Removing Azure Sentinel and keep log ingestion to log analytic workspace

Question

Removing Azure Sentinel and keep log ingestion to log analytic workspace

Hung Nguyen 0

Im trying to find a direct answer but currently we have a Log Analytic Workspace with Pay as you go Sentinel and we are looking to turn off Sentinel to cut down our billing. If I turn off the sentinel through the sentinel settings page. Will that also stop the Log Analytic Workspace from receiving the logs? as we have an export to storage accounts that our other SIEM reads.

Suchitra Suregaunkar 8,955 Reputation points Microsoft External Staff Moderator

2026-03-04T19:19:22.4166667+00:00

Hello @Hung Nguyen

I hope the details shared above helped in addressing your concern.

If the suggested resolution resolved the issue, kindly consider marking the answer as "Accepted" and "Upvote" it. This helps other community members who may encounter a similar issue in the future.

If you’re still experiencing the problem or need further clarification, please feel free to share additional information so we can continue investigating and assist you further.

Thanks,

Suchitra.

1 answer

Your answer

Suchitra Suregaunkar 8,955 Reputation points Microsoft External Staff Moderator

2026-03-04T19:19:22.4166667+00:00

Hello @Hung Nguyen

I hope the details shared above helped in addressing your concern.

If the suggested resolution resolved the issue, kindly consider marking the answer as "Accepted" and "Upvote" it. This helps other community members who may encounter a similar issue in the future.

If you’re still experiencing the problem or need further clarification, please feel free to share additional information so we can continue investigating and assist you further.

Thanks,

Suchitra.

Answer 1

Hello @Hung Nguyen

Thank you for posting your query on Microsoft Q&A platform.You can safely remove Microsoft Sentinel from the Log Analytics workspace without stopping log ingestion or data export.

Removing Microsoft Sentinel does not stop the Log Analytics workspace from receiving logs. All logs collected through Azure Monitor (VMs via AMA, diagnostic settings, platform logs, custom logs, etc.) will continue to flow into the workspace as usual.

If you have Log Analytics Data Export rules configured to send data to a Storage Account, those exports will also continue to work normally. Data export is an Azure Monitor / Log Analytics feature, not dependent on Microsoft Sentinel.

What does change after removing Microsoft Sentinel:

Microsoft Sentinel resources are removed (analytics rules, incidents, hunting queries, automation, and Sentinel‑specific tables).
Sentinel data connectors are disconnected.
Microsoft Sentinel billing stops.
Log Analytics ingestion charges still apply for data collected by Azure Monitor.

What does not change:

The Log Analytics workspace itself is not deleted.
Log ingestion into the workspace continues.
Data export to Storage Accounts continues.
Other SIEM tools can keep reading logs from the Storage Account.

This is the supported approach when the goal is to reduce Sentinel costs while continuing log collection and exports.

References:

Implications of removing Microsoft Sentinel from a workspace https://learn.microsoft.com/azure/sentinel/offboard-implications
Log Analytics workspace overview (Azure Monitor) https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-workspace-overview
Log Analytics data export (Azure Monitor) https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export

Thanks,

Suchitra.

Share via

Removing Azure Sentinel and keep log ingestion to log analytic workspace

1 answer

Your answer