Complete Azure Arc Setup for Non-Azure Devices

To set up Azure Arc on non-Azure devices, you'll need to start by creating a management group in the Azure portal. This will serve as the central hub for managing your hybrid environment.

Azure Arc requires an Azure subscription, so if you don't already have one, you'll need to create a new subscription or use an existing one. Make sure to take note of the subscription ID, as you'll need it later in the setup process.

Next, you'll need to install the Azure Connected Machine Agent on the non-Azure device. This agent enables the device to be managed by Azure Arc and allows you to apply Azure policies and configurations.

To get started with Azure Arc, you'll need to create an Azure subscription if you don't already have one. This will give you access to the Azure portal, where you can manage your Azure Arc resources.

The Azure Arc resource provider needs to be registered in your Azure subscription. You can do this by running the command `az provider register --namespace Microsoft.AzureArc --wait` in your Azure CLI.

Azure Arc requires a Kubernetes cluster to be set up. This can be an existing cluster or a new one created using Azure Arc. The cluster needs to meet certain requirements, such as having at least 3 nodes and being in a supported Kubernetes version.

You'll also need to create an Azure Arc enabled server or a Kubernetes cluster in Azure. This will allow you to manage your on-premises or edge environments from the Azure portal.

The Azure Arc resource provider needs to be registered in your Azure subscription.

Before you start setting up Azure Arc, there are a few things to consider. Azure Arc needs access to port 443 for some required URLs, local administration permissions for the installation, and connectivity.

To ensure a smooth setup, you'll need to prepare your environment. This includes verifying that your servers meet the prerequisites for Azure Arc. Supported Windows operating systems include Windows Server 2008 R2 SP1, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.

For onboarding, you'll need to decide on the method of deployment. You can use the single server script, which requires authentication with Azure AD, or use a service principal for more scale deployments.

To start preparing for setup, you'll need to onboard your local servers on your corporate network. Azure Arc-enabled servers are the way to go, and you can use the Azure Arc agent for connecting machines within Azure Arc.

You can deploy the agent in multiple ways, including using a single server script, adding multiple servers with a service principal, or using Update Management. For this example, we'll be using the single server script method.

Before you begin, make sure you have the necessary permissions to install the agent on your servers. Azure Arc needs access to port 443 for some required URLs, as well as local administration permissions for the installation.

Here are the steps to follow:

Note that each resource group can contain up to 5000 Arc servers. Also, keep in mind that Azure Arc-enabled servers do not support installing the agent on machines running in Azure, Azure Stack Hub, or Azure Stack Edge, as they are already configured as Azure VMs.

Auto Provisioning makes it easier to install required agents and extensions for Azure Arc devices.

Defender for Cloud collects security data and events, and manual installation of the Log Analytics agent is possible. However, auto provisioning part of Defender for Cloud makes the process much simpler.

To set up auto provisioning for Azure Arc devices, follow these steps:

This process is currently in preview, so keep an eye on Microsoft Docs for updates.

To create an ESU license, logon to the Azure Portal and enter "arc" into the global search bar, then select "Azure Arc" from the search results.

You'll need to navigate to the "Management" section and choose "Extended Security Updates" on the Azure Arc page.

In the Licenses tab, select "Create" to start the process.

Complete all necessary fields, such as subscription, resource group, and license name, and consider scheduling the license activation for a later time.

In the SKU field, specify the SKU, which can be Windows Server 2012, 2012 R2 Standard Edition, or Datacenter Edition.

You'll also need to choose between physical cores and virtual cores, depending on how your server is licensed.

If you're licensing individual VMs without covering all underlying hardware cores, choose virtual cores.

Note that the licensing guidelines stipulate a minimum of 8 virtual cores per VM.

Before you can proceed, you must confirm Microsoft's SA or SPLA coverage.

You can purchase ESUs through Software Assurance via Volume Licensing Programs like Enterprise Agreement (EA), Enterprise Agreement Subscription (EAS), Enrollment for Education Solutions (EES), or Server and Cloud Enrollment (SCE).

Alternatively, if your Windows Server 2012/2012 R2 machines are licensed through SPLA or with a Server Subscription, Software Assurance isn't necessary for purchasing ESUs.

To install the Azure Connected Machine agent, you can use the scripted method, which involves logging in to the server, opening an elevated PowerShell command prompt, and executing the script. The script is only supported on 64-bit versions of Windows PowerShell.

The script can be downloaded and executed on the server by running the ./OnboardingScript.ps1 script. If the agent fails to start after setup is finished, check the logs for detailed error information in the %ProgramData%\AzureConnectedMachineAgent\log directory.

You can also install the agent on Linux using the preferred package format for the distribution, such as .RPM or .DEB, which is hosted in the Microsoft package repository. The shell script bundle Install_linux_azcmagent.sh performs the installation and can be run on the server with root access.

To configure the agent on Linux, you need to run the azcmagent connect command with the required parameters, including the resource group, tenant ID, subscription ID, location, and cloud. If your machine needs to communicate through a proxy server, you can include the --proxy parameter.

Here are the settings you need to configure the azcmagent command to use for the service principal:

After you install the agent and configure it to connect to Azure Arc-enabled servers, go to the Azure portal to verify that the server has successfully connected.

To enable Microsoft Defender for your Azure Arc setup, you'll first need to navigate to Defender for Cloud. From there, go to environment settings and select the subscription used during Azure Arc configuration.

Defender for Cloud plan must be enabled, which brings multiple security features, including Defender for Endpoint (EDR) threat protection onboarding. This plan is required for Windows servers, where you'll need to enable the resource type "Servers" (costing $15/server/month, and including MDE EDR license).

After enabling the Defender for Cloud plan, your device will be visible in the Defender for Cloud inventory, categorized as an Azure Arc machine. This is in contrast to Azure Virtual machines, which are categorized under "Virtual machines".

To integrate with Defender for Endpoint, open the integrations page and allow Microsoft Defender for Endpoint to access your data. Defender for Cloud Apps can be enabled from the same integration view.

The integration brings several features to your Azure Arc devices, including risk-based vulnerability management and assessment (TVM), attack surface reduction (ASR), and behavioral-based and cloud-powered protection.

Here are some key features of the Microsoft Defender integration:

Defender for Cloud automatically enables the Defender for Endpoint sensor on all supported machines connected to Defender for Cloud, with only the requirements for Defender for Endpoint needed and optional AV configuration.

Server onboarding is a crucial step in getting started with Azure Arc setup. You can start the Azure Arc Setup wizard in different ways on a Windows Server machine, including clicking on the system tray icon, opening the pop-up window in Server Manager, or selecting the wizard from the Windows Server Start menu.

To onboard a single server, you can use the onboarding script, which can be run from Windows PowerShell as Administrator. The script is located on a network share, and you can use a PowerShell one-liner to execute it, adjusting for your environment.

There are several ways to onboard servers to Azure using Azure Arc, including at scale onboarding, which is recommended for onboarding hundreds of servers. This method allows you to create a script with a service principle that can be run on many servers at the same time without interaction.

Here are some common ways to onboard servers to Azure Arc:

After onboarding, you can verify the connection with Azure Arc by viewing your machines in the Azure portal.

Onboarding Windows Server 2012 is a straightforward process that can be completed using the OnboardingScript.ps1 script.

First, you'll need to log in to the machine with an account that has administrator privileges. Open Windows PowerShell as Administrator and navigate to the network share to run the script.

To execute the script, use a PowerShell one-liner, adjusting the "servername" and "sharename" to match your environment.

The Azure Connected Machine Agent must be at least version 1.34 or higher to utilize ESUs. You can check the version by running "azcmagent version" directly on the server from Windows PowerShell or the Command Prompt.

The onboarding process can be automated for multiple servers using methods like Group Policy Objects (GPO).

If you're looking for alternative server onboarding methods, you have options beyond the standard process.

There are many ways to onboard servers to Azure with Azure Arc, but you can check out the Microsoft Learn documentation for more information.

Onboarding a single server to Azure Arc is relatively straightforward, but if you're dealing with hundreds of servers, you'll want to consider the onboarding at scale guidance. This method allows you to create a script with a service principle that can be run on multiple servers simultaneously.

To onboard servers at scale, you can use the Azure Arc onboarding service principal guidance.

Here are some alternative server onboarding methods: