Architectural Guidance – Azure Monitor private links with Microsoft Sentinel

by Contributed | Dec 8, 2022 | Technology

This article is contributed. See the original author and article here.

Firstly, I would like to thank  Benjamin Kovacevic for his help with this article.

In this blog post, I will try to simplify one of the confusions and a popular question seen by many organizations around the ability to use private links together with Microsoft Sentinel.

Starting with basics:

Microsoft Sentinel

Microsoft Sentinel is a cloud-native SIEM solution that is built on top of the log analytics workspace and hence, Microsoft Sentinel requires data to be ingested into that same log analytics workspace for its operation.

Log analytics workspace

Log analytics workspace is a native Azure monitoring resource that is part of Azure monitor as Azure monitor contains also resources like application insights and DCR resources and so on.

Microsoft Sentinel log source types

Microsoft Sentinel log sources are either:

• Diagnostic-based data sources: This type covers data ingested through the diagnostic settings from Azure PaaS and/or Saas services. Examples like: Activity logs, Azure AD audit logs, Azure Data factories, Key vaults, and so on. Once configured, data starts to flow from the Azure resource to the log analytics workspace.

• Service-to-service data integration: This type covers direct connections from other Microsoft services like Defender for Endpoint, Defender for Cloud, Defender for Office365, and so on. Once the connection is turned on, data starts to flow automatically through the Azure backend to the log analytics workspace.

• Agent-based-ingestion log sources: This covers all ingestion that is based on either AMA or LAA (MMA) agents. Data sources could be VMs that are running in Azure, on-premises, or in other cloud platforms.

• REST API based ingestion: This covers data ingestion and queries through pipelines line LogicApp connectors, Function Apps, and some 3^rd party connectors in Microsoft Sentinel.

Azure Monitor Private link

Private link in Azure Monitor is a network restriction and security mechanism that could be used to force traffic to flow only through private connections from a VNET to an azure monitor resource. In this context, we will focus on log analytics workspace as our Azure monitor resource.

Type1: Ingesting data through diagnostic settings

As mentioned in this document under exception section, data ingested through diagnostic settings pipeline by default go over a secure private channel and is not impacted by private links.

The same goes for type2 service-to-service data integrations as they also flow through Azure backbone.

Type3: Agent-based-ingestion log sources

The best way to look at the concept under the context of this type3 is to examine the following diagram taken from this document

Note that On-premises here could also be replaced by VNETs on azure as well because the same concept applies.

So the idea is simply that traffic from on-premises (or any VNET on Azure) will communicate to the private endpoint IP address that is associated with the private link scope object.

Fact 1: This basically means that it primarily depends on how DNS is configured.

Fact 2: On the workspace level, an On/Off setting exists to control whether to accept data ingestion not originating from private link scope or not.

Fact 3: On the workspace level, an On/Off setting exists to control whether to accept log queries not originating from private link scope or not.

Fact 4: The private link scope could be covering all log analytic workspaces or some of them. At this point, we need to pay attention to the private link mode (private only or open).

Private only mode: allows the traffic VNet to only reach resources in the link scope. traffic to log analytics workspace out of the link scope is blocked.

Open mode: allows the VNet to reach log analytic workspaces that are covered by the private link scope AND log analytics workspaces that are not covered by the private link scope. (if they accept traffic from public networks). The Open mode is useful for a mixed mode of work (accessing some resources publicly and others over a Private Link), or during a gradual onboarding process.

So to simplify it, the following matrix should give an idea of how the result looks like for interactions between these four items. For other workspaces that are not covered by the same link scope, the following matrix applies

As expected, any log ingestion traffic for log analytics workspaces that are not covered by the same private link scope will be denied and only allowed if the link scope mode is set to Open

Our Recommendations from the field

• Considering Azure monitor private link should be associated with either a concrete requirement or certain compliance obligations.


• Use link mode: open when newly onboarding Microsoft Sentinel and switch to link mode: private only mode only after careful assessment of implication on all log analytics workspaces that are available and assessment of network and DNS design.

Announcing new pricing and capabilities in Compliance Manager premium templates

by Contributed | Dec 7, 2022 | Technology

This article is contributed. See the original author and article here.

In the modern era, organizations need to comply with several international, federal, or local regulatory obligations. Microsoft Purview Compliance Manager contains a library of 350+ regulations designed to help you reduce the time it takes to get compliant, stay compliant, and scale your company’s compliance. Today, we are excited to announce the following changes to your premium templates:

What you need to know:

1. Pricing is dropping to $6,000 per unit, per year


2. Regulations under the same family will count as a single template


3. Microsoft 365 E5 customers will be able to use their first 3 premium templates for free

Reduced pricing

Research suggests that organizations need to comply with 5-10 regulations on average. At Microsoft, we strive to empower every organization to achieve more, and that means giving you access to the greatest number of templates at the most affordable price. Starting today, customers across all segments can purchase our premium templates at an all-time low price of $6,000 per year or just $500 per month!

Figure 1: New price for Compliance Manager Add-On

Grouped regulations

Some regulations have different maturity levels. Starting today, regulations under this category are considered part of the same “family” and will count as a single premium template. The examples below showcase what is and what is not grouped together as part of this change.

Grouped: Payment Card Industry Data Security Standard (PCI-DSS) version 3 and version 4 are all versions of the same standard and will count as a single template.

Not Grouped: NIST 800-53 and NIST 800-171 are different standards, and therefore count as different templates

Figure 2: Example of grouped templates (ie: Australia – ASD Essential 8)

Benefits for E5 customers

Prior to today, you were entitled to the following regulations: ISO27001, NIST 800-53, and GDPR as part of your E5 services. Starting today, we are no longer prescribing these regulations. You can now choose up to any 3 premium templates from the library of supported regulations and select the ones that fit your specific needs.

Figure 3: E5 customers can choose their first 3 premium templates for free

*Note: Customers on E1, E3, and other license types will have to purchase these at $6,000 per unit.

Get started today!

We are committed to helping organizations do more with less by delivering capabilities that make the end-to-end compliance experience more efficient and affordable. Get started with Compliance Manager through the Microsoft Purview portal today!

Have any questions? Visit our Technical Documentation for the latest information.