Microsoft Solutions Partner · 11,000+ engagements

Azure Monitor + Application Insights Observability Guide (2026)

The unified Microsoft observability plane — metrics, logs, traces, APM, Kubernetes, VMs, and network. OpenTelemetry-native, SLO-driven, cost-optimized, delivered by a senior-architect-led 29-year Microsoft Solutions Partner.

Book an observability briefing Call 888-381-9725

What is Azure Monitor and how do enterprises deploy it with Application Insights, Log Analytics, and Container Insights as a unified observability plane? Azure Monitor is the unified Microsoft observability platform covering metrics, logs, traces, and alerts across every Azure resource. Application Insights is the application performance monitoring component for distributed tracing and APM, Log Analytics is the KQL-queryable structured log store, Container Insights covers AKS workloads, and VM Insights plus Network Insights cover the infrastructure and network layers. Enterprises deploy the platform through a five-phase Assess, Modernize, Govern, Operate, Enable program that migrates application instrumentation to the Azure Monitor OpenTelemetry distro, rationalizes Log Analytics workspaces and table-level data plan tiers for cost optimization, designs SLO and SLI alerting against multi-window multi-burn-rate patterns, and integrates with Microsoft Sentinel and Microsoft Defender XDR for unified operations and security signal correlation.

Azure Monitor is the unified Microsoft observability plane — metrics, logs, traces, alerts, dashboards, and workbooks. Application Insights ships APM and distributed tracing; Log Analytics ships the KQL-queryable structured log store; Container Insights and VM Insights and Network Insights cover the infrastructure layers. The Azure Monitor OpenTelemetry distro is the recommended path for new application instrumentation and the migration target from the classic Application Insights SDK. EPC Group delivers the full observability platform under a fixed-fee five-phase accelerator between $150K and $500K.

Key Facts

Azure Monitor unifies metrics, logs, traces, and alerts across every Azure resource through a single platform
Application Insights is the workspace-based APM component for distributed tracing, Live Metrics, Smart Detection, and Application Map
Log Analytics workspaces support three table-level data plans — Analytics, Basic, Auxiliary — plus archive up to twelve years
Kusto Query Language is the unified query surface across Azure Monitor, Microsoft Sentinel, and Microsoft Defender XDR
Azure Monitor OpenTelemetry distro is the recommended instrumentation path — vendor-neutral, OTLP-compatible, GA for .NET, Java, Node.js, Python
Container Insights ships managed Prometheus + managed Grafana for AKS plus AKS control-plane log capture
VM Insights ships through the Azure Monitor Agent and data collection rules — single agent for metrics and logs across VMs and Arc-enrolled servers
29-year Microsoft Solutions Partner, 70+ Fortune 500 clients, 216+ M&A tenant consolidations
EPC Group five-phase Observability Accelerator delivers full activation in 10 to 16 weeks, fixed-fee $150K to $500K

The nine Azure Monitor components — what each delivers and where it fits

Azure Monitor is one platform surface composed of nine principal components plus the OpenTelemetry distro layer. Understanding what each delivers, where it fits in the observability signal pipeline, and how the pieces compose against an application architecture is the foundation of any defensible observability deployment.

Azure Monitor Metrics

Role: The numeric time-series store underneath every Azure resource — sub-minute granularity, pre-aggregated, the foundational signal class for dashboards and threshold alerts.

Platform metrics auto-collected from every Azure resource with no agent or instrumentation required
Custom metrics emitted through the Azure Monitor REST API, the Application Insights SDK, or the OpenTelemetry collector exporter
Sub-minute aggregation supporting one-second to five-minute granularity for the most demanding alerting use cases
Metric alerts evaluated server-side at the metrics store with no log-query cost overhead — the cheapest alert pattern in the platform
Multi-resource and multi-dimension metric alerts spanning subscription, region, and resource group scope in a single rule definition

Azure Monitor Logs + Log Analytics

Role: The structured log and event store across Azure resources, virtual machines, containers, applications, and any custom telemetry source — queried through Kusto Query Language (KQL).

Log Analytics workspaces are the storage substrate — every Azure log source writes to a workspace and every observability query reads from one
Kusto Query Language is the unified query surface across Azure Monitor, Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Fabric Real-Time Intelligence
Tier-by-table data plan selection — Analytics, Basic, or Auxiliary — with table-level retention from thirty days up to twelve years archive
Workspace-scoped or resource-scoped RBAC giving table-level access control for regulated multi-tenant scenarios
Cross-workspace queries supporting multi-workspace architectures without forcing centralization of all data into a single workspace

Azure Monitor Alerts + Action Groups

Role: The notification, escalation, and automated-response surface — three alert classes (metric, log, activity log) plus action groups that fan out to email, SMS, voice, webhook, ITSM, Logic Apps, Functions, and Runbooks.

Metric alerts evaluating against the metrics store with smart-detection multi-condition support and dynamic thresholds (ML-derived baselines)
Log alerts evaluating KQL queries against Log Analytics — flexible across any telemetry shape but more expensive than metric alerts
Activity log alerts covering subscription-level operations — resource creation, role assignment, service health events
Action groups defining notification channels and downstream automation paths — email, SMS, voice, webhook, Logic Apps, Functions, Automation Runbooks, ITSM connectors (ServiceNow, BMC, Cherwell)
Alert processing rules enabling tenant-level suppression, action group overrides, and time-based notification gating for change windows

Azure Monitor Workbooks + Dashboards

Role: The interactive visualization surface — parameterized KQL workbooks, ARM-templated dashboards, and shared visual reporting across the operational and executive audience.

Workbooks combine KQL queries, parameters, markdown, and rich visualizations into shareable, ARM-deployable artifacts checked into source control
Pre-built gallery covering Application Insights, VM Insights, Container Insights, Network Insights, and dozens of resource-type templates
Azure dashboards composed from metrics charts, workbook tiles, and resource health for at-a-glance operational rollups
Power BI integration through the Azure Monitor connector for stakeholder-facing reporting outside the Azure Portal
Workbook-as-code through ARM templates, Bicep modules, and Azure DevOps pipelines for repeatable observability deployments

Application Insights APM

Role: The application performance monitoring plane — distributed tracing, request and dependency telemetry, exception and code-level instrumentation, and the unified APM signal class for application engineering teams.

Auto-instrumentation for .NET, Java, Node.js, and Python with zero code changes through the codeless agent attach pattern
Manual instrumentation through the Application Insights SDK or the recommended Azure Monitor OpenTelemetry distro
Live Metrics streaming sub-second telemetry through the Azure Portal for production smoke-test windows during deployment
Distributed tracing across microservices with the W3C Trace Context propagation standard and Application Map visualization
Smart Detection ML-powered anomaly detection covering failure rate, response time, and dependency health without manual threshold setting
Workspace-based Application Insights — every component writes telemetry into the underlying Log Analytics workspace for unified KQL query

Container Insights for AKS

Role: The Kubernetes observability plane — node, pod, container, and namespace performance metrics, container stdout and stderr logs, and the integrated AKS dashboarding surface inside the Azure Portal.

Managed Prometheus and managed Grafana as the recommended metric and dashboard surface for AKS workloads
Kube-state-metrics scrape coverage across nodes, pods, deployments, daemonsets, statefulsets, jobs, and persistent volumes
Container stdout and stderr log capture into Log Analytics with namespace-scoped collection rules for cost-controlled ingestion
AKS diagnostic settings shipping cluster autoscaler, kube-audit, kube-apiserver, kube-controller-manager, and kube-scheduler logs
Single Azure Portal pane spanning node health, controller health, container logs, and live Prometheus query side-by-side with KQL

VM Insights

Role: The virtual machine observability plane — guest OS performance metrics, process inventory, and the dependency map that visualizes process-to-process network communication.

Azure Monitor Agent (AMA) replaces the legacy Log Analytics agent and Telegraf agent with a single agent for both metrics and logs
Data Collection Rules (DCRs) define what AMA collects from each machine, supporting subscription-, resource-group-, or tag-scoped policy assignment
Performance metric scrape coverage including CPU, memory, disk IOPS, disk latency, and network throughput per process
Dependency map exposes process-to-process and machine-to-machine communication patterns — invaluable for migration discovery and security hardening
Coverage extends to Azure Arc-enrolled machines on-premises, in AWS, and in GCP at parity to native Azure VMs

Network Insights

Role: The network resource observability plane — Application Gateway, Front Door, Load Balancer, Express Route, VPN Gateway, NSG flow logs, and connection monitor probes inside a single visualization.

Pre-built workbook gallery covering every Azure networking resource type with topology, performance, and health rollups
NSG flow logs ingested through traffic analytics for east-west and north-south traffic pattern visualization
Connection monitor probes measuring latency, packet loss, and reachability between Azure resources, on-premises endpoints, and external destinations
Application Gateway and Front Door access log ingestion supporting WAF rule analytics and request pattern investigation
Express Route circuit metrics, peering health, and BGP session status surfaced inside the Network Insights dashboard

OpenTelemetry Distro for Azure

Role: The vendor-neutral instrumentation standard supported natively by Azure Monitor — the Azure Monitor OpenTelemetry distro replaces the legacy Application Insights SDK as the recommended path for new application development.

Azure Monitor OpenTelemetry distro available in GA for .NET, Java, Node.js, and Python with auto-instrumentation parity to the classic SDK
OpenTelemetry Protocol (OTLP) ingestion supported through the Azure Monitor exporter, enabling collector-based architectures
OpenTelemetry collector recipes for AKS, virtual machines, and serverless platforms shipped through the Azure Monitor documentation
Migration path from Application Insights classic SDK to OpenTelemetry distro with documented telemetry-name and attribute-name mapping
Cross-vendor portability — the same OpenTelemetry instrumentation can ship telemetry to Azure Monitor, Datadog, Honeycomb, or any OTLP-compatible backend

Six enterprise observability patterns EPC Group ships on every engagement

The platform components are the building blocks; the patterns are the architectural decisions that turn building blocks into a working observability operation. EPC Group ships six recurring patterns across every Fortune 500 engagement — the ones that repeatedly produce the order-of-magnitude alert-noise reduction and cost optimization wins that justify the accelerator economics.

Mission-critical APM — full-fidelity distributed tracing for the revenue-bearing application

The first enterprise pattern is the mission-critical Application Insights deployment for the revenue-bearing customer-facing application. EPC Group ships the Azure Monitor OpenTelemetry distro across .NET, Java, Node.js, and Python services as the unified instrumentation layer, configures end-to-end distributed tracing with W3C Trace Context propagation across every microservice boundary, enables Live Metrics for deployment smoke-test windows, and stands up Smart Detection for failure-rate and response-time anomaly alerting. Application Map becomes the single architectural-truth diagram that engineering, SRE, and product management share when investigating customer-impacting incidents. Synthetic transactions via Application Insights Standard Tests probe critical user journeys from multiple geographies on a one-minute cadence, providing the external availability signal independent of real user telemetry. For the mission-critical workload the data plan stays on Analytics tier for fast KQL access and ninety-day retention with archive on top.

Kubernetes observability — Container Insights, ASO, AKS managed Prometheus and Grafana

The second pattern is full-stack AKS observability spanning the cluster control plane, node pool, workload, and application layers. EPC Group enables Container Insights with namespace-scoped collection rules to control log ingestion cost, deploys Azure Service Operator (ASO) as the Kubernetes-native control surface for Azure resources provisioned inside cluster workloads, stands up managed Prometheus as the AKS metrics scrape surface, and connects managed Grafana for engineering team dashboards. AKS diagnostic settings ship the control-plane logs (kube-audit, kube-apiserver, kube-controller-manager, kube-scheduler, cluster-autoscaler) into Log Analytics for KQL investigation. The Application Insights OpenTelemetry distro deployed in each application pod produces distributed traces that join the Container Insights pod telemetry inside the unified Azure Portal pane. The result is a single observability surface spanning infrastructure, platform, and application layers — the architectural pattern referenced in our /azure-kubernetes-service-aks-enterprise-2026 hub.

Cost-optimized log retention — Analytics, Basic, and Auxiliary tier strategy with archive

The third pattern is the cost-optimized data plan selection that distinguishes a defensible Log Analytics budget from a runaway ingest bill. Azure Monitor supports three table-level data plans plus archive — Analytics tier for hot KQL-queryable data, Basic tier for compliance-and-search workloads at a fraction of the Analytics tier ingest cost (with eight-day interactive retention and limited KQL surface), Auxiliary tier for the highest-volume lowest-touch telemetry like firewall and CDN logs (the cheapest ingest at sharply reduced query support), and archive for long-tail retention up to twelve years at storage cost. EPC Group classifies every table by query frequency, alert criticality, and regulatory retention requirement, then assigns the data plan that minimizes total cost of ownership without breaking the operational use case. The standard pattern saves twenty-five to forty-five percent on a six-figure annual Log Analytics line item without losing a single regulatory-required record.

SLO and SLI alerting — multi-window multi-burn-rate alert design

The fourth pattern is the modern Service Level Objective and Service Level Indicator alerting model that replaces single-threshold response-time alerts with the multi-window multi-burn-rate pattern Google popularized in the SRE Workbook. EPC Group ships KQL log alerts measuring SLI metrics — availability, latency at the ninety-fifth and ninety-ninth percentile, error rate — against documented SLOs, configures fast-burn alerts (alerting in minutes on a thirty-day error budget consuming at fourteen-times rate) alongside slow-burn alerts (alerting in hours on a thirty-day error budget consuming at six-times rate), and tunes alert action groups to escalation paths matched to burn rate. The result is the dramatic alert-fatigue reduction that distinguishes a mature SRE operation — high-criticality pages only when the error budget is actually under threat, not on every transient spike.

Audit trail for regulated industries — immutable retention, table-level RBAC, Sentinel correlation

The fifth pattern is the regulated-industry audit trail design that healthcare, financial services, government, and life sciences customers require. EPC Group configures Log Analytics workspace immutable retention through the data export pattern (Azure Storage with legal hold), applies table-level RBAC so application telemetry tables are accessible to engineering while audit tables (SecurityEvent, SigninLogs, AuditLogs) remain restricted to security operations, ships activity logs and Azure AD audit logs into the workspace, and integrates Microsoft Sentinel for SIEM correlation against the same telemetry — see our /microsoft-sentinel-siem-enterprise-2026 hub for the SIEM side. The compliance translation layer maps Log Analytics retention and access controls to HIPAA HITRUST, PCI-DSS 4.0, FedRAMP Moderate or High, CMMC Level 2, FFIEC, and GxP requirements with auditor-ready evidence packaging.

Multi-tenant MSP observability — Azure Lighthouse cross-tenant workspace federation

The sixth pattern is the managed-service-provider multi-tenant pattern in which a single SOC and SRE team observes dozens or hundreds of customer Azure tenants from a single console. EPC Group leverages Azure Lighthouse for cross-tenant delegated resource management, stands up a workspace-per-customer model with cross-workspace KQL queries unified through Azure Resource Graph, and federates Microsoft Sentinel and Defender XDR signal into the MSP SOC tenant. The pattern preserves customer-tenant data sovereignty (each customer keeps their own Log Analytics workspace) while giving the MSP a single-console operational and security view. The architecture is the foundation of the EPC Group managed Microsoft services practice referenced in our /services/managed-microsoft-services portfolio.

Workspace architecture

Log Analytics workspace strategy — single, regional, or business-unit split

The Log Analytics workspace topology decision is the single most consequential architectural choice in any enterprise Azure observability deployment. Workspace placement governs data residency, RBAC granularity, ingest cost attribution, and cross-workspace query complexity. Three canonical patterns cover the majority of enterprise requirements.

Single-workspace architecture

A single Log Analytics workspace serving the entire Azure tenant is the simplest architecture and the right default for small and mid-sized environments. Every Azure resource diagnostic setting points to the same workspace, every KQL query operates against a unified telemetry surface, and Application Insights workspace-based components attach to the same workspace, so application and infrastructure telemetry sit side-by-side. The model breaks down at scale — geographic data residency requirements, the regulated data and non-regulated data separation problem, and the noisy-neighbor cost-attribution problem when one business unit floods the workspace with low-value logs all push toward multi-workspace.

Right for environments under approximately five-thousand Azure resources with no geographic data residency split
Simplest KQL query surface — no cross-workspace joins required
Easiest workspace-based Application Insights configuration — one workspace ID across all application components
Cost attribution requires resource tagging discipline since all telemetry consolidates into one bill line

Multi-workspace by region — data residency split

A workspace per region (EU, UK, US, APAC) is the design pattern that satisfies GDPR-style data residency requirements while preserving cross-region operational visibility through cross-workspace KQL queries. EPC Group ships this pattern across European and global enterprises where regulatory boundaries force telemetry to remain in-region, with a federated dashboard layer (Power BI or workbook-based) that aggregates across the regional workspaces for executive reporting.

Workspace placement honors the data residency obligation of every regulated record category
Cross-workspace KQL queries enable operational visibility despite physical workspace separation
Federated dashboards through workbooks or Power BI bridge the regional split for executive reporting
Cost-attribution becomes cleaner — each region carries its own bill line aligned to regional P&L

Multi-workspace by business unit or environment

A workspace per business unit, per environment (production vs non-production), or per regulated vs non-regulated data is the design pattern that solves the noisy-neighbor cost problem and the regulated-data isolation problem. EPC Group typically applies this at Fortune 500 scale where a single workspace would carry multiple terabytes per day of ingestion across dozens of distinct application portfolios and the cost-attribution and access-control problems force separation.

Production and non-production workspace separation enables aggressive non-production retention reduction
Regulated vs non-regulated workspace separation simplifies the audit-trail control matrix and the table-level RBAC story
Business-unit workspace separation produces clean per-BU cost line items and per-BU operational ownership
Cross-workspace KQL queries through workspace() and the union operator enable a unified operational view despite separation

Table-level economics

Table-tier strategy — Analytics, Basic, Auxiliary, archive

Per-table data plan tier selection is the single highest-leverage cost lever in the Log Analytics platform. EPC Group classifies every table by query frequency, alert criticality, and regulatory retention requirement, then assigns the data plan that minimizes total cost of ownership without breaking the operational use case. Retention in archive extends up to twelve years for the highest-regulated industries.

Analytics tier

Full KQL surface, interactive retention up to ninety days included, archive extending up to twelve years. The default tier for operational and security telemetry.

Use for: Application telemetry, security events, audit logs, performance counters — anything queried interactively and powering alerts.

Basic tier

Reduced ingest cost (roughly one-fifth of Analytics), eight-day interactive retention, KQL surface limited to where, project, extend, parse, and a subset of operators.

Use for: High-volume compliance logs, network flow data, CDN logs — telemetry needed for search-by-key and occasional investigation but not for interactive analytics.

Auxiliary tier

Cheapest ingest in the platform, designed for the highest-volume lowest-touch telemetry classes — firewall verbose logs, DNS query logs, web server access logs.

Use for: Verbose telemetry where the regulatory requirement is to retain but the operational requirement is rare keyword search.

Archive (any tier)

Long-tail retention up to twelve years at storage cost. Restore-to-Analytics on demand for investigations or compliance queries.

Use for: Healthcare HIPAA seven-year retention, financial services SEC seventeen-a-four seven-year retention, GxP twenty-one-year retention for life sciences.

OpenTelemetry distro, auto-instrumentation, Live Metrics, Smart Detection

Four Application Insights capabilities deserve dedicated discussion because they are the difference between a basic APM deployment and a production-grade observability operation engineering teams actually use. EPC Group ships all four as defaults on every engagement.

Azure Monitor OpenTelemetry distro

The Azure Monitor OpenTelemetry distro is the recommended instrumentation path for every new application development effort and the documented migration target from the classic Application Insights SDK. The distro is GA for .NET, Java, Node.js, and Python, ships auto-instrumentation parity to the classic SDK, supports OTLP-protocol ingestion through the Azure Monitor exporter, and preserves Live Metrics, Smart Detection, Application Map, and dependency tracking against OpenTelemetry-emitted telemetry. The strategic value is portability — the same OpenTelemetry instrumentation can dual-export to Azure Monitor plus Datadog plus Honeycomb during transitions, eliminating the lock-in concern that has historically slowed enterprise APM standardization.

Auto-instrumentation — codeless agent attach

Auto-instrumentation through the codeless agent attach pattern delivers full APM signal for Java, .NET, Node.js, and Python applications without source code changes — invaluable for the legacy application portfolio that engineering teams cannot rewrite. The agent attaches at process startup through environment variable configuration on App Service, AKS, Virtual Machines, and Container Apps, producing the same request, dependency, exception, and trace telemetry as instrumented applications. For the modernization-blocked legacy estate, auto-instrumentation is the bridge that brings observability parity without the rewrite economics.

Live Metrics — sub-second telemetry for deployment windows

Live Metrics streams sub-second application performance telemetry through the Azure Portal during the deployment smoke-test window when teams need real-time confirmation that a new release has not introduced regressions. Request rate, response time, failure rate, dependency call rate, server CPU, and server memory update on a sub-second cadence. The pattern is invaluable for the high-stakes production deployment window where the standard sixty-second metric ingestion latency is too slow to support the deployment decision.

Smart Detection — ML-derived anomaly alerting

Smart Detection is the ML-powered anomaly detection layer that ships out-of-the-box with every Application Insights component. Detection rules cover failure-rate anomaly, response-time degradation, dependency duration anomaly, trace severity anomaly, exception volume anomaly, memory leak detection, and security authentication anomaly. The strength is the absence of threshold configuration — the ML baseline learns from the application's actual behavior and alerts on statistically significant deviations, replacing the dozens of brittle threshold alerts engineering teams typically maintain. EPC Group enables Smart Detection across every Application Insights component as a default and tunes the notification routing per team on-call rotation.

Observability + SIEM + CNAPP

Azure Monitor + Microsoft Sentinel + Microsoft Defender for Cloud — the unified Microsoft signal plane

Azure Monitor and Microsoft Sentinel share the Log Analytics workspace substrate. Microsoft Defender for Cloud integrates bi-directionally through native data connectors. A single Kusto Query Language query can join application performance telemetry against security alerts and workload-protection findings, producing the unified investigation surface that no third-party combination achieves at the same fidelity for the Microsoft estate.

Shared workspace substrate

Azure Monitor and Microsoft Sentinel run on the same Log Analytics workspace, so the integration is foundational rather than additive. KQL queries cross the operational and security tables freely in a single statement.

Defender for Cloud data connector

Microsoft Defender for Cloud findings ship into the Sentinel workspace through the native data connector, putting workload-protection signal alongside application telemetry inside the same Kusto query surface. See our /microsoft-defender-for-cloud-cnapp-enterprise-2026 hub.

Defender XDR closure

The bi-directional Defender XDR loop closes the surface — endpoint, identity, cloud apps, and Office 365 signal correlates against the observability signal so a single incident timeline captures the user, the application, and the workload simultaneously.

For the dedicated SIEM hub including KQL libraries and SOAR playbook patterns, see Microsoft Sentinel SIEM Enterprise Guide (2026).

Governance and compliance — observability controls mapped to your regulatory reality

Log Analytics workspace retention, table-level RBAC, immutable data export, customer-managed keys, and private link configuration are the foundational controls that bring an observability deployment into compliance with HIPAA HITRUST, PCI-DSS 4.0, FedRAMP Moderate and High, CMMC Level 2, FFIEC, SOX, and GxP. EPC Group is FedRAMP-aligned across its consulting delivery and translates Microsoft product controls — Azure Monitor is FedRAMP-authorized at High impact in Azure Government — into an auditor-ready control matrix referencing the customer's specific framework portfolio.

HIPAA

SOC 2

FedRAMP

FINRA

CMMC

GxP

The EPC Group Observability Accelerator — five phases, fixed fee

The accelerator anchors on The EPC Group Lifecycle — Assess, Modernize, Govern, Operate, Enable. Fixed-scope between $150,000 and $500,000 depending on workspace count, application portfolio breadth, multi-cloud Arc footprint, and managed-service tail. Senior-architect led, no offshore handoff.

Phase 1 — Assess

Observability posture and signal-gap inventory in three weeks

Phase one is a fixed-fee assessment inventorying every Log Analytics workspace in the tenant, every Application Insights component, every Azure resource diagnostic setting, every data collection rule, every alert rule, and the per-workspace ingestion volume and retention configuration. EPC Group ships a costed remediation roadmap, signal-gap analysis against the customer SLO and SLI requirements, workspace consolidation or split recommendations, and a board-ready decision package.

Workspace inventory with per-workspace ingestion volume, retention configuration, and table-tier classification
Application Insights component inventory mapped to workspace-based vs classic mode and migration recommendations
Diagnostic setting and data collection rule coverage gap analysis across every in-scope Azure resource
Alert rule inventory with metric-vs-log classification, action group mapping, and noise-rate baselining

Phase 2 — Modernize

OpenTelemetry distro rollout, workspace consolidation, table-tier optimization

Phase two is the active modernization sprint. EPC Group migrates Application Insights components from the classic SDK to the Azure Monitor OpenTelemetry distro, consolidates or splits Log Analytics workspaces per the assessment recommendation, configures table-level data plan tier selection to optimize the ingest bill, and replaces the legacy Log Analytics agent and Telegraf agent with the unified Azure Monitor Agent through data collection rules.

Application Insights OpenTelemetry distro deployed across .NET, Java, Node.js, and Python application surfaces
Log Analytics workspace topology rationalized — single, regional, or BU-based per assessment recommendation
Table-level data plan tier selection — Analytics, Basic, Auxiliary, archive — applied per table classification
Azure Monitor Agent rollout replacing legacy agents with DCR-driven configuration for every VM and Arc-enrolled server

Phase 3 — Govern

SLO and SLI alerting design plus multi-window multi-burn-rate rollout

Phase three is the alert quality redesign that distinguishes a mature SRE operation. EPC Group designs and documents SLOs and SLIs for every customer-facing service, ships the multi-window multi-burn-rate KQL alert pattern that replaces threshold-only response-time alerts, stands up Smart Detection across Application Insights components for ML-derived anomaly detection, and rationalizes the existing alert rule estate down by typically sixty to eighty percent through noise-rate analysis.

Documented SLO catalog for every customer-facing service with SLI definitions and error budget allocation
Multi-window multi-burn-rate KQL log alerts replacing single-threshold latency and error-rate alerts
Smart Detection rules enabled for every Application Insights component with team-specific notification routing
Action group rationalization — one action group per on-call rotation with documented escalation policy

Phase 4 — Operate

Workbook library, dashboards, and 24/7 managed observability

Phase four is the visualization and operational handover. EPC Group ships a workbook library covering Application Map, Container Insights, VM Insights, Network Insights, SLO and error-budget rollups, and Log Analytics ingestion cost dashboards as ARM-templated workbooks checked into source control. Managed observability services are stood up for customers electing the managed-service tail, with twenty-four-by-seven monitoring of alert queue, workspace health, ingestion-cost anomaly, and per-table data-plan-fitness review.

Workbook library deployed through ARM templates and Bicep modules into every in-scope workspace
Azure dashboards composed from workbook tiles and metric charts for the operational and executive audience
Power BI Azure Monitor connector configured for stakeholder reporting outside the Azure Portal
Optional managed observability — 24/7 alert triage, workspace health, ingestion-cost anomaly, table-fitness review

Phase 5 — Enable

KQL training, workbook authoring enablement, and observability champion network

Phase five is the enablement layer that makes the observability platform stick after EPC Group leaves. KQL training is delivered to engineering, SRE, and SecOps teams, workbook authoring enablement is delivered to platform engineering, and an observability champion network is stood up across business units with a documented escalation path back to the EPC Group senior architect bench for the difficult problems.

KQL training delivered in cohort format across engineering, SRE, and SecOps audiences
Workbook authoring enablement for platform engineering with sample-workbook templates
Observability champion network stood up per business unit with documented escalation path
Continuous-improvement cadence — quarterly workspace cost review, alert noise audit, SLO health check

Why EPC Group leads enterprise Azure observability deployments

Years Microsoft consulting

70+

Fortune 500 clients

216+

M&A tenant consolidations

1.83 million

Users migrated

Microsoft Solutions Partner — six designations

Microsoft Solutions Partner with Infrastructure, Data & AI, Modern Work, Security, Digital & App Innovation, and Business Applications designations. Senior architects average two decades of Microsoft platform delivery experience across observability, data, and security workloads.

Four-time Microsoft Press author

Founder Errin O’Connor has nearly three decades of Microsoft consulting leadership and is a four-time Microsoft Press author across Power BI, SharePoint, Azure, and large-scale migrations.

Fixed-fee observability accelerators

Every Azure Monitor and Application Insights engagement is fixed-fee with a costed roadmap and a named senior architect on-record from kickoff through go-live. No T&M overruns, no offshore handoff, no junior-analyst-led production cutover.

Compliance-native

EPC Group is compliance-native across HIPAA, SOC 2, FedRAMP-aligned, FINRA, CMMC, and GxP. Observability deployments ship with auditor-ready retention and access control matrices, not generic Log Analytics screenshots.

Frequently asked questions — Azure Monitor and Application Insights

How does Azure Monitor compare to Datadog for enterprise observability?

Datadog is the dominant pure-play observability platform and the strongest competitive reference point for Azure Monitor. Datadog leads on cross-cloud breadth, on the maturity of its agent fleet, on the polish of the unified UX, and on the depth of its APM auto-instrumentation library. Azure Monitor catches up on auto-instrumentation breadth through the OpenTelemetry distro and surpasses Datadog on bundled value for Microsoft 365 E5 and Azure-heavy customers — the per-host APM pricing is materially below Datadog list once Application Insights data ingest is right-sized. Azure Monitor also wins on native Sentinel and Defender XDR correlation, on Azure Resource Graph integration for the resource topology surface, and on the OpenTelemetry-vendor-neutral instrumentation strategy that prevents long-term lock-in. For Azure-anchored enterprises Azure Monitor is the path of least resistance; for mixed AWS-anchored or GCP-anchored estates with mature Datadog deployment, the multi-cloud Datadog footprint is often the right architecture with Azure Monitor handling the Azure-resource-specific signal not surfaced through the Datadog Azure integration.

How does Azure Monitor compare to New Relic APM?

New Relic leads on APM-first ergonomics, on the consumption-pricing model that simplifies budgeting compared to per-host pricing, and on the unified telemetry data platform (NRDB) that scales linearly across logs, metrics, traces, and events. Azure Monitor wins on Azure-native depth — the workbook gallery, the Container Insights AKS integration, the VM Insights dependency map, and the Network Insights topology surface have no New Relic equivalent that operates against Azure-resource metadata at the same fidelity. Azure Monitor also wins on Sentinel and Defender XDR correlation and on the Microsoft 365 E5 bundled-value math. The recommended migration path from New Relic to Azure Monitor is the OpenTelemetry distro pattern — instrument once with the Azure Monitor OpenTelemetry distro and dual-export to both backends through the OpenTelemetry collector during the migration period, then cut over to Azure Monitor singly once the operational team is confident in the equivalent signal coverage.

How does Azure Monitor compare to Splunk Observability Cloud?

Splunk Observability Cloud (formerly SignalFx) is the Splunk-Cisco APM and metrics platform that competes alongside Splunk Enterprise as the log analytics platform. The strength of the Splunk story is the maturity of Splunk Enterprise Security and Splunk SOAR (now Cisco SOAR) as the SIEM and security automation surface, with Splunk Observability as the application performance and infrastructure metrics complement. Azure Monitor wins on bundled value, on Microsoft 365 E5 and Azure-anchored cost math, and on the unified KQL query surface that spans Azure Monitor logs, Microsoft Sentinel, and Microsoft Defender XDR — Splunk customers typically run multiple licensed Splunk products to reach the same surface. For Microsoft-anchored enterprises consolidating off Splunk, the recommended sequence is Azure Monitor for observability, Microsoft Sentinel for SIEM, and Defender XDR for endpoint correlation, with Splunk Enterprise reserved for legacy log sources where the migration economics do not justify replatforming.

How does Azure Monitor compare to Honeycomb for distributed tracing?

Honeycomb defined the high-cardinality distributed tracing UX that Application Insights, Datadog, and the rest of the industry have spent five years catching up to. The Honeycomb BubbleUp, the high-cardinality event-stream model, and the AI-assisted query authoring experience remain best-in-class for engineering teams whose primary workflow is exploring application behavior through trace data. Azure Monitor Application Insights catches up on the W3C Trace Context propagation standard, on the OpenTelemetry distro instrumentation, and on the Application Map architectural visualization, while bringing native integration with the Azure resource estate, with Sentinel for security correlation, and with the Microsoft 365 E5 bundled value math that Honeycomb cannot match. For pure application engineering teams with Honeycomb as a beloved tool, the recommended pattern is to instrument with the OpenTelemetry distro and dual-export to Honeycomb and Azure Monitor — Honeycomb for engineering exploration, Azure Monitor for operations and the Azure-resource-correlated signal. For teams without an existing Honeycomb deployment, Application Insights with the OpenTelemetry distro delivers the modern distributed tracing experience at the bundled Microsoft economics.

What are the highest-leverage cost optimization patterns for Azure Monitor and Log Analytics?

The four highest-leverage cost levers EPC Group works across every enterprise observability engagement are: first, table-level data plan tier selection — moving high-volume low-touch tables to Basic or Auxiliary tier typically saves twenty-five to forty-five percent on a six-figure annual Log Analytics bill without losing operational capability; second, Application Insights sampling — adaptive sampling at the ingestion edge typically reduces telemetry volume by sixty to ninety percent with negligible loss of statistical fidelity; third, diagnostic setting rationalization — every Azure resource emits diagnostic logs at multiple verbosity levels, and unselected verbose categories ingest into the workspace by default in many resource types unless explicitly disabled; fourth, commitment tier purchase — moving from pay-as-you-go to the appropriate commitment tier produces a fifteen to thirty percent per-gigabyte discount on the predictable baseline ingest with overage at the spot rate. Together the four levers typically take a six-figure annual Log Analytics bill down by thirty to fifty percent.

What is the migration path from the Application Insights classic SDK to the OpenTelemetry distro?

The migration path from the Application Insights classic SDK to the Azure Monitor OpenTelemetry distro is the strategic instrumentation decision for every enterprise running Application Insights today. Microsoft has documented the migration path for .NET, Java, Node.js, and Python with a documented attribute-name and telemetry-name mapping, so customer KQL queries and workbooks continue to function during and after the migration. The recommended sequence is: first, deploy the OpenTelemetry distro alongside the classic SDK on a single low-risk service to validate signal parity in the workspace; second, sweep across the application portfolio replacing the classic SDK package reference with the OpenTelemetry distro package reference; third, retire the classic SDK package once every service has been migrated and validated. Live Metrics, Smart Detection, Application Map, and the dependency-tracking story all continue to operate against OpenTelemetry-emitted telemetry without functional regression. EPC Group treats the OpenTelemetry migration as a foundational accelerator phase since it locks in the vendor-neutral instrumentation strategy and unblocks future portability between observability backends if commercial circumstances change.

How does Azure Monitor integrate with Microsoft Sentinel?

Azure Monitor and Microsoft Sentinel run on the same Log Analytics workspace substrate, so the integration is foundational rather than additive. A workspace enabled for Sentinel exposes the SecurityAlert, SecurityIncident, SecurityRecommendation, and threat-intelligence tables alongside the operational telemetry that Azure Monitor ingests, and a single KQL query can join application performance signal against security signal — for example correlating a spike in failed authentication events with a spike in application error rate. The recommended architecture is a dedicated security workspace separate from the general-purpose operational workspace, with cross-workspace KQL queries bridging the boundary for incident investigation. For the full SIEM and SOAR design pattern see our /microsoft-sentinel-siem-enterprise-2026 hub including KQL detection libraries, Logic Apps playbook patterns, and the cross-workspace correlation queries that link operational observability to security incident response.

What is the EPC Group Observability Accelerator and what does it cost?

The EPC Group Observability Accelerator is a fixed-fee five-phase engagement (Assess, Modernize, Govern, Operate, Enable) that takes an enterprise from its current observability posture to a documented OpenTelemetry-based, SLO-driven, cost-optimized Azure Monitor and Application Insights deployment with a workbook library and optional managed observability tail. Fixed-scope between $150,000 and $500,000 depending on the workspace count, the application portfolio breadth, the multi-cloud Arc footprint, and the managed-service tail. Senior-architect led, no offshore handoff, no T&M overruns. Typical timeline is ten to sixteen weeks for the active engagement, with optional ongoing managed observability for customers who want twenty-four-by-seven alert triage, ingestion-cost anomaly detection, and table-fitness review on a continuous cadence. For the broader Microsoft cloud orchestration model in which observability sits as one plane alongside identity, security, data, and AI, see our /microsoft-cloud-orchestrator hub.

Continue exploring the EPC Group enterprise Microsoft library

Azure Monitor is the observability plane inside the broader Microsoft Cloud orchestration story. These hubs cover adjacent and complementary territory.

Microsoft Cloud Orchestrator

The end-to-end Microsoft cloud orchestration model under which observability sits as one signal plane alongside identity, security, data, and AI.

Azure consulting services

The Azure platform engineering practice that delivers the substrate Azure Monitor observes across subscriptions, landing zones, and resources.

Microsoft Sentinel SIEM (2026)

The SIEM half of the Microsoft Defender platform, sharing the Log Analytics workspace substrate with Azure Monitor for unified KQL query.

Azure Kubernetes Service (AKS) Enterprise Guide (2026)

AKS architecture, Azure Service Operator, managed Prometheus and Grafana — the platform that Container Insights observes end-to-end.

Azure Functions Serverless Enterprise Guide (2026)

Serverless platform engineering with Application Insights auto-instrumentation as the observability default for every Functions deployment.

Microsoft Defender for Cloud CNAPP (2026)

The CNAPP plane covering workload protection, with bi-directional integration into Sentinel and Azure Monitor for unified investigation.

Digital Transformation Microsoft Enterprise (2026)

The executive-level Microsoft transformation playbook in which observability is the operational backbone for every modernization initiative.

Managed Microsoft Services

Twenty-four-by-seven managed observability, Sentinel, and Microsoft platform operations with senior-architect escalation.

Modernize your Azure observability onto OpenTelemetry and Application Insights

Book an observability briefing with an EPC Group senior architect. Two-hour working session — workspace inventory, signal-gap analysis, OpenTelemetry migration scoping, accelerator pricing. Zero obligation, board-ready output.

Book the briefing Call 888-381-9725

‌
‌
‌

‌
‌