
In Computers and Technology / College | 2025-07-05

You have an Azure subscription that is linked to a Microsoft Entra tenant. You need to be able to store Microsoft Entra logs and query by using Kusto Query Language (KQL). The solution must minimize administrative effort. Where should you store Microsoft Entra logs?

Select only one answer.
A. Azure Event hub
B. Azure SQL database
C. Azure Storage account
D. Azure Log Analytics workspace

Asked by sarumiayoola17

Answer (2)

The best option for storing Microsoft Entra logs and querying them with KQL is to use Azure Log Analytics workspace. This solution minimizes administrative effort and provides robust querying and log management features. It supports seamless integration and advanced functionalities for efficient log analysis.

Answered by Anonymous | 2025-07-06

Answer
D. Azure Log Analytics workspace
Explanation
To store Microsoft Entra logs and query them using Kusto Query Language (KQL) with minimal administrative effort, an Azure Log Analytics workspace is the best solution. Log Analytics workspaces are designed for log data collection, analysis, and querying using KQL, making them ideal for this scenario.
Why Log Analytics Workspace?

Native KQL support: Log Analytics workspaces support KQL for querying logs, which meets the requirement.

Log collection and storage: It can collect and store Microsoft Entra logs, providing a centralized location for log data.

Minimized administrative effort: Using a Log Analytics workspace minimizes administrative effort because it's specifically designed for log analytics and integrates well with Azure services.


Other Options

Azure Event Hub: While Event Hubs can stream log data, they require additional setup for querying with KQL.

Azure SQL Database: Not optimized for log analytics or KQL queries.

Azure Storage Account: Requires additional processing and querying setup.


Conclusion
An Azure Log Analytics workspace is the most suitable option for storing Microsoft Entra logs and querying them using KQL with minimal administrative effort.

Answered by Caesar2050 | 2025-07-06
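
As an added example (not part of either answer above), this is the kind of KQL query that becomes possible once Microsoft Entra sign-in logs are stored in a Log Analytics workspace. It assumes the sign-in logs are routed to the workspace so that the `SigninLogs` table exists; the lookback window and threshold are constructed values to adjust for your tenant.

```kusto
// Added example: source IPs with many failed Entra sign-ins in the lookback window.
// Assumes Entra sign-in logs are sent to this workspace (SigninLogs table).
let lookback = 24h;          // constructed value
let failureThreshold = 10;   // constructed value
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"    // ResultType "0" means the sign-in succeeded
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(UserPrincipalName),
    Apps           = make_set(AppDisplayName, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by IPAddress
| where FailedAttempts >= failureThreshold
| order by FailedAttempts desc
```

A high `DistinctUsers` count for one IP address is worth triaging first, since it indicates many accounts failing from a single source rather than one user mistyping a password.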