Azure Monitor pricing is dominated by Log Analytics, where the bill comes from ingestion (per GB) and retention (per GB-month beyond the 31-day free retention). Three commercial layers compound: Log Analytics tier choice (Pay-As-You-Go vs Commitment Tiers from 100 GB/day to 5 TB/day, 15–30% off list); log type choice per table (Analytics Logs full-feature vs Basic Logs at a fraction of the cost but with restricted query and retention); and Sentinel, which adds a SIEM-tier surcharge on top of the same ingested data. The four levers that cut observability spend 30–55%: drop the noise (most workspaces ingest 20–40% data that's never queried), move auxiliary tables to Basic Logs, hit the right Commitment Tier, and review Sentinel data connectors against actual detection rule usage.
How Azure Monitor and Log Analytics bill
Azure Monitor pricing is essentially Log Analytics pricing for most enterprises. The line items:
- Log Analytics ingestion: per-GB ingested into the workspace. Pay-As-You-Go ~$2.76/GB; Commitment Tiers from 100 GB/day (~15% off) to 5,000 GB/day (~30% off).
- Log Analytics retention: free for 31 days; per-GB-month thereafter (Analytics retention is more expensive; Archive retention is cheaper).
- Basic Logs ingestion: per-GB at ~25% of Analytics Logs cost, but query is pay-per-query and retention is shorter.
- Application Insights: same pricing as Log Analytics (since Workspace-based AI consolidates).
- Microsoft Sentinel: per-GB SIEM surcharge layered on top of Log Analytics ingestion; Commitment Tiers also available on Sentinel separately.
- Custom metrics, Container Insights, VM Insights: per-time-series or per-monitored-node meters that compound at scale.
The structural mistake we see: enterprises treat Log Analytics as a flat-rate observability bill and ignore the per-table ingestion mix. In a typical workspace, 5–8 noisy tables drive 60–80% of ingestion cost.
Pay-As-You-Go vs Commitment Tiers
Commitment Tiers commit to a daily GB volume in exchange for a per-GB discount. The break-even point: if your sustained daily ingestion exceeds the next tier's threshold, the tier is cheaper than PAYG even after counting the wasted commitment on light days.
| Tier | Daily commit | Approx discount vs PAYG | Right-size rule |
|---|---|---|---|
| PAYG | None | 0% | For workspaces <100 GB/day and unstable ingest. |
| 100 GB/day | 100 GB | ~15% | Step up once steady-state >100 GB/day for 30+ days. |
| 500 GB/day | 500 GB | ~22% | Sweet spot for many enterprise workspaces. |
| 1 TB / 2 TB / 5 TB | Per tier | ~25–30% | Verify against P50, not P95. Overcommitting wastes. |
The audit: pull 90 days of daily ingestion per workspace, compute P50 (not P95 — commitment overage above tier still bills at PAYG, so the floor matters), set commitment at the highest tier where P50 stays above the threshold.
Basic Logs vs Analytics Logs: the per-table decision
Microsoft introduced Basic Logs as a cheaper ingestion mode for high-volume, low-query tables (firewall logs, IIS access logs, container stdout). Basic Logs cost ~25% of Analytics Logs to ingest but: queries cost per-GB-scanned, retention is capped, and KQL feature set is restricted (no joins across tables, no summarisation operators).
The audit lever: for each high-volume table, ask "is this table queried interactively, or only via scheduled rules and detection logic?" Tables queried only by automated rules are usually fine on Basic Logs. Moving the top 5 noisiest tables from Analytics to Basic typically cuts the workspace bill by 25–40%.
Sentinel data connectors default to ingest-everything for "full visibility." The Microsoft security narrative emphasises breadth, but the actual SOC analyst rarely uses 100% of the connected sources. Two-thirds of typical Sentinel ingestion drives less than 10% of triggered detections. Audit each data connector against the detection rules that actually fire. Disconnect or reduce sources that don't feed a fired rule in 90 days.
Microsoft Sentinel: the SIEM surcharge
Sentinel layers per-GB SIEM analytics on top of Log Analytics ingestion. The combined effective rate for "Sentinel-monitored" data is roughly 2x non-Sentinel Log Analytics ingest. Sentinel has its own Commitment Tier structure separate from Log Analytics, so workspaces with substantial Sentinel-monitored ingestion should commit on both meters.
Sentinel cost levers: free data sources (Azure AD/Entra audit logs, Azure activity logs, Office 365 audit logs, AWS CloudTrail in some configurations — check current product terms); auxiliary log retention for sources required for compliance but rarely investigated; reducing on-premises connector volume by upstream filtering.
Custom metrics, Container and VM Insights
Two meters quietly compound on monitored estates: custom metrics (priced per time-series per month) and Insights products billed per-monitored-resource. Container Insights and VM Insights bill per node-hour and ingest substantial logs by default. Configure data collection rules to exclude verbose namespaces and tune the scrape interval; the default rates are designed for visibility, not efficiency.
Anonymised case study: $570K Log Analytics reduction
A healthcare client ran three Log Analytics workspaces aggregating 1.4 TB/day ingestion, with $1.3M/year Azure Monitor spend including Sentinel. The audit found: 38% of ingestion was Container Insights stdout from chatty namespaces; the workspaces were on PAYG with a steady-state floor of 1.1 TB/day; firewall logs and IIS access logs were on Analytics tier despite being queried only by scheduled detection rules; Sentinel was connected to nine data sources of which three had triggered zero rules in 120 days. Remediation: data collection rule filters dropped container noise by 35%; workspaces moved to a 1 TB/day Commitment Tier; firewall/IIS tables converted to Basic Logs; three Sentinel connectors disabled. Annual saving: $570K (44% of prior spend). The client now reviews ingestion per table monthly as part of its Azure cost management discipline.
The Microsoft Licensing Briefing — 3 minutes, every Friday
Independent analysis of Microsoft commercial moves, with implications for your EA and Azure commit. No vendor spin.
No spam. Unsubscribe any time.
Where to take this from here
Log Analytics is one of the fastest-growing line items on most Azure invoices. Sequence the work: ingest-noise audit first (data collection rules, container log filters); Commitment Tier alignment second; Basic Logs migration third; Sentinel connector review fourth. Pair with Azure cost management tools for the operational dashboard, Azure Firewall licensing if firewall logs dominate ingestion, and Azure MACC explainer for the commitment that absorbs observability spend. For renewal leverage, the EA tier collapse 2026 playbook. For end-to-end support, our Azure & MACC Advisory covers observability cost as part of total Azure cost discipline. Request a discovery call to benchmark.