Management Security Baselines

Management services form the operational backbone of Azure security. Log Analytics Workspace is the central data platform for security logs, metrics, and alerts — it feeds Sentinel, Defender for Cloud, and all diagnostic telemetry across your environment.

Log Analytics Security Data Flow

```mermaid
graph LR
  subgraph Sources["Log Sources"]
    AZ[Azure Resources]
    DC[Defender for Cloud]
    ENT[Entra ID]
    ON[On-Premises]
  end
  subgraph Platform["Data Platform"]
    LA[Log Analytics Workspace]
  end
  subgraph Consumers["Security Consumers"]
    SEN[Microsoft Sentinel]
    WB[Workbooks & Dashboards]
    AL[Alert Rules]
  end
  AZ -->|Diagnostic Settings| LA
  DC -->|Security Alerts| LA
  ENT -->|Sign-in & Audit Logs| LA
  ON -->|AMA Agent| LA
  LA --> SEN
  LA --> WB
  LA --> AL
  style Sources stroke:#22d3ee,stroke-width:2px
  style Platform stroke:#a855f7,stroke-width:2px
  style Consumers stroke:#ec4899,stroke-width:2px
```

Log Analytics Workspace

Centralized log ingestion and query platform that underpins Microsoft Sentinel, Defender for Cloud, and Azure Monitor. The workspace stores all security telemetry — sign-in logs, resource diagnostics, threat alerts, and custom application logs. Securing the workspace protects the integrity of your entire detection and response capability.

| Property | Value |
| --- | --- |
| Defender Plan | N/A — Log Analytics is the Defender backend |
| Azure Policy Built-in | Yes — CMK, Private Link, retention, workspace access mode |
| Network Isolation | Azure Monitor Private Link Scope (AMPLS) |
| Key Feature | Resource-context RBAC for per-table access control |

Baseline Controls

| Domain | Control | Support | Configuration | Responsibility |
| --- | --- | --- | --- | --- |
| NS | Private Link Scope | ✓ Supported | ○ Manual | Customer |
| PA | RBAC Access Control | ✓ Supported | ○ Manual | Customer |
| DP | Encryption at Rest | ✓ Supported | ● Default | Microsoft |
| DP | CMK Encryption | ✓ Supported | ○ Manual | Customer |
| BR | Data Retention | ✓ Supported | ● Default | Customer |

Terraform: Hardened Log Analytics Workspace

```hcl
resource "azurerm_log_analytics_workspace" "main" {
  name                = "law-security-prod"
  resource_group_name = azurerm_resource_group.management.name
  location            = azurerm_resource_group.management.location
  sku                 = "PerGB2018"

  # BR-1: Retention configuration
  retention_in_days = 90 # Interactive retention; the archive tier is set per table

  # PA-7: Resource-context RBAC (portal: "Use resource or workspace permissions")
  allow_resource_only_permissions = true

  # NS-2: Block public ingestion and query; traffic must arrive through the AMPLS below
  internet_ingestion_enabled = false
  internet_query_enabled     = false
}

# NS-2: Azure Monitor Private Link Scope
resource "azurerm_monitor_private_link_scope" "main" {
  name                = "ampls-prod"
  resource_group_name = azurerm_resource_group.management.name

  ingestion_access_mode = "PrivateOnly"
  query_access_mode     = "PrivateOnly"
}

resource "azurerm_monitor_private_link_scoped_service" "law" {
  name                = "ampls-law-link"
  resource_group_name = azurerm_resource_group.management.name
  scope_name          = azurerm_monitor_private_link_scope.main.name
  linked_resource_id  = azurerm_log_analytics_workspace.main.id
}

resource "azurerm_private_endpoint" "ampls" {
  name                = "pe-ampls-prod"
  location            = azurerm_resource_group.management.location
  resource_group_name = azurerm_resource_group.management.name
  subnet_id           = azurerm_subnet.management.id

  private_service_connection {
    name                           = "psc-ampls-prod"
    private_connection_resource_id = azurerm_monitor_private_link_scope.main.id
    subresource_names              = ["azuremonitor"]
    is_manual_connection           = false
  }
}

# LT-3: Diagnostic settings for the workspace itself (query audit and summary logs
# are written back into the same workspace)
resource "azurerm_monitor_diagnostic_setting" "law" {
  name                       = "diag-law-audit"
  target_resource_id         = azurerm_log_analytics_workspace.main.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id

  enabled_log { category = "Audit" }
  enabled_log { category = "SummaryLogs" }
  metric { category = "AllMetrics" }
}
```
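The Audit diagnostic category enabled above records every query run against the workspace, which gives you a way to verify that the PA-7 per-table RBAC design is actually holding rather than trusting the configuration. The Python below is an added example, not part of this page's Terraform or of any Microsoft tooling: it runs over a few constructed LAQueryLogs-style records and flags successful reads of a restricted table by a principal outside its expected reader set (RBAC drift) and principals that accumulate repeated access denials. The reader map is a constructed policy; the column names (AADEmail, RequestClientApp, QueryText, ResponseCode) follow the documented LAQueryLogs schema but should be verified against your own workspace, and the table extraction is a deliberately simple heuristic (leading source plus `union` operands).

```python
"""Detection over Log Analytics query audit records (LAQueryLogs).

Added example, not part of the page. Records and the reader policy below are
constructed; verify column names against your workspace schema before use.
"""

import re
from collections import Counter

# Tables restricted through PA-7 per-table RBAC, mapped to the principals that
# are expected to read them (constructed policy for this example).
SENSITIVE_TABLE_READERS = {
    "SigninLogs": {"idsec@example.com"},
    "SecurityEvent": {"soc@example.com", "idsec@example.com"},
}

_SOURCE = re.compile(r"^\s*([A-Za-z_]\w*)")
_UNION = re.compile(r"\bunion\s+([A-Za-z_]\w*)", re.IGNORECASE)


def referenced_tables(query_text: str) -> set[str]:
    """Heuristic: the leading KQL source table plus any bare `union X` operand."""
    tables = set()
    match = _SOURCE.match(query_text)
    if match:
        tables.add(match.group(1))
    tables.update(_UNION.findall(query_text))
    return tables


def detect(records: list[dict], denied_threshold: int = 3) -> list[tuple]:
    """Return alerts as (kind, principal, detail) tuples.

    unexpected-reader: a 200 response on a restricted table for a principal that
                       is not in its reader set (the RBAC boundary is not holding).
    repeated-denials:  a principal with >= denied_threshold 403 responses.
    """
    alerts: list[tuple] = []
    denied: Counter = Counter()
    for rec in records:
        principal = rec["AADEmail"]
        code = rec["ResponseCode"]
        if code == 403:
            denied[principal] += 1
        if code != 200:
            continue  # only successful reads prove a boundary failure
        for table in sorted(referenced_tables(rec["QueryText"])):
            readers = SENSITIVE_TABLE_READERS.get(table)
            if readers is not None and principal not in readers:
                alerts.append(("unexpected-reader", principal, table))
    for principal, count in denied.items():
        if count >= denied_threshold:
            alerts.append(("repeated-denials", principal, count))
    return alerts


def _rec(email: str, query: str, code: int) -> dict:
    """Build one constructed LAQueryLogs-shaped record."""
    return {"AADEmail": email, "RequestClientApp": "AzurePortal",
            "QueryText": query, "ResponseCode": code}


# Constructed sample: a SOC analyst reading SecurityEvent, a developer who can
# read SigninLogs despite not being in its reader set, three denials for the
# same developer on SecurityEvent, and an allowed cross-table query.
SAMPLE_AUDIT = [
    _rec("soc@example.com", "SecurityEvent | where EventID == 4625 | take 100", 200),
    _rec("dev@example.com", "SigninLogs | where ResultType != 0", 200),
    _rec("dev@example.com", "SecurityEvent | take 10", 403),
    _rec("dev@example.com", "SecurityEvent | take 10", 403),
    _rec("dev@example.com", "SecurityEvent | count", 403),
    _rec("idsec@example.com", "SigninLogs | union SecurityEvent | summarize count()", 200),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT):
        print(alert)
```

The first alert kind is the one that matters for PA-7: a successful read that the per-table RBAC design says should not have happened means the workspace access mode or a table-level assignment has drifted, and it is worth checking before a less friendly reader finds the same gap.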

Azure Portal Instructions

Step-by-step instructions for configuring each Log Analytics Workspace control through the Azure Portal.

NS-2 — Private Link Scope

  1. Navigate to Azure Monitor Private Link Scopes in the Azure Portal
  2. Click + Create to create a new AMPLS resource
  3. Under Azure Monitor Resources, click + Add and select your Log Analytics workspace
  4. Navigate to the AMPLS resource > Networking > Private endpoint connections
  5. Click + Private endpoint and select the VNet, subnet, and DNS zone
  6. On the AMPLS resource, set Access mode to Private Only for both ingestion and query
  7. Verify that agents and queries can still reach the workspace over the private link

PA-7 — RBAC Access Control

  1. Navigate to your Log Analytics workspace in the Azure Portal
  2. In the left menu, select Access control (IAM)
  3. Click + Add role assignment
  4. Assign "Log Analytics Reader" for read-only access or "Log Analytics Contributor" for management
  5. For fine-grained control, set Access control mode to "Use resource or workspace permissions"
  6. This enables resource-context RBAC, where users can only query logs from resources they have access to
  7. Navigate to Settings > Tables to configure per-table RBAC for sensitive data types

DP-4 — Encryption at Rest

This feature is managed by Microsoft and enabled by default. All log data, saved queries, and alert definitions are encrypted at rest with AES-256. No portal configuration is required.

DP-5 — CMK Encryption

  1. Navigate to Log Analytics clusters in the Azure Portal
  2. Click + Create to create a dedicated cluster (minimum 500 GB/day commitment tier)
  3. On the Encryption tab, select Customer-managed key
  4. Select the Key Vault and encryption key
  5. Configure the managed identity for Key Vault access
  6. Click Review + Create
  7. After the cluster is created, link your workspace: navigate to your workspace > Settings > Linked storage > Cluster link

BR-1 — Data Retention & Archive

  1. Navigate to your Log Analytics workspace in the Azure Portal
  2. In the left menu under General, select Usage and estimated costs
  3. Click Data Retention and set the interactive retention period
  4. For per-table retention, navigate to Settings > Tables
  5. Select a table and click the context menu (...) > Manage table
  6. Set the Interactive retention and Total retention periods
  7. Data beyond interactive retention moves to the archive tier at lower cost
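Whether the controls were applied through the Terraform above or the portal steps in this section, the result should be verified against what the resource actually reports. The following Python is an added example, not part of this page or of any Microsoft tooling: it evaluates the ARM JSON of a Microsoft.OperationalInsights/workspaces resource and its /tables children (the shape `az resource show` returns) against NS-2, PA-7, BR-1 and DP-5. The property names are the ARM ones (publicNetworkAccessForIngestion, publicNetworkAccessForQuery, features.enableLogAccessUsingOnlyResourcePermissions, retentionInDays, totalRetentionInDays); the sample documents and the 90-day/365-day policy minimums are constructed, and treating `sku.name == "LACluster"` as the dedicated-cluster indicator for DP-5 is an assumption stated in the code.

```python
"""Offline baseline check for a Log Analytics workspace (NS-2, PA-7, BR-1, DP-5).

Added example, not part of the page. Input is the ARM resource JSON shape;
the sample workspace and tables below are constructed.
"""

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # baseline control id, e.g. "NS-2"
    subject: str   # workspace or table name the finding applies to
    passed: bool
    detail: str


def check_workspace(ws: dict, tables: list[dict],
                    min_interactive_days: int = 90,
                    min_total_days: int = 365) -> list[Finding]:
    """Evaluate one workspace document plus its table documents."""
    name = ws.get("name", "<unknown>")
    props = ws.get("properties") or {}
    features = props.get("features") or {}
    findings: list[Finding] = []

    # NS-2: both ingestion and query must be private-only. The ARM default is
    # "Enabled", so a missing property counts as public.
    ingest = props.get("publicNetworkAccessForIngestion", "Enabled")
    query = props.get("publicNetworkAccessForQuery", "Enabled")
    findings.append(Finding(
        "NS-2", name, ingest == "Disabled" and query == "Disabled",
        f"publicNetworkAccessForIngestion={ingest}, publicNetworkAccessForQuery={query}"))

    # PA-7: resource-context RBAC ("Use resource or workspace permissions" in the
    # portal) is the enableLogAccessUsingOnlyResourcePermissions feature flag.
    resource_ctx = features.get("enableLogAccessUsingOnlyResourcePermissions") is True
    findings.append(Finding(
        "PA-7", name, resource_ctx,
        f"enableLogAccessUsingOnlyResourcePermissions={resource_ctx}"))

    # BR-1: workspace-level interactive retention (30 days when not set).
    ws_retention = int(props.get("retentionInDays", 30))
    findings.append(Finding(
        "BR-1", name, ws_retention >= min_interactive_days,
        f"retentionInDays={ws_retention} (minimum {min_interactive_days})"))

    # BR-1: per-table interactive and total (archive) retention. A table inherits
    # the workspace value when it sets none; total defaults to interactive.
    for table in tables:
        tname = table.get("name", "<unknown>")
        tprops = table.get("properties") or {}
        interactive = int(tprops.get("retentionInDays") or ws_retention)
        total = int(tprops.get("totalRetentionInDays") or interactive)
        ok = (interactive >= min_interactive_days and total >= min_total_days
              and total >= interactive)
        findings.append(Finding(
            "BR-1", tname, ok,
            f"interactive={interactive}, total={total} "
            f"(minimum {min_interactive_days}/{min_total_days})"))

    # DP-5: CMK requires a dedicated cluster. Assumption used here: a linked
    # workspace reports the LACluster SKU instead of its own pricing tier.
    sku = (props.get("sku") or {}).get("name", "")
    findings.append(Finding("DP-5", name, sku == "LACluster", f"sku.name={sku}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, bool]:
    """Collapse findings to one pass/fail per control id (all subjects must pass)."""
    result: dict[str, bool] = {}
    for f in findings:
        result[f.control] = result.get(f.control, True) and f.passed
    return result


# Constructed sample: private ingestion but public query, resource-context RBAC
# on, 90-day workspace retention, one table whose retention was shortened.
SAMPLE_WORKSPACE = json.loads("""{
  "name": "law-security-prod",
  "type": "Microsoft.OperationalInsights/workspaces",
  "properties": {
    "sku": {"name": "PerGB2018"},
    "retentionInDays": 90,
    "publicNetworkAccessForIngestion": "Disabled",
    "publicNetworkAccessForQuery": "Enabled",
    "features": {"enableLogAccessUsingOnlyResourcePermissions": true}
  }
}""")
SAMPLE_TABLES = [
    {"name": "SecurityEvent",
     "properties": {"retentionInDays": 90, "totalRetentionInDays": 365}},
    {"name": "SigninLogs",
     "properties": {"retentionInDays": 30, "totalRetentionInDays": 30}},
]

if __name__ == "__main__":
    for f in check_workspace(SAMPLE_WORKSPACE, SAMPLE_TABLES):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.control:5} {f.subject}: {f.detail}")
```

Running it on the sample reports NS-2 failing on the still-public query endpoint and BR-1 failing on the SigninLogs table, which is the kind of drift a per-table retention change in the portal quietly introduces even when the workspace default still looks right.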

Workspace Architecture

Use a single workspace per region for most organizations. Multi-workspace designs add complexity to cross-workspace queries and Sentinel analytics. Use resource-context RBAC and per-table retention to control access and costs within a single workspace instead of splitting into multiple workspaces.