Azure Services: Optimize the Costs of Resources You’re Not Using

Introduction: “Many organizations have Microsoft or Azure subscriptions with advanced capabilities such as Defender for Cloud, Microsoft Sentinel, or Azure Automation... but they never activate them. The result? Sunk costs and underutilized security.”

Context

A regional financial entity contracted an Azure subscription with advanced security coverage (Microsoft Defender for Cloud, Microsoft Sentinel, Defender for Servers) as part of a Microsoft 365 E5 and Azure Security Center bundle. After a review of its cybersecurity posture and Azure costs, the team found that more than 70% of the included services were deactivated or improperly configured, yet the entity was still partially billed for associated instances.

Critical Underutilized Services

  • Microsoft Defender for Cloud

    • Partially active, but with no alerts or recommendations reviewed.

    • Only monitored 3 out of 14 subscriptions and did not generate Secure Scores.

    • Security policies not applied to hybrid environments or Arc-integrated on-premises machines.

  • Microsoft Sentinel (Cloud-Native SIEM)

    • Activated but with no connected sources (neither Microsoft 365, Azure AD, nor firewall logs).

    • Unused as an orchestrator (SOAR) despite its capacity to automate responses.

    • Minimum cost billed for inactive data storage.

  • Azure Automation

    • Available in all tenants but never used to shut down machines on a schedule, clean up orphaned resources, or execute maintenance scripts.

  • Defender for Identity and Defender for Endpoint P2

    • Included in Microsoft 365 E5, but never deployed, even as a pilot.

Invisible Costs and Value Waste

  • Monthly expenses in Sentinel for basic ingestion... with no actual use.

  • Superficial security: many virtual machines without Defender agents.

  • Lack of visibility into threats or lateral movement (no anomaly detection or event correlation).

Implemented Solution

  • Guided activation of Defender for Cloud across all environments.

  • Integration of Sentinel with key sources: Microsoft 365, Azure AD, firewalls, endpoints.

  • Use of Azure Automation templates for VM shutdown and cleanup of untagged resources.

  • Monthly posture score evaluation and prioritized improvement actions.

  • Power BI dashboards showing projected savings for each activated security action.

Results

  • Early detection of critical vulnerabilities in VMs and SQL Servers.

  • 30% monthly savings on misused resources (unnecessary VMs, duplicate logs, etc.).

  • Increased visibility for the SOC without purchasing additional external solutions.

  • Automation of previously manual tasks (nightly shutdown, compliance auditing).

  • Full utilization of Microsoft E5 licenses without increasing the budget.

Lessons Learned

  • Having access to advanced tools is useless if they are not activated or configured.

  • Sentinel without connectors is like an alarm without sensors.

  • Governance and visibility must be activated intentionally; don't assume that "it comes pre-configured."

  • There is hidden ROI in every unused service: it is security, visibility, and control that you are already paying for.