diff --git a/bicep/main.bicep b/bicep/main.bicep index 2ea532e0c..e96af8944 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -145,8 +145,8 @@ module network './network.bicep' = if (custom_vnet) { bastion: bastion bastionSubnetAddressPrefix: bastionSubnetAddressPrefix availabilityZones: availabilityZones - workspaceName: aks_law.name - workspaceResourceGroupName: resourceGroup().name + workspaceName: createLaw ? aks_law.name : '' + workspaceResourceGroupName: createLaw ? resourceGroup().name : '' networkSecurityGroups: CreateNetworkSecurityGroups CreateNsgFlowLogs: CreateNetworkSecurityGroups && CreateNetworkSecurityGroupFlowLogs ingressApplicationGatewayPublic: empty(privateIpApplicationGateway) @@ -1278,7 +1278,7 @@ param retentionInDays int = 30 var aks_law_name = 'log-${resourceName}' -var createLaw = (omsagent || deployAppGw || azureFirewalls) +var createLaw = (omsagent || deployAppGw || azureFirewalls || CreateNetworkSecurityGroups) resource aks_law 'Microsoft.OperationalInsights/workspaces@2021-06-01' = if (createLaw) { name: aks_law_name diff --git a/bicep/network.bicep b/bicep/network.bicep index 27eea12c2..ce74de074 100644 --- a/bicep/network.bicep +++ b/bicep/network.bicep @@ -336,7 +336,7 @@ resource bastionHost 'Microsoft.Network/bastionHosts@2021-05-01' = if(bastion) { } } -resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = { +resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if(networkSecurityGroups && !empty(workspaceName)) { name: workspaceName scope: resourceGroup(workspaceResourceGroupName) } 
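Review bot: Adding `CreateNetworkSecurityGroups` to `createLaw` in the `-1278` hunk creates the Log Analytics workspace even when `custom_vnet` is false, although the only NSG consumer this diff shows is the `network` module, which is deployed only `if (custom_vnet)`. If nothing else in main.bicep reads the workspace on behalf of NSGs (not visible here), narrow the new term: `var createLaw = (omsagent || deployAppGw || azureFirewalls || (custom_vnet && CreateNetworkSecurityGroups))`. A one-line comment above the variable listing which features need the workspace would keep the condition from drifting again.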
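Review bot: The guard on the `log` existing resource is `networkSecurityGroups && !empty(workspaceName)`, but every read of `log` in the nsg module hunks that follow tests only `!empty(workspaceName)`, and that test is written out fifteen times. The reads line up with the guard only because each nsg module shown is itself conditioned on `networkSecurityGroups`. Declaring the condition once, `var useWorkspace = networkSecurityGroups && !empty(workspaceName)`, and using it both on the resource and in the ternaries would keep the two in step. The `workspaceName` parameter is declared outside this hunk; its description should state that an empty string means no workspace is attached.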
@@ -362,9 +362,9 @@ module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
 params: {
 location: location
 resourceName: '${aks_subnet_name}-${resourceName}'
- workspaceId: log.properties.customerId
- workspaceRegion: log.location
- workspaceResourceId: log.id
+ workspaceId: !empty(workspaceName) ? log.properties.customerId : ''
+ workspaceRegion: !empty(workspaceName) ? log.location : ''
+ workspaceResourceId: !empty(workspaceName) ? log.id : ''
 ruleInAllowInternetHttp: true
 ruleInAllowInternetHttps: true
 ruleInDenySsh: true
@@ -377,9 +377,9 @@ module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
 params: {
 location: location
 resourceName: '${acrpool_subnet_name}-${resourceName}'
- workspaceId: log.properties.customerId
- workspaceRegion: log.location
- workspaceResourceId: log.id
+ workspaceId: !empty(workspaceName) ? log.properties.customerId : ''
+ workspaceRegion: !empty(workspaceName) ? log.location : ''
+ workspaceResourceId: !empty(workspaceName) ? log.id : ''
 FlowLogStorageAccountId: CreateNsgFlowLogs ? flowLogStor.id : ''
 }
 dependsOn: [
@@ -392,9 +392,9 @@ module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGro
 params: {
 location: location
 resourceName: '${appgw_subnet_name}-${resourceName}'
- workspaceId: log.properties.customerId
- workspaceRegion: log.location
- workspaceResourceId: log.id
+ workspaceId: !empty(workspaceName) ? log.properties.customerId : ''
+ workspaceRegion: !empty(workspaceName) ? log.location : ''
+ workspaceResourceId: !empty(workspaceName) ? log.id : ''
 ruleInAllowInternetHttp: ingressApplicationGatewayPublic
 ruleInAllowInternetHttps: ingressApplicationGatewayPublic
 ruleInAllowGwManagement: true
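Review bot: When `workspaceName` is empty, the nsgAks module now receives `''` for `workspaceId`, `workspaceRegion` and `workspaceResourceId`, and nothing in this hunk tells `nsg.bicep` to skip the logging that consumes them. `nsg.bicep` is not part of this diff, so if it builds diagnostic settings or flow-log analytics from these values, the outcome is presumably either a failed deployment or NSGs deployed without log forwarding and no indication that it happened. The same applies to the nsgAcrPool, nsgAppGw, nsgBastion and nsgPrivateLinks hunks, at least two of which (nsgAcrPool, nsgPrivateLinks) still pass `FlowLogStorageAccountId` whenever `CreateNsgFlowLogs` is true. Confirm that `nsg.bicep` treats an empty `workspaceResourceId` as logging disabled and say so in that parameter's description. The module bodies continue outside the hunks.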
@@ -413,9 +413,9 @@ module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
 params: {
 location: location
 resourceName: '${bastion_subnet_name}-${resourceName}'
- workspaceId: log.properties.customerId
- workspaceRegion: log.location
- workspaceResourceId: log.id
+ workspaceId: !empty(workspaceName) ? log.properties.customerId : ''
+ workspaceRegion: !empty(workspaceName) ? log.location : ''
+ workspaceResourceId: !empty(workspaceName) ? log.id : ''
 ruleInAllowBastionHostComms: true
 ruleInAllowInternetHttps: true
 ruleInAllowGwManagement: true
@@ -434,9 +434,9 @@ module nsgPrivateLinks 'nsg.bicep' = if(privateLinks && networkSecurityGroups) {
 params: {
 location: location
 resourceName: '${private_link_subnet_name}-${resourceName}'
- workspaceId: log.properties.customerId
- workspaceRegion: log.location
- workspaceResourceId: log.id
+ workspaceId: !empty(workspaceName) ? log.properties.customerId : ''
+ workspaceRegion: !empty(workspaceName) ? log.location : ''
+ workspaceResourceId: !empty(workspaceName) ? log.id : ''
 FlowLogStorageAccountId: CreateNsgFlowLogs ? flowLogStor.id : ''
 }
 dependsOn: [