I need some help and assistance in configuring my current Azure Entra ID Premium P2 tenant to allow Azure Sentinel to ingest logs and query using KQL with no additional or monthly cost.
I can see the below article mentioning there is no data charged when ingesting these alerts and logs to Sentinel:
| Microsoft Sentinel data connector |
Free data type |
| Azure Activity Logs |
AzureActivity |
| Azure Activity Logs |
AzureActivity |
| Microsoft Entra ID Protection |
SecurityAlert (IPC) |
| Office 365 |
OfficeActivity (SharePoint) |
|
OfficeActivity (Exchange) |
|
OfficeActivity (Teams) |
| Microsoft Defender for Cloud |
SecurityAlert (Defender for Cloud) |
| Microsoft Defender for IoT |
SecurityAlert (Defender for IoT) |
| Microsoft Defender XDR |
SecurityIncident |
|
SecurityAlert |
| Microsoft Defender for Endpoint |
SecurityAlert (MDATP) |
| Microsoft Defender for Identity |
SecurityAlert (AATP) |
| Microsoft Defender for Cloud Apps |
SecurityAlert (Defender for Cloud Apps) |
https://video2.skills-academy.com/en-us/azure/sentinel/billing?tabs=simplified%2Ccommitment-tiers#free-data-sources
However, I am not sure where to start to configure the Azure Sentinel part.
I assume this https://azure.microsoft.com/en-au/pricing/details/microsoft-sentinel/ pricing is only applicable when I am ingesting some data sources, other than the above.
Thank you in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)