Defender onboarding workspace default vs. custom confusion

AdamBudzinskiAZA-0329 91 Reputation points



Need some advice. I’ve inherited a tenant with multiple subscriptions, basically a mess. I’m, on the other hand, new to the Defender for Cloud portfolio. I’ve seen that some subscriptions have been randomly onboarded to Defender for Servers, Storage, etc., with no real, clear pattern.


I’m also seeing a bunch of Log Analytics workspaces that match the naming pattern DefaultWorkspace-{subscription-id}-WEU, in a resource group with the pattern defaultresourcegroup-weu. Reading here, this looks like the default setup for Defender for Cloud.

User's image

Yet, more surprisingly, there are custom workspaces as well created on a per subscription basis, and that would be explained here:

User's image

I have now, two questions:


  1. Can I onboard any new subscriptions to a custom workspace DIRECTLY by creating it beforehand, instead of letting the custom workspace / rsg be created? From what it looks like, already existing subscriptions have been re-configured to report server telemetry to the custom ones in the respective subscriptions.
  2. Lastly, the yellow marked text. Does that mean that if I have, say, 4 subscriptions, I can’t use a single Log Analytics workspace that would be home for the telemetry from all the 4 subscriptions? Or, as written, is it really a MUST condition, so that I have a custom Log Analytics workspace per subscription?

Thank you!

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

1 answer

  1. Andrew Blumhardt 9,771 Reputation points Microsoft Employee

    The workspace is only used by Defender for Servers and Defender for Databases. You might be able to specify a different workspace when activating Defender for Servers. You can always redirect to a new workspace after activation. The unused default workspaces can be deleted after you redirect. You can consolidate them all into one. In fact, it is recommended to use your Sentinel workspace for centralization if you have one. This can lower Windows Security Event collection costs by passing on the Defender for Servers P2, 500MB daily discount.
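
An added example (not part of the original thread and not Microsoft's code): a small Python planner for the consolidation the answer describes. It sorts workspaces into default ones nothing reports to, default ones still in use until the redirect, and custom ones to review by hand. It assumes you have already exported, per subscription, the workspace resource ID it currently reports to; the subscription IDs, the `rg-security` resource group and the `law-*` workspace names are constructed.

```python
import re

# Naming pattern quoted in the question: DefaultWorkspace-{subscription-id}-WEU.
# Assumption: other regions use the same shape with a different suffix.
DEFAULT_NAME = re.compile(r"^DefaultWorkspace-[0-9a-f-]{36}-[A-Za-z0-9]+$", re.I)
WORKSPACE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<name>[^/]+)$", re.I)

def is_default(workspace_id):
    """True if the resource ID names an auto-created default workspace."""
    m = WORKSPACE_ID.match(workspace_id)
    if not m:
        raise ValueError(f"not a workspace resource ID: {workspace_id!r}")
    return bool(DEFAULT_NAME.match(m["name"]))

def plan(current, existing, target):
    """current: {subscription: workspace ID it reports to today};
    existing: every workspace ID found in the tenant; target: the central one."""
    users = {}
    for sub, wid in current.items():
        users.setdefault(wid.lower(), []).append(sub)
    result = {"redirect": sorted(s for s, w in current.items() if w.lower() != target.lower()),
              "unused_defaults": [], "defaults_still_in_use": [], "custom_review": []}
    for wid in sorted(existing):
        if wid.lower() == target.lower():
            continue
        if not is_default(wid):
            result["custom_review"].append(wid)          # custom: may hold other data
        elif wid.lower() in users:
            result["defaults_still_in_use"].append(wid)  # unused only after redirect
        else:
            result["unused_defaults"].append(wid)        # nothing in `current` targets it
    return result

# Constructed sample tenant: three subscriptions, none of these IDs are real.
SUB = {n: f"{n * 8}-0000-0000-0000-000000000000" for n in "abc"}

def ws_id(sub, rg, name):
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{name}")

DEFAULTS = {n: ws_id(s, "defaultresourcegroup-weu", f"DefaultWorkspace-{s}-WEU")
            for n, s in SUB.items()}
CUSTOM_B = ws_id(SUB["b"], "rg-security", "law-custom-b")
CENTRAL = ws_id(SUB["a"], "rg-security", "law-central")
CURRENT = {SUB["a"]: DEFAULTS["a"], SUB["b"]: CUSTOM_B, SUB["c"]: CENTRAL}
PLAN = plan(CURRENT, [*DEFAULTS.values(), CUSTOM_B, CENTRAL], CENTRAL)
```

Only the `unused_defaults` bucket matches what the answer calls deletable; check each workspace for data from other sources before removing it.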