Important: Avoid Unexpected Azure Charges from Recent Deployments

We’re reaching out to make you aware of a recent increase in unexpected Microsoft Azure charges tied to new resource deployments, particularly where log ingestion and new security services are involved. Below is an overview of what’s driving these costs and our recommendations to help you stay ahead of them.

What’s driving the unexpected charges

1. Log Analytics/Sentinel ingestion from Content Hub solutions: When Microsoft Sentinel solutions are deployed from the Content Hub, they can enable new data connectors and start sending additional tables into a Log Analytics workspace. Ingestion volume for those tables is billed to your workspace, which can quickly add cost if left at default settings.
2. Security Copilot rollout with Microsoft 365 E5: Microsoft announced that Security Copilot is being included with Microsoft 365 E5 in a phased rollout. Activation is occurring tenant by tenant over the coming months. During rollout, entitlements may not be fully active in all tenants immediately. Also note that Security Copilot capacity is governed by Security Compute Units (SCUs), and provisioned capacity is billed hourly, which can accrue charges even when prompts aren’t actively being used.

What we recommend

• Set budget & anomaly alerts in Azure Cost Management at the subscription or resource group level, so you’re notified about spikes before the month’s end.
• Review cost analysis for your Log Analytics workspaces and Sentinel resource groups; identify which tables/log categories are contributing most and tune accordingly (see “Optimizations” below).
• If testing Security Copilot, start with the minimum provisioned SCUs (or rely on your E5 included capacity once it’s active), set overage to zero during pilots, and monitor the usage dashboard hourly.

Log Analytics / Sentinel cost optimizations

• Limit high-volume, low-value logs (e.g., verbose diagnostic categories), and enable Basic Logs where appropriate.
• Use commitment tiers for production workspaces to align daily ingestion with discounted tiers; adjust up/down as your ingestion pattern changes.
• Separate non-security operational data into a non-Sentinel workspace; query cross workspace when needed.
• Consider dedicated clusters if you’re consistently ingesting at very high volumes (≥ ~500 GB/day).

Security Copilot guardrails

• Confirm entitlement status (E5 inclusion) for your tenant before provisioning extra capacity.
• Provision only what you need (e.g., 1–3 SCUs for initial exploration), and schedule changes at the top of the hour to avoid double-billing within the same hour block.
• Set overage limits conservatively (or to zero) during early adoption; review the usage dashboard weekly.

Billing cadence reminder

Azure usage is invoiced in arrears, so spikes from new resources may not show up on your invoice until later. To avoid surprises, rely on near-real-time alerts and Azure Cost Analysis rather than waiting for the invoice.

MicroAge provides Azure support to all our clients through CSP and will open, manage, and escalate cases with Microsoft on your behalf. When unexpected charges occur (for example, unintended log ingestion), we will make a best effort request for a goodwill credit from Microsoft.

Important note: In recent months, Microsoft has implemented more stringent criteria for these credit requests, resulting in fewer approvals.

Outcomes depend on the specifics of the case (telemetry, timing, entitlement status, and corrective actions). To improve the likelihood of success, MicroAge can help you document:

• The timeline of the event and when it was detected
• The resource IDs/workspace involved
• Current policies/diagnostic settings and changes made to remediate
• Screenshots from Cost Analysis and any budget/anomaly alerts triggered

Regardless of credit outcome, our focus is to contain the spend immediately and put preventive guardrails in place going forward.

How MicroAge can help

• Align your subscriptions to the Cloud Adoption Framework (CAF) and implement cost guardrails for budgets, tags, RBAC, policies, alerts, and cost optimization with our Azure Discovery & Optimization service.
• Tune Microsoft Sentinel ingestion for value and set the right commitment tier for predictable spend.
• Plan a secure, cost-optimized rollout of Security Copilot, SCU sizing, and usage monitoring.
• Accelerate migrations and deployments with our Azure Migration and Managed Cloud services.

If you’d like us to review your current setup or enable budget/anomaly alerts for you, please contact us at solutions@microage.com, and we’ll schedule a quick working session. This policy will be created for active MicroAge Azure Managed Service clients, and our team will respond to notifications to prevent any unexpected usage charges.