Azure Back to School is an amazing community initiative created by Dwayne Natwick and Derek Smith. Just like in previous years, throughout September, community members from around the world will share a mix of video content, live sessions, and blog posts on a variety of Azure topics. This initiative embodies the true spirit of community: sharing knowledge, helping others learn, and building new skills.
You can find all the videos and blog posts at https://azurebacktoschool.github.io/.
Stay updated by following the hashtag #AzureBacktoSchool on X or LinkedIn.
In my blog post, I’ll dive into how Azure Automanage simplifies management by making it easier to onboard Azure management services and streamline the operation of your Azure Arc-enabled servers.
You’ll learn how to activate and use this powerful service to enhance the management and operation of your Azure Arc-enabled servers, leading to smoother and more efficient server management.
Table of Contents
- What is Azure Automanage?
- Azure prerequisites
- Install Automanage Preview features
- Create a custom RBAC role for Automanage
- Create a custom configuration profile for your Azure Arc-enabled servers
- Configure and use Automanage with Azure Arc-enabled servers
- Conclusion
What is Azure Automanage?
As many of us know, Azure Arc expands Azure’s management capabilities to include on-premises, multi-cloud, and edge environments. It enables you to manage servers, Kubernetes clusters, and applications across different locations through a single pane of glass.
However, configuring these management services on Arc-enabled servers can be complex for IT administrators, especially in smaller environments where they oversee more than just virtual machines (VMs).
This is where Azure Automanage steps in. For Arc-enabled servers, Azure Automanage for Machines Best Practices streamlines the management of your Arc-enabled Windows and Linux servers by automating tasks like configuration, monitoring, and updates, ensuring your resources comply with recommended Azure practices.
Azure Automanage offers services like Machine Insights Monitoring, Update Management (V2), and Machine Configuration. It also automatically provisions the necessary Azure resources, such as a Log Analytics workspace (or allows you to point to an existing one), to support these services.
To configure Automanage with Azure Arc-enabled servers, you can choose one of the prebuilt Azure Automanage configuration profiles, like “Azure Best Practices: Production” or “Azure Best Practices: Dev/Test.”
These profiles come with predefined settings that manage various aspects of a virtual machine’s lifecycle. However, be aware that not all services and features in these profiles are fully compatible with Arc-enabled servers.
Alternatively, you can create your own custom configuration profile, which is my preferred approach.
You can find a detailed list of the participating services, along with their descriptions and configuration profiles, through this Microsoft Learn link.
As with all Azure resources, it’s important to keep the pricing in mind. While Azure Automanage is included for free with your Azure subscription, the individual services onboarded through Azure Automanage do incur separate charges. Therefore, you should review the pricing of each service you enable through Automanage to calculate an estimated total cost.
Azure prerequisites
- An Azure subscription, preferably more than one if you plan to follow the Cloud Adoption Framework (CAF) enterprise-scale architecture. This includes a connectivity and/or management subscription, with at least one Arc subscription (landing zone) for deploying your Arc-related resources.
- The “Microsoft.Automanage” resource provider should already be registered on this subscription.
- An Azure Administrator account with the appropriate RBAC roles, such as Owner or Contributor at the subscription or resource group level, is required to create and assign Automanage profiles.
- Some machines, whether physical or virtual, within your hybrid environment that run at least Windows Server 2012 R2 or any Arc-supported Linux distribution and have already been onboarded into Azure Arc.




Install Automanage Preview features
With the upcoming retirement of the Log Analytics Agent on August 31, 2024, certain features and integrations of Automanage will no longer function. Therefore, it’s recommended to enable preview features, such as Automanage Alerts Enabled and Automanage Azure Monitoring Agent Support, for any subscriptions using Automanage.
To install preview features for a specific subscription, sign in to the Azure Portal with your credentials. Use the global search bar, or another method within the portal, to find and select the subscription.
On the Subscription page, click Preview features under the Settings section.

Next, type “automanage” in the search bar and set the “State” to Not Registered to display all preview features related to Azure Automanage that are currently not registered for that subscription. Select the features you want to register and click Register.

Once a preview feature is registered in your subscription, you’ll see one of two states: Registered or Pending.
- If the preview feature doesn’t require approval, its state will be Registered. Keep in mind that access to the features isn’t instant; it may take up to 12 hours for the changes to take effect.
- If it does require approval, the state will be Pending. In this case, you’ll need to request approval from the Azure service offering the feature, typically by submitting an Azure support ticket*. After your registration is approved, the state of the preview feature will change to Registered.
*Some services may require different methods, such as email, to obtain approval for pending requests. Be sure to check the announcements regarding the preview feature for specific instructions on how to gain access.


Create a custom RBAC role for Automanage
If necessary, or if you need a higher level of security and control in your environment following the principle of least privilege, you can create a custom role for more precise management.
For example, if you want to limit permissions to managing Automanage configuration profiles without impacting other resources, you can define a custom RBAC role with permissions specifically tailored to:
- Microsoft.Automanage/configurationProfileAssignments: Permission to create, update or delete Configuration Profile Assignments.
- Microsoft.Automanage/configurationProfileAssignments/reports: Permission to read, create or update any Configuration Profile Assignment Reports.
- Microsoft.Automanage/configurationProfileAssignments/effectiveProfiles: Permission to read any Assignment’s Effective Configuration Profile Result.
- Microsoft.Automanage/configurationProfiles: Permission to delete, read, create or update any Automanage ConfigurationProfiles.
- Microsoft.Automanage/configurationProfiles/versions: Permission to delete, read, create or update any Automanage ConfigurationProfiles Versions.
To create a custom RBAC role and assign it to a security group, go to your subscription, select Access control (IAM), and under the Add tab, choose Add custom role.

Next, specify a custom role name and description, then click Next. After that, select the Microsoft.Automanage permissions you want to include in the custom role, add them by clicking the Add button, and then click Next.


On the Assignable scopes page, you can either click Next or add an additional subscription if needed.

On the JSON page, you can either download the JSON file or edit it as needed. When you’re ready, simply click Next to proceed.

Then click Create to finalize your custom role. Once the role is successfully created, click OK to close the notification.


Now you can assign this new role to a specific security group to apply its permissions to that group.
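The role from the steps above can also be written out as the JSON shown on the JSON page and checked for least privilege before it is created. This is an added example, not code from the original post: the role name, the placeholder subscription ID and the exact action strings (the resource types listed above combined with the standard ARM read/write/delete verbs) are assumptions to confirm against the Microsoft.Automanage provider operations.

```python
import json

# Resource types and verbs as listed in this post (create/update map to the ARM "write" verb).
# Assumption: each action string is "<resource type>/<verb>"; verify before use.
PAGE_PERMISSIONS = {
    "Microsoft.Automanage/configurationProfileAssignments": ["write", "delete"],
    "Microsoft.Automanage/configurationProfileAssignments/reports": ["read", "write"],
    "Microsoft.Automanage/configurationProfileAssignments/effectiveProfiles": ["read"],
    "Microsoft.Automanage/configurationProfiles": ["read", "write", "delete"],
    "Microsoft.Automanage/configurationProfiles/versions": ["read", "write", "delete"],
}

def build_role(name, description, subscription_id):
    """Return a custom role definition in the JSON shape Azure RBAC uses."""
    actions = [f"{rt}/{verb}" for rt, verbs in PAGE_PERMISSIONS.items() for verb in verbs]
    return {
        "Name": name, "IsCustom": True, "Description": description,
        "Actions": actions, "NotActions": [],
        "DataActions": [], "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def lint_role(role, namespace="Microsoft.Automanage"):
    """Return least-privilege findings; an empty list means the role stays in scope."""
    findings = []
    for action in role.get("Actions", []) + role.get("DataActions", []):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        if not action.lower().startswith(namespace.lower() + "/"):
            findings.append(f"action outside {namespace}: {action}")
    for scope in role.get("AssignableScopes", []):
        parts = scope.strip("/").split("/")
        if scope == "/" or parts[0].lower() != "subscriptions" or len(parts) < 2:
            findings.append(f"scope broader than a subscription: {scope}")
    return findings

# Constructed placeholder subscription ID, not a real one.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
role = build_role("Automanage Profile Operator (example)",
                  "Manage Automanage configuration profiles and assignments only.",
                  SAMPLE_SUB)

if __name__ == "__main__":
    print(json.dumps(role, indent=2))
    print(lint_role(role) or "no findings")
```

The printed JSON can be saved to a file and passed to `az role definition create --role-definition @<file>.json` instead of clicking through the portal. Running the same lint over a JSON file downloaded from the portal's JSON page catches a wildcard or an extra scope before the role is assigned to a group.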


Create a custom configuration profile for your Azure Arc-enabled servers
To create a custom configuration profile, type “auto” in the global search bar and select Automanage. On the Automanage page, choose Configuration profiles.


Click Create to set up a custom profile.

First, specify a name (following your Azure naming convention), select the subscription, choose the resource group (preferably the management resource group in the subscription), and set the region to match where your Azure Arc servers are configured for your custom profile.

Then, select the services you want to enable or disable. As mentioned earlier, keep in mind that not all services, like Azure Backup, are compatible with Azure Arc.

Currently, due to recent changes, likely related to the retirement of the Log Analytics agent and some Azure Automation features, creating a new configuration profile results in the following error: “The operation was not allowed because the subscription is not in a state to support it. Subscription state: -1.”**
Once this issue is resolved, you will likely be able to create a custom configuration profile through the Azure Portal, or by using Bicep or ARM templates.

**I’ve also raised a new Discussion on the Azure Tech Community regarding this issue: https://techcommunity.microsoft.com/t5/azure-infrastructure/enabling-azure-automanage-or-creating-a-custom-configuration/m-p/4251861/highlight/true#M268
Configure and use Automanage with Azure Arc-enabled servers
To configure Azure Automanage for a specific group of Azure Arc-enabled servers, type “auto” in the global search bar and select Automanage. Then, on the Automanage page, choose Manage.


Next, select the appropriate subscription and click Enable on existing machine.

Then, select the custom profile you created earlier (once this feature is functioning again) and click Next: Machines >.

On the Machines page, set the resource type to Server – Azure Arc to filter for Azure Arc-enabled servers. Then, select the specific Arc-enabled servers you want to manage using your custom Azure Automanage profile.

On the last page, click Create to enable Automanage on the selected servers.

At this time, attempting to enable Automanage on the selected Azure Arc-enabled servers will result in the same error encountered when configuring a custom profile: “The operation was not allowed because the subscription is not in a state to support it. Subscription state: -1.”
This error indicates that the Azure subscription is in an invalid or unsupported state for the operation, likely due to the retirement of the Log Analytics agent and the associated resources used in some of the services available within Azure Automanage.
Conclusion
That wraps up this blog post. I’m thrilled to be part of the Azure Back to School event and hope you find the content valuable and insightful.
I hope the steps outlined in this blog post for configuring Automanage with your Azure Arc-enabled servers help enhance the management and security of these resources in your environment.
If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or leave a comment. I’ll be happy to help!
Enjoy your reading and viewing!
