models and usage types, supporting FinOps allocation and unit economics analysis. What you can see at the token level Metric Description Data Source Token Volume Total tokens consumed Consumed Quantity Effective Cost Actual billed cost BilledCost / Cost Unit Cost per Token Cost divided by token quantity Effective Unit Price SKU Category & Subcategory Model, version, and token type (input/output) Sku Meter Category, Subcategory, Meter Name Resource Group / Business Unit Logical or organizational grouping Resource Group, Business Unit Application Application or workload responsible for usage Application (tag) This visibility allows teams to: Benchmark cost efficiency across GPT models. Track token costs over time. Allocate AI costs to business units or features. Detect usage anomalies and optimize workload design. Tip: Apply consistent tagging (Cost Center, Application, Environment) to Azure OpenAI resources to enhance allocation and unit economics reporting. How the FinOps Foundation’s AI working group informs this approach The FinOps for AI overview, developed by the FinOps Foundation’s AI working group, highlights unique challenges in managing AI-related cloud costs, including: Complex cost drivers (tokens, models, compute hours, data transfer). Cross-functional collaboration between Finance, Engineering, and ML Ops teams. The importance of tracking AI unit economics to connect spend with value. By combining the FinOps toolkit, FOCUS-conformed data, and Power BI reporting, practitioners can implement many of the AI Working Group’s recommendations: Establish token-level unit cost metrics. Allocate costs to teams, models, and AI features. Detect cost anomalies specific to AI usage patterns. Improve forecasting accuracy despite AI workload variability. Tip: Applying consistent tagging to AI workloads (model version, environment, business unit, and experiment ID) significantly improves cost allocation and reporting maturity. Step 4: Allocate and Report Costs With FOCUS + FinOps toolkit: Allocate costs to teams, projects, or business units using Tags, ResourceId, or custom dimensions. Showback/Chargeback AI usage costs to stakeholders. Detect anomalies using the Toolkit’s patterns or integrate with Azure Monitor. Tagging tip: Add metadata to Azure OpenAI deployments for easier allocation and unit cost reporting. Example: tags: CostCenter: AI-Research Environment: Production Feature: Chatbot Step 5: Iterate Using FinOps Best Practices FinOps capability Relevance Reporting & analytics Visualize token costs and trends Allocation Assign costs to teams or workloads Unit economics Track cost per token or business output Forecasting Predict future AI costs Anomaly management Identify unexpected usage spikes Start small (Crawl), expand as you mature (Walk → Run). Learn about the FinOps Framework Next steps Ready to take control of your Azure OpenAI costs? Deploy the Microsoft FinOps toolkit Start ingesting and analyzing your Azure billing data. Get started Adopt FOCUS Normalize your cost data for clarity and cross-cloud consistency. Explore FOCUS Calculate AI unit economics Track token consumption and unit costs using Power BI. Customize Power BI reports Extend toolkit templates to include token-based unit economics. Join the conversation Share insights or questions with the FinOps community on TechCommunity or in the FinOps Foundation Slack. Advance Your Skills Consider the FinOps Certified FOCUS Analyst certification. Further Reading Managing the cost of AI: Understanding AI workload cost considerations Microsoft FinOps toolkit Learn about FOCUS Microsoft Cost Management + Billing FinOps Foundation Appendix: FOCUS column glossary ConsumedQuantity: The number of tokens or units consumed for a given SKU. This is the key measure of usage. ConsumedUnit: The type of unit being consumed, such as 'tokens', 'GB', or 'vCPU hours'. Often appears as 'Units' in Azure exports for OpenAI workloads. PricingUnit: The unit of measure used for pricing. Should match 'ConsumedUnit', e.g., 'tokens'. EffectiveCost: Final cost after amortization of reservations, discounts, and prepaid credits. Often derived from billing data. BilledCost: The invoiced charge before applying commitment discounts or amortization. PricingQuantity: The volume of usage after applying pricing rules such as tiered or block pricing. Used to calculate cost when multiplied by unit price.
