top of page
Search

How to Remove Microsoft Sentinel (Security Insights) from a Log Analytics Workspace

  • Writer: Shannon
    Shannon
  • 1 day ago
  • 4 min read

Over the course of my career, I've picked up various Visual Studio Subscriptions that enable me to build and maintain a small Azure footprint to the tune of $150/month. My Microsoft Certified Trainer subscription is one of those subscriptions! I use this subscription for Azure Monitor, Log Analytics, and Azure Update Manager, as Microsoft is deprecating WSUS. When I initially built out my Log Analytics workspace, I enabled Microsoft Sentinel on the back end (along with other solutions), didn't realize it (as I had the whole build process templated out), so when I turned on Azure Update Manager a few months back, my tiny little subscription would wind up disabled about 17 days into the month. Once I discovered the culprit and my learnings, I figured I'd blog about this because chances are, I'm not the only one in this predicament.


When you enable Microsoft Sentinel, what you are really doing is attaching the SecurityInsights solution to an existing Log Analytics workspace. That solution brings in analytic rules, dashboards, and automation hooks that make Sentinel tick (it also increases the overall monthly Sentinel costs). Sometimes you want to remove Sentinel while keeping the workspace and its logs intact (and in this instance, I most definitely did).


The good news as I found out: you do not need to redeploy the workspace. Instead, you remove the SecurityInsights solution that Sentinel installs. This post walks you through how to do that from the portal, CLI, and PowerShell.


Removing Sentinel from the Portal

  1. Open the Azure Portal.

  2. Navigate to Microsoft Sentinel.

  3. Select the workspace where Sentinel is enabled.

  4. Go to Settings and choose Remove Microsoft Sentinel from this workspace.


This removes the SecurityInsights solution but leaves the workspace untouched. The harder thing is I couldn't simply disable in the portal...I had to hit the REST API directly with PowerShell (I can't even screen grab what I saw or the errors as I immediately went to PowerShell...whoops!). Given that I've done a ton with PowerShell and blogs in recent weeks, I figured I'd also whip up the AzCLI commands as well. This way I'm helping out a broader audience!


Removing Sentinel with Azure CLI

For those who prefer the AzCLI, the process is straightforward:

# Assign values to variables
ResourceGroupName=nameOfResourceGroup
LogAnalyticsWorkspace=nameOfLogAnalyticsWorkspace

az monitor log-analytics solution delete \
  --resource-group $ResourceGroupName \
  --workspace-name $LogAnalyticsWorkspace \
  --name SecurityInsights

Replace nameOfResourceGroup and nameOfLogAnalyticsWorkspace with your actual values. As always, if it's easier to grab directly from GitHub, head here.


Removing Sentinel with PowerShell

In PowerShell, the SecurityInsights solution is modeled as a resource of type Microsoft.OperationsManagement/solutions. The resource name follows this format:

SolutionName(WorkspaceName)

For Sentinel, the solution name is always SecurityInsights.


Here is a reusable script with parameters, synopsis, and error handling (just in case you also face gnarlier sides of running Azure):

<#
.SYNOPSIS
Removes the Microsoft Sentinel (SecurityInsights) solution from a Log Analytics workspace.

.DESCRIPTION
This script detaches Microsoft Sentinel by removing the SecurityInsights solution.
The Log Analytics workspace remains intact along with other solutions and data.

.PARAMETER ResourceGroupName
The name of the resource group containing the Log Analytics workspace.

.PARAMETER WorkspaceName
The name of the Log Analytics workspace where Sentinel is enabled.

.EXAMPLE
.\Remove-Sentinel.ps1 -ResourceGroupName "RG-Security" -WorkspaceName "LA-Workspace"

.NOTES
Author: Shannon Eldridge-Kuehn
Date:   2025-08-24
#>

[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$ResourceGroupName,

    [Parameter(Mandatory = $true)]
    [string]$WorkspaceName
)

# Construct the solution name format
$solutionName = "SecurityInsights($WorkspaceName)"

Write-Output "Removing SecurityInsights solution $solutionName from workspace $WorkspaceName in resource group $ResourceGroupName..."

try {
    Remove-AzResource -ResourceGroupName $ResourceGroupName `
                      -ResourceType "Microsoft.OperationsManagement/solutions" `
                      -ResourceName $solutionName `
                      -Force -ErrorAction Stop

    Write-Output "Successfully removed SecurityInsights from the workspace."
}
catch {
    Write-Error "Failed to remove SecurityInsights. Details: $_"
}

Save this script so you can run it against your resource group and workspace name to remove the solution. Once again...as always, if it's easier to grab directly from GitHub, head here.


Verifying Removal

To confirm that Sentinel is detached:

  • Run the following command to check that SecurityInsights($WorkspaceName) no longer appears:

Get-AzResource -ResourceGroupName $ResourceGroupName | `
	Where-Object { 
	$_.ResourceType -eq "Microsoft.OperationsManagement/solutions"
}

  • Additionally, in the Azure Portal, your workspace should no longer show up under Microsoft Sentinel.

  • As with all my posts, if it's easier to grab this code directly from GitHub, head here.


Cleaning Up Leftover Sentinel Artifacts

Removing the SecurityInsights solution detaches Sentinel, but it does not always remove dependent resources that you may have created while using it. These artifacts can continue to live in your subscription:


  • Analytic Rules

    Navigate to Microsoft Sentinel → Configuration → Analytics and delete any custom rules you no longer need.

  • Playbooks (Logic Apps)

    If you configured automated responses, those Logic Apps remain in the resource group. Remove them manually if they are no longer required.

  • Workbooks and Dashboards

    Custom Sentinel workbooks and dashboards must be cleaned up separately under Azure Monitor or Sentinel Workbooks.

  • Hunting Queries

    Any saved hunting queries will still exist under the workspace and can be deleted from the Hunting blade.

  • Automation Rules

    Go to Microsoft Sentinel → Automation and remove rules that are no longer applicable.


Performing this cleanup ensures the workspace is completely free of Sentinel-related resources, which is especially important if you are preparing the environment for a clean redeployment or handoff.


Key Takeaways

  • You do not need to redeploy your Log Analytics workspace to turn off Sentinel (thankfully!).

  • Sentinel is enabled and disabled by attaching or removing the SecurityInsights solution.

  • You can remove it via Portal, CLI, or PowerShell depending on your workflow (in my case, I resorted to PowerShell, since I couldn't remove it from the portal directly).

  • Always verify that the solution is gone before assuming Sentinel has been fully detached.

  • Clean up leftover rules, playbooks, and dashboards if you want a truly clean workspace.

Comments

© 2020 Shannon B. Kuehn

  • LinkedIn
  • Twitter
bottom of page