|
| 1 | +--- |
| 2 | +title: Azure Automanage Best Practices to Azure Policy migration planning |
| 3 | +description: This article provides process and technical guidance for customers interested in moving from Automanage Best Practices to Azure Policy. |
| 4 | +ms.date: 08/21/2024 |
| 5 | +ms.topic: how-to |
| 6 | +author: MutemwaRMasheke |
| 7 | +ms.author: mmasheke |
| 8 | +--- |
| 9 | + |
| 10 | +# Overview |
| 11 | + |
| 12 | +> [!CAUTION] |
| 13 | +> On September 30, 2027, the Automanage Best Practices product will be retired. Migrate to Azure Policy before that date. [Migrate here](https://ms.portal.azure.com/). |
| 14 | +
|
| 15 | +Azure Policy is a more robust cloud resource governance, enforcement and compliance offering with full parity with the Automanage Best Practices service. When possible, you should plan to move your content and machines to the new service. This |
| 16 | +article provides guidance on developing a migration strategy from Azure Automation to machine |
| 17 | +configuration. Azure Policy implements a robust array of features including: |
| 18 | + |
| 19 | +- *Granular Control and Flexibility:* Azure Policy allows for highly granular control over resources. You can create custom policies tailored to your specific regulatory and organizational compliance needs, ensuring that every aspect of your infrastructure meets the required standards. This level of customization may not be as easily achievable with the predefined configurations in Automanage. |
| 20 | + |
| 21 | +- *Comprehensive Compliance Management:* Azure Policy offers comprehensive compliance management by continuously assessing and auditing your resources. It provides detailed reports and dashboards to track compliance status, helping you to quickly detect and rectify non-compliance issues across your environment. |
| 22 | + |
| 23 | +- *Scalability:* Azure Policy is built to manage large-scale environments efficiently. It allows you to apply policies at different scopes (for example, Management Group, Subscription, Resource Group levels), making it easier to enforce compliance across multiple resources and regions systematically. |
| 24 | + |
| 25 | +- *Integration with Azure Security Center:* Azure Policy integrates seamlessly with Azure Security Center, enhancing your ability to manage security policies and ensuring your servers adhere to best practices. This integration provides more insights and recommendations, further strengthening your security posture. |
| 26 | + |
| 27 | +Before you begin, it's a good idea to read the conceptual overview information at the page |
| 28 | +[Azure Policy][01]. |
| 29 | + |
| 30 | +## Understand migration |
| 31 | + |
| 32 | +The best approach to migration is to identify how to map services in an Automanage configuration profile to respective Azure Policy content first, and then offboard your subscriptions from Automanage. This section outlines the expected steps for migration. Automanage’s capabilities involved creating a deploy-and-forget experience for Azure customers to onboard new and existing virtual machines to a recommended set of Azure Services to ensure compliance with Azure’s best practices. These capabilities were achieved by the creation of a configuration profile, a reusable template of management, monitoring, |
| 33 | +security and resiliency services that customers could opt into. The profile is then assigned to a set of VMs that are onboarded to those services and receive reports on the state of their machines. |
| 34 | + |
| 35 | + |
| 36 | +This functionality is available in Azure Policy as an initiative with a variety of configurable parameters, Azure services, regional availability, compliance states, and remediation actions. Configuration Profiles are the main onboarding vehicle for Automanage customers. Just like Azure Policy Initiatives, Automanage configuration profiles are applicable to VMs at the |
| 37 | +subscription and resource group level and enables further specification of the zone of |
| 38 | +applicability. The following Automanage feature parities are available in Azure Policy: |
| 39 | + |
| 40 | +### Azure Monitoring Agent |
| 41 | + |
| 42 | +Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of |
| 43 | +Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, |
| 44 | +insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. |
| 45 | +Azure Monitor Agent replaces all of Azure Monitor's legacy monitoring agents. This |
| 46 | +extension is deployable using the following Azure Policies: |
| 47 | + |
| 48 | +- Configure Linux virtual machines to run Azure Monitor Agent with user-assigned |
| 49 | +managed identity-based authentication |
| 50 | +- Configure Windows Machines to be associated with a Data Collection Rule or a |
| 51 | +Data Collection Endpoint |
| 52 | +- Configure Windows virtual machines to run Azure Monitor Agent with user-assigned |
| 53 | +managed identity-based authentication |
| 54 | +- Configure Linux Machines to be associated with a Data Collection Rule or a Data |
| 55 | +Collection Endpoint |
| 56 | +- Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent |
| 57 | +settings |
| 58 | +- Deploy Dependency agent to be enabled on Windows virtual machines with Azure |
| 59 | +Monitoring Agent settings |
| 60 | + |
| 61 | +### Azure Backup |
| 62 | + |
| 63 | +Azure Backup provides independent and isolated backups to guard against unintended |
| 64 | +destruction of the data on your VMs. Backups are stored in a Recovery Services vault with |
| 65 | +built-in management of recovery points. To back up Azure VMs, Azure Backup installs an |
| 66 | +extension on the VM agent running on the machine. Azure Backup can be configured using |
| 67 | +the following policies: |
| 68 | + |
| 69 | +- Configure backup on virtual machines with a given tag to an existing recovery |
| 70 | +services vault in the same location |
| 71 | +- Azure Backup should be enabled for Virtual Machines |
| 72 | + |
| 73 | +To configure backup time and duration, you can create a custom Azure policy based on the |
| 74 | +properties of the Azure backup policy resource or by a REST API call. Learn more [here][02]. |
| 75 | + |
| 76 | +### Azure Antimalware |
| 77 | + |
| 78 | +Microsoft Antimalware for Azure is a free real-time protection that helps identify and |
| 79 | +remove viruses, spyware, and other malicious software. It generates alerts when known |
| 80 | +malicious or unwanted software tries to install itself or run on your Azure systems. The |
| 81 | +Azure Guest Agent (or the Fabric Agent) launches the Antimalware Extension, applying the |
| 82 | +Antimalware configuration settings supplied as input. This step enables the Antimalware |
| 83 | +service with either default or custom configuration settings. |
| 84 | +The following Azure Antimalware policies are deployable in Azure Policy: |
| 85 | + |
| 86 | +- Microsoft Antimalware for Azure should be configured to automatically update |
| 87 | +protection signatures |
| 88 | +- Microsoft IaaSAntimalware extension should be deployed on Windows servers |
| 89 | +- Deploy default Microsoft IaaSAntimalware extension for Windows Server |
| 90 | + |
| 91 | +To configure excluded files, locations, file extensions and processes, enable real-time |
| 92 | +protection and schedule scan and scan type, day and time, you can create a custom Azure |
| 93 | +policy based on the properties of the Azure IaaSAntimalware policy resource or by an ARM |
| 94 | +Template. Learn more [here][03]. |
| 95 | + |
| 96 | +### Azure Insights and Analytics |
| 97 | + |
| 98 | +Azure Insights is a suite of tools within Azure Monitor designed to enhance the |
| 99 | +performance, reliability, and quality of your applications. It offers features like application |
| 100 | +performance management (APM), monitoring alerts, metrics analysis, diagnostic settings, |
| 101 | +logs, and more. With Azure Insights, you can gain valuable insights into your application’s |
| 102 | +behavior, troubleshoot issues, and optimize performance. The following policies provide |
| 103 | +the same capabilities as Automanage: |
| 104 | + |
| 105 | +- Assign Built-In User-Assigned Managed Identity to Virtual Machines |
| 106 | +- Configure Linux virtual machines to run Azure Monitor Agent with user-assigned |
| 107 | +managed identity-based authentication |
| 108 | +- Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication |
| 109 | +- Deploy Dependency agent to be enabled on Windows virtual machines with |
| 110 | +Azure Monitoring Agent settings |
| 111 | +- Deploy Dependency agent for Linux virtual machines with Azure Monitoring |
| 112 | +Agent settings |
| 113 | +- Configure Linux Machines to be associated with a Data Collection Rule or a Data |
| 114 | +Collection Endpoint |
| 115 | +- Configure Windows Machines to be associated with a Data Collection Rule or a |
| 116 | +Data Collection Endpoint |
| 117 | + |
| 118 | +All the previous options are configurable by deploying the Enable Azure Monitor for VMs with Azure |
| 119 | +Monitoring Agent (AMA) Policy initiative. |
| 120 | + |
| 121 | +### Change Tracking and Inventory |
| 122 | + |
| 123 | +Change Tracking and Inventory is a feature within Azure Automation that monitors changes |
| 124 | +in virtual machines across Azure, on-premises, and other cloud environments. It tracks |
| 125 | +modifications to installed software, files, registry keys, and services on both Windows and |
| 126 | +Linux systems. By using the Log Analytics agent, the Change Tracking service collects data and forwards it to |
| 127 | +Azure Monitor Logs for analysis. Additionally, it integrates with Microsoft Defender for |
| 128 | +Cloud File Integrity Monitoring (FIM) to enhance security and operational insights. The |
| 129 | +following policies enable change tracking on VMs: |
| 130 | + |
| 131 | +- Assign Built-In User-Assigned Managed Identity to Virtual Machines |
| 132 | +- Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity |
| 133 | +- Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity |
| 134 | +- Configure ChangeTracking Extension for Windows virtual machines |
| 135 | +- Configure ChangeTracking Extension for Linux virtual machines |
| 136 | +- Configure Windows Virtual Machines to be associated with a Data Collection Rule |
| 137 | +for ChangeTracking and Inventory |
| 138 | + |
| 139 | +The above Azure policies are configurable in bulk using the following Policy initiatives: |
| 140 | + |
| 141 | +- [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets |
| 142 | +- [Preview]: Enable ChangeTracking and Inventory for virtual machines |
| 143 | +- [Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines |
| 144 | + |
| 145 | +### Microsoft Defender for Cloud |
| 146 | + |
| 147 | +Microsoft Defender for Cloud provides unified security management and advanced threat |
| 148 | +protection across hybrid cloud workloads. MDC is configurable in Policy through the |
| 149 | +following policy initiatives: |
| 150 | + |
| 151 | +- Configure multiple Microsoft Defender for Endpoint integration settings with |
| 152 | +Microsoft Defender for Cloud |
| 153 | +- Microsoft cloud security benchmark |
| 154 | +- Configure Microsoft Defender for Cloud plans |
| 155 | + |
| 156 | +### Update Management |
| 157 | + |
| 158 | +Azure Update Management is a service included as part of your Azure Subscription that |
| 159 | +enables you to assess your update status across your environment and manage your |
| 160 | +Windows and Linux server patching from a single pane of glass, both for on-premises and |
| 161 | +Azure. It provides a unified solution to help you keep your systems up to date by overseeing |
| 162 | +update compliance, deploying critical updates, and offering flexible patching options. |
| 163 | +Azure Update Management is configurable in Azure Policy through the following policies: |
| 164 | + |
| 165 | +- Configure periodic checking for missing system updates on Azure Arc-enabled |
| 166 | +servers |
| 167 | +- Machines should be configured to periodically check for missing system updates |
| 168 | +- Schedule recurring updates using Azure Update Manager |
| 169 | +- [Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual |
| 170 | +machines. |
| 171 | +- Configure periodic checking for missing system updates on Azure virtual machines |
| 172 | + |
| 173 | +### Azure Automation Account |
| 174 | + |
| 175 | +Azure Automation is a cloud-based service that provides consistent management across |
| 176 | +both your Azure and non-Azure environments. It allows you to automate repetitive tasks, |
| 177 | +enforce configuration consistency, and manage updates for virtual machines. By |
| 178 | +leveraging runbooks and shared assets, you can streamline operations and reduce |
| 179 | +operational costs. Azure Automation is configurable in Azure Policy through the following |
| 180 | +policies: |
| 181 | + |
| 182 | +- Automation Account should have Managed Identity |
| 183 | +- Configure private endpoint connections on Azure Automation accounts |
| 184 | +- Automation accounts should disable public network access |
| 185 | +- Configure Azure Automation accounts with private DNS zones |
| 186 | +- Azure Automation accounts should use customer-managed keys to encrypt data at |
| 187 | +rest |
| 188 | +- Azure Automation account should have local authentication method disabled |
| 189 | +- Automation account variables should be encrypted |
| 190 | +- Configure Azure Automation account to disable local authentication |
| 191 | +- Configure Azure Automation accounts to disable public network access |
| 192 | +- Private endpoint connections on Automation Accounts should be enabled |
| 193 | + |
| 194 | +### Boot Diagnostics |
| 195 | + |
| 196 | +Azure Boot Diagnostics is a debugging feature for Azure virtual machines (VM) that allows |
| 197 | +diagnosis of VM boot failures. It enables a user to observe the state of their VM as it is |
| 198 | +booting up by collecting serial log information and screenshots. Enabling Boot Diagnostics |
| 199 | +feature allows Microsoft Azure cloud platform to inspect the virtual machine operating |
| 200 | +system (OS) for provisioning errors, helping to provide deeper information on the root |
| 201 | +causes of the startup failures. Boot diagnostics is enabled by default when we create a VM |
| 202 | +and is enforced by the _Boot Diagnostics should be enabled on virtual machines_ policy. |
| 203 | + |
| 204 | +### Windows Admin Center |
| 205 | + |
| 206 | +Azure Boot Diagnostics is a debugging feature for Azure virtual machines (VM) that allows |
| 207 | +diagnosis of VM boot failures by collecting serial log information and screenshots during |
| 208 | +the boot process. It's configurable either through an ARM template or a custom Azure Policy. Learn more [here][04]. |
| 209 | + |
| 210 | +### Log Analytics Workspace |
| 211 | + |
| 212 | +Azure Log Analytics is a service that monitors your cloud and on-premises resources and |
| 213 | +applications. It allows you to collect and analyze data generated by resources in your |
| 214 | +cloud and on-premises environments. With Azure Log Analytics, you can search, analyze, |
| 215 | +and visualize data to identify trends, troubleshoot issues, and monitor your systems. On August 31, 2024, both Automation Update Management and the Log Analytics agent it uses |
| 216 | +will be retired. Migrate to Azure Update Manager before that. Refer to guidance on |
| 217 | +migrating to Azure Update Manager [here][05]. We advise you to migrate [now][06] as this feature will |
| 218 | +no longer be supported in Automanage. |
| 219 | + |
| 220 | +## Pricing |
| 221 | + |
| 222 | +As you migrate, it's worthwhile to note that Automanage Best Practices is a cost-free service. As such, you won't receive a bill from the Automanage service. |
| 223 | +However, if you used Automanage to enable paid services like Azure Insights, there may be usage charges incurred that are billed directly by those services. |
| 224 | +Read more about Automanage and pricing [here][09]. |
| 225 | + |
| 226 | +## Next steps |
| 227 | + |
| 228 | +Now that you have an overview of Azure Policy and some of the key concepts, here are the suggested |
| 229 | +next steps: |
| 230 | + |
| 231 | +- [Review the policy definition structure][07]. |
| 232 | +- [Assign a policy definition using the portal][08]. |
| 233 | + |
| 234 | +<!-- Reference link definitions --> |
| 235 | +[01]: ../overview.md |
| 236 | +[02]: ../../../backup/backup-azure-arm-userestapi-createorupdatepolicy.md |
| 237 | +[03]: ../../../virtual-machines/extensions/iaas-antimalware-windows.md |
| 238 | +[04]: https://learn.microsoft.com/windows-server/manage/windows-admin-center/azure/manage-vm |
| 239 | +[05]: ../../../update-manager/migration-overview.md |
| 240 | +[06]: https://ms.portal.azure.com/ |
| 241 | +[07]: ../concepts/definition-structure-basics.md |
| 242 | +[08]: ../assign-policy-portal.md |
| 243 | +[09]: https://azure.microsoft.com/pricing/details/azure-automanage/ |
| 244 | + |
| 245 | + |
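Review bot: The Overview paragraph describes the wrong migration. Right after stating that Azure Policy has full parity with Automanage Best Practices, it says "This article provides guidance on developing a migration strategy from Azure Automation to machine configuration." That sentence appears to be carried over from the Automation-to-machine-configuration article and contradicts the title and the CAUTION banner; it should read "from Automanage Best Practices to Azure Policy". The same copy-paste problem is in the "Windows Admin Center" section, whose only body text is the Boot Diagnostics paragraph repeated ("Azure Boot Diagnostics is a debugging feature for Azure virtual machines (VM) that allows diagnosis of VM boot failures..."); it needs a description of Windows Admin Center and of what the ARM template or custom policy behind link [04] actually deploys. Three consistency points: the Overview bullet names "Azure Security Center" while the later section uses the current name, Microsoft Defender for Cloud, so use one name and expand "MDC" on first use; the Change Tracking section says data is collected "By using the Log Analytics agent", yet the Log Analytics Workspace section says that agent retires on August 31, 2024 and every policy listed for Change Tracking installs AMA, so the description should name the Azure Monitor Agent (and the "Azure Monitoring Agent" heading should match the product name used in the body, Azure Monitor Agent); and the "Migrate here" and "now" links ([06]) point at https://ms.portal.azure.com/, an internal portal host and only the portal root, so a public article should link https://portal.azure.com/ or, better, the specific migration experience. One ordering point that affects whether the DeployIfNotExists policies actually work: the AMA policies in the Azure Monitor Agent section authenticate "with user-assigned managed identity-based authentication", but "Assign Built-In User-Assigned Managed Identity to Virtual Machines" is listed only under Azure Insights and Analytics and Change Tracking. Listing it (or the "Enable Azure Monitor for VMs with Azure Monitoring Agent (AMA)" initiative that bundles it) in the Azure Monitor Agent section too, with a sentence that it must be assigned and remediated first, would stop readers deploying the agent without the identity it needs to authenticate to the Data Collection Rule.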