What is Azure Arc?
Azure Arc allows the management of Windows and Linux servers located on your local network or at another cloud provider. This management is identical to the management of native Azure virtual machines. When a hybrid machine is connected to Azure, it is treated as an Azure resource: it is assigned a resource ID and belongs to a resource group within an Azure subscription, which also allows tags to be assigned to it.
However, the Azure Connected Machine agent must be installed on each machine that is to be connected to Azure. This agent does not provide monitoring and therefore does not replace the Log Analytics agent.
Different scenarios are supported by Azure Arc. With this functionality, you can assign Azure Policy guest configurations with the same experience as on an Azure virtual machine. Log data collected by the Log Analytics agent is stored in the Log Analytics workspace.
The following prerequisites are required. Check the Microsoft documentation for a potential update.
- Windows Server 2012 R2 and later
- Ubuntu 16.04 and 18.04
- CentOS Linux 7
- SLES (SUSE Linux Enterprise Server) 15
- Red Hat Enterprise Linux (RHEL) 7
- Amazon Linux 7
The following URLs must be allowed in your firewall
Install agent on Windows Server
From the Azure portal, enter Arc in the search bar and click on Azure Arc.
Click on Manage servers.
Click on Add to add a new server.
Click on Generate script. This script is used to add the server to Azure Arc.
Select the Azure subscription and the resource group. The region is configured automatically. Select the desired operating system and click on Next.
Configure tags if you want and click on Review + generate.
Click on Download to download the script.
From the domain controller, open the Active Directory Users and Computers console. On the properties of the server on which the agent will be installed, select
From the Windows Server, open a PowerShell prompt and run the script.
From the server, open a web browser and enter the URL https://microsoft.com/devicelogin. Enter the code shown on the PowerShell prompt.
Click on Next and select the Azure account. If the provider is not registered, you can use this URL: https://docs.microsoft.com/fr-fr/azure/azure-resource-manager/templates/error-register-resource-provider#code-try-7
The server appears in Azure Arc.
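The onboarding steps above can also be scripted directly. The following PowerShell is an added example, not the script generated by the Azure portal or Microsoft's own code; it performs the same three actions that script performs (download the agent, install it silently, run azcmagent connect). The subscription ID, resource group, tenant ID, region and tags are placeholders to replace with your own values, and the tag string is a constructed sample.

```powershell
# Added example (not the portal-generated script): onboard a Windows Server to
# Azure Arc with the Azure Connected Machine agent. Run from an elevated prompt.
# All values below are placeholders; replace them with your own.
$SubscriptionId = "<subscription-id>"
$ResourceGroup  = "<resource-group>"
$TenantId       = "<tenant-id>"
$Location       = "<azure-region>"              # the region shown in the portal
$Tags           = "Datacenter=Paris,Env=Prod"   # optional, constructed sample tags

$AgentDir = Join-Path $env:ProgramFiles "AzureConnectedMachineAgent"
$Agent    = Join-Path $AgentDir "azcmagent.exe"

# 1. Download and install the agent package (silent install; keep a verbose
#    MSI log so a failed installation can be diagnosed).
$Msi = Join-Path $env:TEMP "AzureConnectedMachineAgent.msi"
$Log = Join-Path $env:TEMP "azcmagent-install.log"
Invoke-WebRequest -Uri "https://aka.ms/AzureConnectedMachineAgent" -OutFile $Msi
$proc = Start-Process -FilePath "msiexec.exe" `
    -ArgumentList "/i `"$Msi`" /l*v `"$Log`" /qn" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Agent installation failed with exit code $($proc.ExitCode), see $Log"
}

# 2. Connect the machine to Azure. Without a service principal, azcmagent
#    prompts for the interactive device login (the microsoft.com/devicelogin
#    step described above) and registers the server as an Azure resource.
& $Agent connect `
    --resource-group  $ResourceGroup `
    --tenant-id       $TenantId `
    --location        $Location `
    --subscription-id $SubscriptionId `
    --cloud           "AzureCloud" `
    --tags            $Tags
if ($LASTEXITCODE -ne 0) {
    throw "azcmagent connect failed with exit code $LASTEXITCODE"
}

# 3. Verify the connection: show the agent status and the resource it is
#    registered as (resource ID, resource group, subscription).
& $Agent show
```

The account used for the device login only needs the built-in Azure Connected Machine Onboarding role on the target resource group; it does not need Contributor rights, which keeps the onboarding identity to least privilege.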
Create Azure Policy
From the Azure Arc console, click on the server previously added.
The properties of the server appear; click on Policies.
You can assign a policy or an initiative. An initiative consists of a collection of policy definitions, so a set of policies is grouped together in a single element.
Click on the button to select the initiative definition.
Select the desired initiative. I have selected Audit Windows VMs in which the Administrators group does not contain only the specified members.
Check that Policy enforcement is set to Enabled and click on Next.
Enter the parameters (Members).
You can configure Remediation and create a Remediation task. Click on Create to create the initiative assignment.
After a few minutes, the result appears. We can see that there are non-compliant servers.
Click on Non-Compliant and then on Non-compliant resources. You can view all servers that are non-compliant.
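To understand what the selected initiative evaluates on each server, and to compare the Azure Policy compliance view against the machine itself, the following PowerShell is an added example (not part of the original article and not Microsoft's guest configuration code). It reads the local Administrators group and reports it as compliant only when the group contains exactly the members given in the initiative parameter. The function name Test-AdministratorsGroup and the $ExpectedMembers list are constructed for this example.

```powershell
# Added example: local check mirroring the "Administrators group does not
# contain only the specified members" audit. Compliant means the group holds
# exactly the expected members: no extra members and none missing.
function Test-AdministratorsGroup {
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedMembers
    )
    # Get-LocalGroupMember returns names as DOMAIN\name or COMPUTER\name.
    # Comparisons with -notcontains are case-insensitive in PowerShell.
    $actual  = @(Get-LocalGroupMember -Group "Administrators" | ForEach-Object { $_.Name })
    $extra   = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
    $missing = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Compliant         = ($extra.Count -eq 0) -and ($missing.Count -eq 0)
        UnexpectedMembers = $extra     # accounts that should be removed
        MissingMembers    = $missing   # accounts expected but absent
        ActualMembers     = $actual
    }
}

# Constructed sample: the members entered in the initiative's Members parameter.
$ExpectedMembers = @("$env:COMPUTERNAME\Administrator", "CONTOSO\Domain Admins")

$result = Test-AdministratorsGroup -ExpectedMembers $ExpectedMembers
$result | Format-List

# Non-zero exit code so the check can be wired into a scheduled task or
# monitoring job that alerts on drift from the specified membership.
if (-not $result.Compliant) {
    Write-Warning "Administrators group does not match the specified members."
    exit 1
}
```

When the Azure portal flags a server as Non-compliant, running this check on that server shows which accounts are unexpected or missing, which is the information needed to decide whether the remediation task should remove an account or whether the initiative parameter should be updated.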