Emergency Break Glass sign-in using storage account rather than Log Analytics workspace

AnnaG 166 Reputation points
2022-07-31T16:20:07.687+00:00

I would like to put break glass emergency accounts in place in Azure. Everything I look at uses Log Analytics or Sentinel.
Our customer already sends logs for audit and sign-ins to a storage account. For this reason I want to send the logs to a Log Analytics Workspace as well, but I do not think this can be avoided, right? I need to generate a query and this requires Log Analytics, but doesn't it mean more costs because I have the same logs in two different locations? Good for Microsoft, not so good for the customer?

Can you please let me know if this is correct? If I need to also send to another Log Analytics Workspace and have no choice, I will set this up. Just wanted to make 100% sure there was no other way.

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

1 answer

  1. Andrew Blumhardt 10,066 Reputation points Microsoft Employee
    2022-07-31T17:17:11.62+00:00

    I am not clear on the association between a break glass account and Log Analytics? You can use logs to monitor and alert on account usage. https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

    Azure Monitor workspaces (log analytics) are billed based on the volume of data ingested. This includes 31 days of retention. Most diagnostic logs are fairly inexpensive to collect. It really depends on the volume of data. These logs are readily accessible and are fairly easy to add alerts if needed. https://azure.microsoft.com/en-in/pricing/details/monitor

    Azure Activity logs are free in Log Analytics, AAD audit logs are not.
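
Added example, not part of the question or the answer above: a sketch of checking sign-in records already archived to a storage account for any use of an emergency access account. It assumes the archived blob holds one JSON record per line with the field names shown; the account object ID and all sample records are constructed placeholders.

```python
import json

# Assumption: object IDs of the emergency access accounts (placeholder value).
BREAK_GLASS_IDS = {"00000000-0000-0000-0000-0000000000a1"}

def _rec(cat, uid, upn, ip, code):
    # Builds one constructed record in the assumed export shape.
    return json.dumps({"time": "2022-07-31T16:00:00Z", "category": cat,
                       "properties": {"userId": uid, "userPrincipalName": upn,
                                      "ipAddress": ip,
                                      "status": {"errorCode": code}}})

BG = "00000000-0000-0000-0000-0000000000A1"  # same ID, different letter case
# Constructed sample blob: one JSON record per line, last line truncated.
SAMPLE_BLOB = "\n".join([
    _rec("SignInLogs", "11111111-1111-1111-1111-111111111111",
         "user@contoso.example", "203.0.113.5", 0),
    _rec("SignInLogs", BG, "bg1@contoso.example", "198.51.100.7", 0),
    _rec("AuditLogs", BG, "bg1@contoso.example", "198.51.100.7", 0),
    _rec("SignInLogs", BG, "bg1@contoso.example", "198.51.100.9", 50126),
    '{"time": "2022-07-31T16:05:00Z", "categ',
])

def find_break_glass_signins(blob_text, account_ids):
    """Return every sign-in attempt (successful or failed) by the given IDs."""
    wanted = {i.lower() for i in account_ids}
    hits = []
    for line in blob_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line; skip it
        if not isinstance(rec, dict) or rec.get("category") != "SignInLogs":
            continue
        props = rec.get("properties") or {}
        if str(props.get("userId", "")).lower() not in wanted:
            continue
        status = props.get("status") or {}
        hits.append({"time": rec.get("time"),
                     "user": props.get("userPrincipalName"),
                     "ip": props.get("ipAddress"),
                     "success": status.get("errorCode") == 0})
    return hits

if __name__ == "__main__":
    for hit in find_break_glass_signins(SAMPLE_BLOB, BREAK_GLASS_IDS):
        print("ALERT break glass sign-in:", hit)
```

Failed attempts are reported as well as successes, since any sign-in activity on an emergency account is worth reviewing.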

