Secure your Azure Monitor deployment

This article provides instructions for deploying Azure Monitor securely and explains how Microsoft secures Azure Monitor.

Log ingestion and storage

Grant access to data in the workspace based on need

1. Set the workspace access control mode to Use resource or workspace permissions to allow resource owners to use resource-context to access their data without being granted explicit access to the workspace. This simplifies your workspace configuration and helps to ensure users only have access to the data they need.
   Instructions: Manage access to Log Analytics workspaces
2. Assign the appropriate built-in role to grant workspace permissions to administrators at the subscription, resource group, or workspace level depending on their scope of responsibilities.
   Instructions: Manage access to Log Analytics workspaces
3. Apply table-level RBAC for users who require access to a set of tables across multiple resources. Users with table permissions have access to all the data in the table regardless of their resource permissions.
   Instructions: Manage access to Log Analytics workspaces

Send data to your workspace using Transport Layer Security (TLS) 1.2 or higher

If you use agents, connectors, or the Logs ingestion API to send data to your workspace, use Transport Layer Security (TLS) 1.2 or higher to ensure the security of your data in transit. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and, while they still currently work to allow backwards compatibility, they are not recommended, and the industry is quickly moving to abandon support for these older protocols.

The PCI Security Standards Council has set a deadline of June 30, 2018 to disable older versions of TLS/SSL and upgrade to more secure protocols. Once Azure drops legacy support, if your agents can't communicate over at least TLS 1.3, you won't be able to send data to Azure Monitor Logs.

We recommend that you do NOT explicitly set your agent to only use TLS 1.3 unless necessary. Allowing the agent to automatically detect, negotiate, and take advantage of future security standards is preferable. Otherwise, you might miss the added security of the newer standards and possibly experience problems if TLS 1.3 is ever deprecated in favor of those newer standards.

Important

On 1 July 2025, in alignment with the Azure wide legacy TLS retirement, TLS 1.0/1.1 protocol versions will be retired for Azure Monitor Logs. To provide best-in-class encryption, Azure Monitor Logs uses Transport Layer Security (TLS) 1.2 and 1.3 as the encryption mechanisms of choice.

For any general questions around the legacy TLS problem, see Solving TLS problems and Azure Resource Manager TLS Support.

Set up log query auditing

1. Configure log query auditing to record the details of each query that's run in a workspace.
   Instructions: Audit queries in Azure Monitor Logs
2. Treat the log query audit data as security data and secure access to the LAQueryLogs table appropriately.
   Instructions: Configure access to data in the workspace based on need.
3. If you separate your operational and security data, send the audit logs for each workspace to the local workspace, or consolidate in a dedicated security workspace.
   Instructions: Configure access to data in the workspace based on need.
4. Use Log Analytics workspace insights to review log query audit data periodically.
   Instructions: Log Analytics workspace insights.
5. Create log search alert rules to notify you if unauthorized users are attempting to run queries.
   Instructions: Log search alert rules.

Ensure immutability of audit data

Azure Monitor is an append-only data platform, but it includes provisions to delete data for compliance purposes. To secure your audit data:

1. Set a lock on your Log Analytics workspace to block all activities that could delete data, including purge, table delete, and table- or workspace-level data retention changes. However, keep in mind that this lock can be removed.
   Instructions: Lock your resources to protect your infrastructure

2. If you need a fully tamper-proof solution, we recommend you export your data to an immutable storage solution:

   1. Determine the specific data types that should be exported. Not all log types have the same relevance for compliance, auditing, or security.
   2. Use data export to send data to an Azure storage account.
      Instructions: Log Analytics workspace data export in Azure Monitor
   3. Set immutability policies to protect against data tampering.
      Instructions: Configure immutability policies for blob versions

Filter or obfuscate sensitive data in your workspace

If your log data includes sensitive information:

1. Filter records that shouldn't be collected using the configuration for the particular data source.
2. Use a transformation if only particular columns in the data should be removed or obfuscated.
   Instructions: Transformations in Azure Monitor
3. If you have standards that require the original data to be unmodified, use the 'h' literal in KQL queries to obfuscate query results displayed in workbooks.
   Instructions: Obfuscated string literals

Purge sensitive data that was collected accidentally

1. Check periodically for private data that might accidentally be collected in your workspace.
2. Use data purge to remove unwanted data. Note that data in tables with the Auxiliary plan can't currently be purged.
   Instructions: Managing personal data in Azure Monitor Logs and Application Insights

Link your workspace to a dedicated cluster for enhanced security

Azure Monitor encrypts all data at rest and saved queries using Microsoft-managed keys (MMK). If you collect enough data for a dedicated cluster, link your workspace to a dedicated cluster for enhanced security features, including:

• Customer-managed keys for greater flexibility and key lifecycle control. If you use Microsoft Sentinel, then make sure that you're familiar with the considerations at Set up Microsoft Sentinel customer-managed key.
• Customer Lockbox for Microsoft Azure to review and approve or reject customer data access requests. Customer Lockbox is used when a Microsoft engineer needs to access customer data, whether in response to a customer-initiated support ticket or a problem identified by Microsoft. Lockbox can't currently be applied to tables with the Auxiliary plan.

Instructions: Create and manage a dedicated cluster in Azure Monitor Logs

Block workspace access from public networks using Azure private link

Microsoft secures connections to public endpoints with end-to-end encryption. If you require a private endpoint, use Azure private link to allow resources to connect to your Log Analytics workspace through authorized private networks. You can also use Private link to force workspace data ingestion through ExpressRoute or a VPN.

Instructions: Design your Azure Private Link setup

Alerts

Control log search alert rule permissions using managed identities

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials. Setting a managed identity for your log search alert rules gives you control and visibility into the exact permissions of your alert rule. At any time, you can view your rule’s query permissions and add or remove permissions directly from its managed identity.

Using a managed identity is required if your rule’s query is accessing Azure Data Explorer (ADX) or Azure Resource Graph (ARG).

Instructions: Create or edit a log search alert rule.

Assign the Monitoring Reader role to all users who don’t need configuration privileges

Enhance security by giving users the least privileges required for their role.

Instructions: Roles, permissions, and security in Azure Monitor.

Use secure webhook actions where possible

If your alert rule contains an action group that uses webhook actions, prefer using secure webhook actions for stronger authentication.

Instructions: Configure authentication for Secure webhook.

Use customer managed keys if you need your own encryption key to protect data and saved queries in your workspaces

Azure Monitor encrypts all data and saved queries at rest using Microsoft-managed keys (MMK). If you require your own encryption key and collect enough data for a dedicated cluster, use customer-managed keys for greater flexibility and key lifecycle control.

Instructions: Customer-managed keys.

If you use Microsoft Sentinel, seeSet up Microsoft Sentinel customer-managed key.

Virtual machine monitoring

Implement security monitoring of VMs using Azure security services

While Azure Monitor can collect security events from your VMs, it isn't intended to be used for security monitoring. Azure includes multiple services such as Microsoft Defender for Cloud and Microsoft Sentinel that together provide a complete security monitoring solution. See Security monitoring for a comparison of these services.

Connect VMs to Azure Monitor through a private endpoint using Azure private link

Microsoft secures connections to public endpoints with end-to-end encryption. If you require a private endpoint, use Azure private link to allow resources to connect to your Log Analytics workspace through authorized private networks. You can also use Private link to force workspace data ingestion through ExpressRoute or a VPN.

Instructions: Design your Azure Private Link setup

Container monitoring

Connect clusters to Container insights using managed identity authentication

Managed identity authentication is the default authentication method for new clusters. If you're using legacy authentication, migrate to managed identity to remove the certificate-based local authentication.

Instructions: Migrate to managed identity authentication

Send data from clusters to Azure Monitor through a private endpoint using Azure private link

Azure managed service for Prometheus stores its data in an Azure Monitor workspace, which uses a public endpoint by default. Microsoft secures connections to public endpoints with end-to-end encryption. If you require a private endpoint, use Azure private link to allow your cluster to connect to the workspace through authorized private networks. Private link can also be used to force workspace data ingestion through ExpressRoute or a VPN.

Instructions: See Enable private link for Kubernetes monitoring in Azure Monitor for details on configuring your cluster for private link. See Use private endpoints for Managed Prometheus and Azure Monitor workspace for details on querying your data using private link.

Monitor network traffic to and from clusters using traffic analytics

Traffic analytics analyzes Azure Network Watcher NSG flow logs to provide insights into traffic flow in your Azure cloud. Use this tool to ensure there's no data exfiltration for your cluster and to detect if any unnecessary public IPs are exposed.

Enable network observability

Network observability add-on for AKS provides observability across the multiple layers in the Kubernetes networking stack. Monitor and observe access between services in the cluster (east-west traffic).

Instructions: Set up Container Network Observability for Azure Kubernetes Service (AKS)

Secure your Log Analytics workspace

Container insights sends data to a Log Analytics workspace. Make sure to secure log ingestions and storage in your Log Analytics workspace.

Instructions: Log ingestion and storage.

How Microsoft secures Azure Monitor

The instructions in this article build on the Microsoft security responsibility model. As part of this model of shared responsibility, Microsoft provides these security measures to Azure Monitor customers:

• Azure infrastructure security
• Azure customer data protection
• Encryption of data in transit during data ingestion
• Encryption of data at rest with Microsoft managed keys
• Microsoft Entra authentication for data plane access
• Authentication of Azure Monitor Agent and Application Insights using managed identities
• Privileged access to data plane actions using Role-Based Access Control (Azure RBAC)
• Compliance with industry standards and regulations

Azure security guidance and best practices

Azure Monitor secure deployment instructions are based on and consistent with Azure's comprehensive cloud security guidelines and best practices, which include:

• Cloud Adoption Framework, which provides security guidance for teams that manage the technology infrastructure.
• Azure Well-Architected Framework, which provides architectural best practices for building secure applications.
• Microsoft cloud security benchmark (MCSB), which describes the available security features and recommended optimal configurations.
• Zero Trust security principles, which provides guidance for security teams to implement technical capabilities to support a Zero Trust modernization initiative.

Next step

• Learn more about getting started with Azure Monitor.