This chapter covers Microsoft Sentinel multi-workspace architecture, a critical topic for the SC-200 exam. You will learn how to deploy, manage, and query multiple Log Analytics workspaces within a single Sentinel environment to support large enterprises with distributed data residency, compliance, and organizational boundaries. Approximately 10-15% of exam questions touch on multi-workspace concepts, including cross-workspace queries, centralized analytics, and incident management. Mastering this chapter will help you design scalable Sentinel deployments and answer scenario-based questions confidently.
Jump to a section
Imagine a global corporation with headquarters in New York, a regional office in London, and a data center in Singapore. Each location has its own security team that monitors local alarms and cameras. The New York team sees only the New York building, London sees only London, and Singapore sees only the data center. A coordinated attack might start with a phishing email to a London employee, then move to the Singapore data center, and finally exfiltrate data through a compromised New York server. No single local team can see the full attack chain. To solve this, the company creates a central Global Security Operations Center (GSOC). Each local security system sends a copy of its alarm logs and camera feeds to the GSOC in real time. The GSOC analysts use a unified dashboard to view all locations simultaneously. They can run queries across all data to correlate events—like seeing a login from London followed by a data transfer from Singapore. The local teams retain their own systems for immediate response, and the GSOC can also send alerts back to local teams. This is exactly how multi-workspace Sentinel architecture works: each workspace is like a local office, and cross-workspace queries, analytics rules, and UEBA allow the SOC to see the enterprise-wide threat landscape.
What is Multi-Workspace Sentinel Architecture?
Microsoft Sentinel is a cloud-native SIEM that typically runs on a single Log Analytics workspace. However, many organizations need multiple workspaces due to: - Data residency requirements: Certain countries require data to stay within their borders (e.g., EU, UK, Australia). - Regulatory compliance: Industries like finance or healthcare may require strict separation of data. - Organizational boundaries: Different business units or subsidiaries with independent security teams. - Cost management: Splitting data to control ingestion costs per workspace. - Operational autonomy: Local SOC teams managing their own incidents.
Multi-workspace Sentinel allows you to connect multiple workspaces under a single pane of glass using cross-workspace queries, analytics rules, and workbooks.
How Multi-Workspace Architecture Works Internally
Each Sentinel workspace is independent with its own data, analytics rules, and incidents. The key enabling technologies are:
1. Cross-workspace queries via KQL union operator: You can write a query that spans multiple workspaces by specifying their identifiers. For example:
union workspace("workspace1").SecurityEvent, workspace("workspace2").SecurityEvent
| where TimeGenerated > ago(1d)
| summarize count() by AccountThis allows a single query to pull data from up to 10 workspaces in a single query (default limit). The query is executed across all workspaces simultaneously, and results are merged.
Centralized analytics rules: You can create analytics rules that use cross-workspace queries. When a rule is triggered, it can create an incident in the workspace where the rule is defined. That workspace becomes the 'central' workspace for incident management. However, the rule can query data from other workspaces.
Cross-workspace UEBA: User and Entity Behavior Analytics (UEBA) profiles can be enriched with data from multiple workspaces. This is critical for detecting lateral movement across organizational boundaries.
Cross-workspace workbooks: Workbooks can include cross-workspace queries to provide a unified dashboard.
Incident management: Incidents created by cross-workspace analytics rules are stored in the workspace where the rule is defined. You can use automation rules to forward incidents to a central workspace or to notify other workspaces.
Key Components, Values, Defaults, and Timers
Maximum workspaces per query: The union operator with workspace() can reference up to 10 workspaces. To query more than 10, you need to use multiple union statements or a workspace list stored in a function.
Cross-workspace query latency: Data from remote workspaces may have an additional latency of 30-60 seconds compared to local data due to network and processing delays.
Cost implications: Cross-workspace queries incur data egress charges if workspaces are in different Azure regions. Data transfer within the same region is free. This is a key consideration for cost management.
Permission requirements: To query a workspace, the user must have at least Reader permissions on that workspace. For analytics rules, the rule's identity (Managed Identity or service principal) must have read access to all queried workspaces.
Data retention: Each workspace retains data according to its own retention policy. Cross-workspace queries respect the retention of each source workspace.
Configuration and Verification Commands
To set up cross-workspace queries, you need the workspace IDs. You can find them in the Azure portal under each Log Analytics workspace > Properties. Alternatively, use Azure CLI:
az monitor log-analytics workspace list --query "[].{name:name, id:customerId, resourceId:id}"To verify cross-workspace query permissions, run a test query in the central workspace:
union workspace("workspace1").Usage, workspace("workspace2").Usage
| take 10If you get results, permissions are correct.
How Multi-Workspace Interacts with Related Technologies
Azure Lighthouse: Allows a service provider to manage multiple Sentinel workspaces across different tenants. This is essential for MSSPs.
Azure Policy: Can enforce deployment of Sentinel and data connectors across multiple workspaces.
Automation rules and playbooks: Can be configured to run across workspaces, e.g., a playbook that queries multiple workspaces and creates a unified incident.
Microsoft 365 Defender: Integrates with Sentinel and can send alerts to a single workspace, but if you have multiple workspaces, you need to decide which workspace receives the alerts. This is often a design decision.
Common Architectures
Centralized: A single workspace for all data. Simplest but may violate data residency.
Decentralized: Each region/unit has its own workspace, with no cross-workspace queries. Each SOC team works independently.
Hybrid (most common): Multiple workspaces with a central workspace for cross-correlation and global visibility. The central workspace may have analytics rules that query all others.
Exam Focus: What SC-200 Tests
The SC-200 exam expects you to:
Understand the scenarios requiring multiple workspaces.
Know how to write cross-workspace KQL queries using workspace().
Understand the limitations (10 workspaces per query, data egress costs).
Know how to configure centralized analytics rules that span workspaces.
Be aware of Azure Lighthouse for cross-tenant scenarios.
Recognize that UEBA can be cross-workspace.
Common Wrong Answers
"You can only query 5 workspaces": Wrong. The limit is 10.
"Cross-workspace queries are free": Wrong. Data egress between regions costs.
"You need a separate Sentinel instance per workspace": Correct, but you can manage them centrally.
"Incidents are automatically replicated across workspaces": Wrong. Incidents stay in the workspace where the rule is defined.
Edge Cases the Exam Loves
Data residency: If a customer needs data to stay in Europe, you cannot use a central workspace in the US. You must use a European workspace as central.
MSSP scenario: The service provider uses Azure Lighthouse to manage multiple customer workspaces from a single portal.
Cross-tenant queries: Requires Azure Lighthouse or explicit permissions.
How to Eliminate Wrong Answers
If the question mentions "data residency", the answer likely involves multiple workspaces with local retention.
If the question asks about "centralized incident management", look for a central workspace with analytics rules that query other workspaces.
If the question mentions "cost" and "multiple regions", consider data egress charges.
Summary
Multi-workspace Sentinel architecture is essential for enterprises with complex compliance, organizational, or geographic requirements. The exam tests your ability to design and query such environments. Master cross-workspace KQL, understand the 10-workspace limit, and know when to use Azure Lighthouse.
Assess Requirements for Multiple Workspaces
Begin by identifying business drivers: data residency (e.g., GDPR requires EU data stay in EU), organizational boundaries (different subsidiaries), or compliance (e.g., PCI DSS). Document the number of workspaces needed and their regions. Consider cost implications: each workspace incurs its own ingestion and retention costs. Also note that Sentinel is priced per workspace, so multiple workspaces increase base costs. This step is crucial because the architecture will determine query performance and administrative overhead.
Deploy Sentinel Workspaces in Required Regions
Create a Log Analytics workspace in each required region (e.g., East US, West Europe). Enable Microsoft Sentinel on each workspace. Ensure that each workspace has the appropriate data connectors installed (e.g., Azure Activity, Microsoft 365 Defender). For data residency, configure retention policies per workspace to meet local regulations. Use Azure Policy to enforce consistent deployment of Sentinel and connectors across workspaces. This step is straightforward but must be done correctly to avoid later rework.
Configure Permissions for Cross-Workspace Access
To allow a central workspace to query data from other workspaces, the central workspace's analytics rule identity (Managed Identity or service principal) must have at least Reader role on each remote workspace. Also, users executing cross-workspace queries need Reader on all workspaces they query. Use Azure Lighthouse for cross-tenant scenarios. This step is often overlooked, leading to query failures. Verify permissions by running a simple cross-workspace query.
Create Centralized Analytics Rules with Cross-Workspace Queries
In the central workspace, create analytics rules that use the `union workspace()` operator to query multiple workspaces. For example, to detect a user logging in from multiple regions within 5 minutes: `union workspace('ws-eu').SigninLogs, workspace('ws-us').SigninLogs | where TimeGenerated > ago(5m) | summarize count() by UserPrincipalName | where count_ > 1`. The rule can be scheduled to run every 5 minutes. Incidents will be created in the central workspace. Be aware of the 10-workspace limit per query; if more workspaces are needed, break queries into multiple rules or use a function that iterates.
Set Up Cross-Workspace Workbooks and UEBA
Create workbooks that use cross-workspace queries to provide a unified dashboard. For UEBA, enable UEBA on each workspace, but note that UEBA profiles are per-workspace. To get a cross-workspace view, you can query UEBA tables from multiple workspaces. For example: `union workspace('ws-eu').BehaviorAnalytics, workspace('ws-us').BehaviorAnalytics | where TimeGenerated > ago(7d)`. This gives a unified view of user behavior. However, UEBA enrichment (e.g., user metadata) is per workspace, so you may miss some context if a user exists in multiple workspaces.
Implement Incident Management and Automation
Since incidents are created in the workspace where the rule is defined, you may want to forward incidents to a central workspace for unified management. Use automation rules with playbooks to copy incidents to a central workspace, or use Azure Logic Apps to create incidents in a central workspace based on alerts from multiple workspaces. Alternatively, use Azure Lighthouse to manage incidents across workspaces from a single portal. This step ensures that SOC analysts have a single view of all incidents.
Enterprise Scenario 1: Global Financial Institution with Data Residency Requirements
A multinational bank has offices in the US, EU, and Asia. Regulatory requirements mandate that all security data generated in the EU must remain within EU borders. The bank deploys Sentinel workspaces in West Europe (for EU data), East US (for US data), and Southeast Asia (for APAC data). Each local SOC team manages its own workspace for day-to-day operations. However, the global SOC needs to detect cross-region attacks, such as a user logging in from the US and then accessing a sensitive system in the EU minutes later. To achieve this, the central SOC workspace (East US) contains analytics rules that query the EU and APAC workspaces using cross-workspace queries. The central workspace also has a workbook that shows global threat trends. The bank uses Azure Policy to enforce that all workspaces have the same data connectors and retention settings. One challenge is data egress costs: querying the EU workspace from the US incurs egress charges. The bank mitigates this by scheduling queries during off-peak hours and limiting the frequency of cross-region queries. Another issue is latency: cross-region queries take longer, so the bank sets analytics rules to run every 10 minutes instead of 5 to avoid overlapping queries.
Enterprise Scenario 2: MSSP Managing Multiple Customers
A managed security service provider (MSSP) monitors security for 50 customers. Each customer has its own Sentinel workspace in the customer's own Azure tenant. The MSSP uses Azure Lighthouse to manage all customer workspaces from a single portal. The MSSP deploys a central workspace in its own tenant that contains analytics rules for cross-customer correlation, such as detecting a known malicious IP that appears across multiple customers. However, the MSSP cannot query customer workspaces from its central workspace due to tenant boundaries unless Azure Lighthouse is configured. With Azure Lighthouse, the MSSP's users have Reader access to each customer workspace. The MSSP also creates cross-workspace workbooks that show all customers' alert trends. One common pitfall is that analytics rules in the central workspace cannot create incidents in customer workspaces; incidents are created in the MSSP's workspace. To address this, the MSSP uses automation rules to send alerts to each customer's workspace via webhook or Logic App.
Enterprise Scenario 3: Large Enterprise with Organizational Boundaries
A conglomerate has multiple independent subsidiaries (e.g., automotive, healthcare, finance). Each subsidiary has its own security team and wants to manage its own Sentinel workspace. However, the parent company wants a global view of threats. They deploy a central workspace for the parent company. Each subsidiary's workspace sends selected high-fidelity alerts to the central workspace using continuous export or automation rules. The central workspace does not query the subsidiary workspaces directly due to cost and complexity; instead, it relies on forwarded alerts. This architecture reduces cross-workspace query costs and respects subsidiary autonomy. The parent company uses a workbook that aggregates alerts from all subsidiaries. One challenge is that the central workspace cannot perform deep investigations on subsidiary data without querying the subsidiary workspace. The parent company addresses this by granting its SOC analysts Reader access to subsidiary workspaces for on-demand queries.
What Goes Wrong When Misconfigured
Incorrect permissions: Cross-workspace queries fail silently or return partial results. Always verify permissions with a test query.
Exceeding 10-workspace limit: Queries fail with an error. Use multiple queries or a function to work around this.
Data egress cost surprise: Cross-region queries can incur significant costs. Plan to minimize cross-region data movement.
Incident visibility: Incidents created in a central workspace may not be visible to local teams unless automation is set up.
UEBA fragmentation: UEBA profiles are per-workspace, so a user active in multiple workspaces has separate profiles. This can miss cross-workspace anomalies.
What SC-200 Tests on Multi-Workspace Architecture
The SC-200 exam objective 2.1 covers "Design and configure a Microsoft Sentinel workspace" which includes multi-workspace considerations. Specific subtopics tested:
- Identify scenarios requiring multiple workspaces (data residency, compliance, organizational boundaries).
- Configure cross-workspace queries using KQL workspace() function.
- Understand limitations (10 workspaces per query, data egress costs).
- Implement centralized analytics rules that span multiple workspaces.
- Use Azure Lighthouse for cross-tenant management.
- Explain how UEBA works across workspaces.
Most Common Wrong Answers and Why Candidates Choose Them
"You can query up to 5 workspaces in a single query" – This is wrong because the actual limit is 10. Candidates confuse this with other limits like 5 data connectors per workspace.
"Cross-workspace queries are free if workspaces are in the same subscription" – Wrong. Data egress is based on region, not subscription. Even same subscription, different regions incur costs.
"Incidents are automatically synchronized across workspaces" – Wrong. Incidents stay in the workspace where the analytics rule is defined. Candidates assume that since data is queried across workspaces, incidents would be visible across all, but that is not the case.
"You need to create a separate Sentinel instance for each workspace" – This is actually correct, but candidates might think you can have one Sentinel managing multiple workspaces without separate instances. Each workspace requires Sentinel enabled separately.
"UEBA works seamlessly across workspaces without configuration" – Wrong. UEBA is per workspace. To get cross-workspace UEBA, you must query multiple workspaces and merge results.
Specific Numbers and Terms That Appear Verbatim
10 workspaces: The maximum number of workspaces that can be queried in a single union statement using workspace(). This exact number appears in exam questions.
Azure Lighthouse: The term used for cross-tenant management. Questions may describe a scenario with multiple tenants and ask what to use.
Data egress charges: The cost associated with cross-region queries. The exam may ask about cost optimization.
workspace() function: The KQL function used to reference another workspace. Must know syntax: workspace("workspaceID").TableName.
Reader role: Minimum permission required to query a workspace.
Edge Cases and Exceptions
Cross-tenant queries without Azure Lighthouse: Not possible directly. You must use Azure Lighthouse or a service principal with permissions in both tenants.
Workspaces in different clouds (e.g., Azure Government vs. Commercial): Not supported for cross-workspace queries.
Analytics rules using cross-workspace queries: The rule's query must not exceed 10 workspaces. If more are needed, use multiple rules or a function.
Data retention: Cross-workspace queries respect the retention of each source workspace. If a workspace has 30-day retention, data older than 30 days is not available.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If the question asks about "data residency", the correct answer will involve multiple workspaces in different regions, not a single workspace.
If the question asks about "cost", consider data egress between regions. Answers that mention "free" are usually wrong.
If the question asks about "incident management", remember incidents are created where the rule runs. Answers that suggest automatic replication are wrong.
If the question asks about "querying multiple tenants", look for Azure Lighthouse.
If the question asks about "UEBA across workspaces", the answer will involve querying multiple workspaces or using a central workspace with cross-workspace queries.
Multi-workspace architecture is used for data residency, compliance, and organizational boundaries.
Cross-workspace KQL queries use the `workspace()` function and can reference up to 10 workspaces per query.
Data egress charges apply when querying workspaces in different Azure regions.
Analytics rules with cross-workspace queries create incidents only in the workspace where the rule is defined.
Azure Lighthouse enables cross-tenant management of multiple Sentinel workspaces.
UEBA is per workspace; cross-workspace UEBA requires manual querying of multiple workspaces.
Permissions: At least Reader role on each workspace is needed to query it.
These come up on the exam all the time. Here's how to tell them apart.
Single Workspace Architecture
Simplest to manage; all data in one place.
No cross-workspace query overhead or costs.
UEBA and analytics rules work seamlessly.
Cannot meet data residency requirements across regions.
Single point of failure; if workspace is compromised, all data is at risk.
Multi-Workspace Architecture
Supports data residency and compliance by region.
Allows organizational boundaries and independent SOC teams.
Requires cross-workspace queries which have a 10-workspace limit.
Incidents are not automatically shared; needs automation.
Higher administrative overhead and potential data egress costs.
Mistake
You can query an unlimited number of workspaces in a single KQL query.
Correct
The maximum is 10 workspaces per `union` statement using `workspace()`. To query more, you must use multiple queries or a function.
Mistake
Cross-workspace queries are free as long as workspaces are in the same subscription.
Correct
Data egress charges apply when workspaces are in different Azure regions, regardless of subscription. Same region queries are free.
Mistake
Incidents created from a cross-workspace analytics rule are automatically visible in all workspaces involved.
Correct
Incidents are stored only in the workspace where the analytics rule is defined. They are not replicated to other workspaces automatically.
Mistake
UEBA automatically aggregates user behavior across all workspaces.
Correct
UEBA profiles are per workspace. To get cross-workspace UEBA, you must manually query multiple workspaces and merge results.
Mistake
You can use a single Sentinel instance to manage multiple workspaces without separate deployments.
Correct
Each workspace requires Sentinel to be enabled separately. However, you can manage multiple workspaces from a single Azure portal view using Azure Lighthouse or cross-workspace queries.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
You can query up to 10 workspaces in a single `union` statement using the `workspace()` function. If you need to query more, you can use multiple `union` statements or create a function that iterates over a list of workspaces. The exam tests this exact limit, so remember 10.
Yes, if the workspaces are in different Azure regions, data egress charges apply. Queries between workspaces in the same region are free. The exam may present scenarios where cost is a concern, and you should choose the architecture that minimizes cross-region queries.
Yes, you can create analytics rules with cross-workspace queries. The rule runs in the workspace where it is defined and can query other workspaces. The incident will be created in that same workspace. Ensure the rule's identity has read permissions on all queried workspaces.
Use Azure Lighthouse. This allows a service provider (or central IT) to manage workspaces in multiple tenants from a single Azure portal. Without Lighthouse, cross-tenant queries are not possible. The exam expects you to know Lighthouse for MSSP scenarios.
The query will fail with an error. You must redesign the query to use multiple statements or break it into separate rules. The exam may present this as a troubleshooting question.
UEBA profiles are per workspace. To get a cross-workspace view of user behavior, you need to query the `BehaviorAnalytics` table from multiple workspaces using a `union` statement. However, enrichment data (like user metadata) is per workspace, so you may miss some context.
There is no built-in incident forwarding. However, you can use automation rules with playbooks (Logic Apps) to create incidents in another workspace based on alerts. Alternatively, use Azure Lighthouse to view incidents across workspaces from a single portal.
You've just covered Multi-Workspace Sentinel Architecture — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?