0.5 Lab Setup: Azure Subscription and Sentinel Workspace

45 minutes · Module 0 · Free

Microsoft Sentinel runs on Azure. You need an Azure subscription linked to your M365 tenant, a Log Analytics workspace, and Sentinel enabled on that workspace. This subsection walks through all three.

Getting an Azure subscription

If you used the M365 Developer Program (Option 1): The developer program does not include Azure. You need a separate Azure subscription. Use the Azure Free Account (below).

If you used M365 E5 Trial or Paid License (Options 2-3): Same — Azure is separate from M365.

Azure Free Account: Navigate to azure.microsoft.com/en-us/free. Sign in with the SAME Microsoft account you used for your M365 tenant. The Azure free account includes $200 credit for 30 days and 12 months of select free services. Sentinel itself is not free — it charges per GB of data ingested — but the free credit covers lab usage easily.

Sign in with the same account as your M365 tenant

If you use a different Microsoft account for Azure than for M365, the two environments are not linked. Sentinel will not be able to see your M365 data. Use the same account (or the same Entra ID tenant) for both.

Azure for Students: If you have a .edu email address, azure.microsoft.com/en-us/free/students provides $100 credit without a credit card. This is sufficient for the lab exercises.

Creating a Log Analytics workspace

Sentinel needs a Log Analytics workspace to store its data. Think of the workspace as the database where all your security logs live.

Step 1: Navigate to portal.azure.com. Sign in with your tenant admin account.

Step 2: In the search bar at the top, type “Log Analytics workspaces” and select it.

Step 3: Click “+ Create.”

Step 4: Fill in the details:

  • Subscription: Select your Azure subscription
  • Resource group: Click “Create new” → name it rg-sentinel-lab → OK
  • Name: law-sentinel-lab (or any name — this is your workspace identifier)
  • Region: Select the region closest to you. For UK users, “UK South.” For US users, “East US.” This affects data residency and query latency.

Step 5: Click “Review + Create” → “Create.” The workspace deploys in about 60 seconds.

Workspace naming and region matter

The workspace name must be globally unique across all Azure tenants. If “law-sentinel-lab” is taken, add your initials or a number. The region determines where your data is stored — for compliance and performance, choose the region closest to your physical location. In production, this is a critical decision covered in Module 7.2. For lab purposes, any region works.

Enabling Microsoft Sentinel

Step 1: In the Azure portal search bar, type “Microsoft Sentinel” and select it.

Step 2: Click “+ Create.”

Step 3: Select the Log Analytics workspace you just created (law-sentinel-lab).

Step 4: Click “Add.” Sentinel is now enabled on your workspace.

The Sentinel overview page appears. It will be mostly empty — no incidents, no data connectors, no analytics rules. That is expected. You will populate it starting in Module 7.

Connecting your M365 data to Sentinel

For the course exercises to work, Sentinel needs data from your M365 tenant. We will connect the Microsoft Defender XDR connector now and add other connectors in Module 8.

Step 1: In Sentinel, navigate to Configuration → Data connectors.

Step 2: Search for “Microsoft Defender XDR” and select it.

Step 3: Click “Open connector page.”

Step 4: Under “Connect incidents and alerts,” check the box and click “Connect.” This sends Defender XDR incidents and alerts to your Sentinel workspace.

Step 5: Under “Connect events,” select the tables you want to ingest. For the course, enable:

  • DeviceProcessEvents
  • DeviceNetworkEvents
  • DeviceFileEvents
  • DeviceLogonEvents
  • DeviceInfo
  • DeviceEvents
  • EmailEvents
  • EmailAttachmentInfo
  • EmailUrlInfo
  • EmailPostDeliveryEvents
  • IdentityLogonEvents
  • IdentityQueryEvents
  • CloudAppEvents

Click “Apply Changes.”

Table ingestion costs money

Every GB of data ingested into Sentinel costs approximately $5.22 for the first 5 GB/day (Analytics tier, pay-as-you-go). In a lab environment with 6 test users and minimal activity, you will ingest far less than 1 GB/day — well within the Azure free credit. But if you connect a production tenant, costs increase rapidly. Module 7 covers cost management in depth.

Step 6: Also connect the Entra ID connector. Navigate to Data connectors → search “Microsoft Entra ID” → Open connector page → Under “Diagnostic settings,” click “Launch Azure Policy” or configure manually to send Sign-in logs and Audit logs to your workspace.

Verification

After connecting, data takes 5-30 minutes to start flowing. Verify by navigating to Sentinel → Logs and running:

search *
| where TimeGenerated > ago(1h)
| summarize count() by Type
| sort by count_ desc

You should see at least a few table names with event counts. If the query returns no results after 30 minutes, recheck your data connector configuration — the most common issue is the Defender XDR connector not having the event tables selected.
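A more targeted version of that check, added here as an example and not part of the course material: it compares the tables the two connectors should produce against what actually arrived in the last 24 hours, so a table you ticked but that never landed shows up as MISSING. It assumes the standard Log Analytics table names for Entra ID sign-in and audit logs (SigninLogs, AuditLogs) and for Sentinel incidents and alerts (SecurityIncident, SecurityAlert).

```kql
// Added example: connector health check for the lab workspace.
// Expected tables = the Defender XDR event tables selected in Step 5, plus the
// Entra ID and Sentinel incident/alert tables (names assumed, see lead-in).
let ExpectedTables = dynamic([
    "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceFileEvents",
    "DeviceLogonEvents", "DeviceInfo", "DeviceEvents",
    "EmailEvents", "EmailAttachmentInfo", "EmailUrlInfo", "EmailPostDeliveryEvents",
    "IdentityLogonEvents", "IdentityQueryEvents", "CloudAppEvents",
    "SigninLogs", "AuditLogs", "SecurityIncident", "SecurityAlert"
]);
// Everything that reached the workspace recently, keyed by table name
let Observed = union withsource=Table *
    | where TimeGenerated > ago(24h)
    | summarize Events = count(), LastSeen = max(TimeGenerated) by Table;
// Turn the expected list into rows, then left-join so tables with no data keep a null Events
print Table = ExpectedTables
| mv-expand Table to typeof(string)
| join kind=leftouter Observed on Table
| extend Status = iff(isnull(Events), "MISSING", "OK")
| project Table, Status, Events = coalesce(Events, long(0)), LastSeen
| sort by Status asc, Table asc   // MISSING rows first
```

Email and identity tables stay MISSING until the test users actually send mail or sign in, so an empty row there is not necessarily a connector fault; a MISSING Device* table on a tenant with onboarded devices usually is.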

Lab cost summary

Component                             Cost for lab use          Notes
M365 E5 (Developer Program)           Free                      If you qualify
M365 E5 (Trial)                       Free for 30 days          Credit card required
M365 E5 (Paid)                        $57/month                 One license sufficient
Azure Free Account                    $200 credit for 30 days   Covers several months of lab Sentinel usage
Sentinel ingestion                    ~$0.50-$2/month in lab    6 users generate minimal data
Total (qualifying Developer Program)  $0-$2/month
Total (paid license + Azure)          ~$59/month
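To check the ingestion estimate in this table against what your workspace is really billing, the following query (an added example, not course material) reads the built-in Usage table and projects a monthly cost per data type. The per-GB rate is taken from the figure quoted earlier on this page and is an assumption; confirm it against the current Azure pricing page.

```kql
// Added example: per-table ingestion over the last 7 days and a rough monthly cost.
// PricePerGB is the pay-as-you-go figure quoted on this page (assumption).
let PricePerGB = 5.22;
let LookbackDays = 7.0;
Usage
| where TimeGenerated > ago(7d)
| where IsBillable == true                          // skip data types that are not charged
| summarize IngestedMB = sum(Quantity) by DataType  // Usage reports Quantity in MB
| extend DailyGB = round(IngestedMB / 1024.0 / LookbackDays, 4)
| extend EstMonthlyUSD = round(DailyGB * 30 * PricePerGB, 2)
| sort by DailyGB desc
```

If the DailyGB total creeps toward the 1 GB/day figure mentioned above, a single noisy table (typically DeviceNetworkEvents or DeviceProcessEvents) is usually the reason, and you can deselect it on the connector page until it is needed.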

Verification checklist

Before moving to subsection 0.6, confirm:

  • You can access portal.azure.com with your tenant admin account
  • A Log Analytics workspace exists (law-sentinel-lab or your name)
  • Microsoft Sentinel is enabled on the workspace
  • The Microsoft Defender XDR data connector is connected with event tables selected
  • The Entra ID connector is configured for sign-in and audit logs
  • The search query above returns results (after 30 minutes of connection time)