Azure Log Analytics is a superb product to store and query logs. However, when an organization streams the sign-in logs and audit logs from Azure Active Directory to an Azure Log Analytics workspace, the Azure Log Analytics bill might rack up.
In this blog post, I’ll provide a way to effectively calculate the Azure Log Analytics bill when you stream your Azure AD logs to it, based on metrics.
Azure Log Analytics’ Pricing Model
Azure Log Analytics’ pricing model consists of two components: data ingestion and data retention.
The pricing model for Log Analytics is per ingested GB per month. However, the first 5 GB per month is free. Data ingestion beyond 5 GB is priced at $ 2.30 per GB per month. Ingesting Azure AD logs with Log Analytics will mostly result in free workspace usage, except for large, busy Azure AD tenants.
For large organizations, daily capacity can be reserved with 15% – 25% discounts, depending on the capacity required. Daily capacity starts at 100 GB / day ingress traffic for $ 196 per day.
Azure Log Analytics ingestion includes 31 days of data retention. When you want to retain data for a longer period of time, data is priced at $ 0.10 per GB per month.
When you’ve enabled Azure Sentinel, data is retained for 90 days without additional cost.
To calculate your Azure Log Analytics bill when you stream your Azure AD logs to it, we’ll need to know the number of monthly sign-ins in scope, the number of monthly audit events in scope and the retention time.
Sign-ins and audit events
Based on calculations with our customers, you can state that each user generates 50 to 200 sign-in events per day and that for each user in an organization 5 to 20 changes are required per day that result in an audit event. For smaller organizations, the numbers of events are at the lower end of these spectrums, because the complexity is lower. For large organizations, the numbers are at the high end of the spectrum.
Luckily, based on the default 30 day retention in Azure AD itself, the number of sign-ins and audit events can be spotted easily.
The data retention is an additional cost beyond the default 31 day retention period.
Now, sign-ins pack a lot more information than audit events. To stream a sign-in event to Azure Log Analytics takes a packet of about 4 KB. An audit event packs 2 KB.
Small organizations (< 350 users)
As the first 5 GBs are included per month, this solution would be free for smaller organizations. In fact, for every organization up to 350 users, streaming Azure AD logs to Log Analytics would be free with the default retention period of 31 days.
Medium organization (2,000 users)
Let’s look at an organization of 2,000 users. Now, ingress traffic would accumulate to roughly 25 GB per month. For 20 GBs, we would pay for ingress traffic: $ 46 per month.
When adjusting the retention period to 2 years (an additional 23 months) for an organization of 2,000 users, streaming 5 GBs of data to Log Analytics, the bill would add up to $ 46 for the data retention.
$ 1,104 per year for an integrated log retention solution for all Azure AD logs with a 2 year retention period? Not bad.
Large organization (100,000 users)
Looking at organizations of 100,000 users, the numbers are slightly different. An organization this size probably sees 150 sign-ins and 15 audit events per user per day.
The sign-ins equate to 1.67 TB of monthly ingress traffic and a $ 3,936 per month bill for Azure Log Analytics, when using the default 31-day data retention period. Adding 2 year retention to that mix results in an additional $ 3,947 per month.
Adding audit logs to the mix at 4 KB each, they come in at 90 GB of monthly ingress data. As we’ve used the free 5 GB per month for sign-ins, we pay for each event, totaling $ 207 per month. Adding 2 years retention racks up an additional $ 207 per month.
$ 8,297 per month for an integrated log retention solution for all Azure AD logs with a 2 year retention period? Not bad either for that scale…
Azure Log Analytics is a cost-efficient way to have an integrated log retention solution for all Azure AD logs. For organizations with fewer than 350 users and moderate complexity, the solution is free for scenarios where the default retention period suffices, like sending alerts when an emergency access account is used.
The above graph displays a bandwidth of 50 – 200 daily sign-ins per user in Azure AD. Costs are based on Azure Log Analytics list pricing in the East US Azure datacenter and displayed in USD.
For larger organizations, the monthly bill of course adds up, but the price per user goes down significantly. Add Azure Sentinel to the mix and that default 90 day retention period shaves another 9% off the costs for data retention.
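The sizing method used throughout this post, including the effect of Azure Sentinel's 90-day included retention, written out as an added Python example (not code from the original post). It assumes a 30-day month, binary gigabytes, one 5 GB free allowance shared by both log types, and retention charged on the full monthly volume at steady state; the function and parameter names are hypothetical, and results are estimates that can differ slightly from the rounded figures above.

```python
# Added example: constants are the list prices and event sizes quoted in this post.
KB_PER_GB = 1024 ** 2           # assumption: binary gigabytes
DAYS_PER_MONTH = 30             # assumption: 30-day billing month
SIGNIN_KB = 4                   # size of one streamed sign-in event
AUDIT_KB = 2                    # size of one streamed audit event
FREE_GB = 5                     # free ingestion per month
INGEST_USD_PER_GB = 2.30
RETAIN_USD_PER_GB_MONTH = 0.10


def monthly_ingest_gb(users, signins_per_user_day, audits_per_user_day):
    """Monthly Azure AD log volume in GB for the given per-user daily event rates."""
    kb_per_user_day = signins_per_user_day * SIGNIN_KB + audits_per_user_day * AUDIT_KB
    return users * kb_per_user_day * DAYS_PER_MONTH / KB_PER_GB


def monthly_bill(users, signins_per_user_day, audits_per_user_day,
                 retention_months=1, included_months=1):
    """Return (ingest_gb, ingestion_usd, retention_usd) per month at steady state.

    included_months is 1 for the 31 days bundled with ingestion, 3 with Azure Sentinel.
    """
    if min(users, signins_per_user_day, audits_per_user_day) < 0:
        raise ValueError("counts must be non-negative")
    gb = monthly_ingest_gb(users, signins_per_user_day, audits_per_user_day)
    # Only the volume above the free allowance is billed for ingestion.
    ingestion = max(gb - FREE_GB, 0) * INGEST_USD_PER_GB
    # Each month of retention beyond the included period is billed per stored GB.
    extra_months = max(retention_months - included_months, 0)
    retention = gb * extra_months * RETAIN_USD_PER_GB_MONTH
    return gb, ingestion, retention


if __name__ == "__main__":
    scenarios = [("350 users, low activity", 350, 50, 5),
                 ("2,000 users, mid activity", 2000, 100, 10),
                 ("100,000 users, sign-ins only", 100_000, 150, 0)]
    for label, users, signins, audits in scenarios:
        for months, included in ((1, 1), (24, 1), (24, 3)):
            gb, ingest, retain = monthly_bill(users, signins, audits, months, included)
            print(f"{label}: keep {months} mo (incl. {included}): "
                  f"{gb:,.1f} GB, ${ingest:,.2f} ingest + ${retain:,.2f} retention")
```

To size your own tenant, replace the per-user rates with the sign-in and audit event counts you observe over the 30 days Azure AD retains by default.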