Commit 931c530

moving SCOM MI articles to new home
1 parent 2b6553d commit 931c530

32 files changed

+391
-0
lines changed
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
---
2+
ms.assetid:
3+
title: Create an Azure key vault
4+
description: This article describes how to create a key vault to store domain credentials.
5+
author: PriskeyJeronika-MS
6+
ms.author: v-gjeronika
7+
manager: jsuri
8+
ms.date: 05/22/2024
9+
ms.service: azure-monitor
10+
ms.subservice: operations-manager-managed-instance
11+
ms.topic: how-to
12+
---
13+
14+
# Create an Azure key vault
15+
16+
This article describes how to create a key vault to store domain credentials.
17+
18+
>[!NOTE]
19+
> To learn about the Azure Monitor SCOM Managed Instance architecture, see [Azure Monitor SCOM Managed Instance](overview.md).
20+
21+
## Create a key vault to store secrets
22+
23+
For security, you can store domain account credentials in key vault secrets. Later, you can use these secrets in SCOM Managed Instance creation.
24+
25+
Azure Key Vault is a cloud service that provides a secure store for keys, secrets, and certificates. For more information, see [About Azure Key Vault](/azure/key-vault/general/overview).
26+
27+
1. In the Azure portal, search for and select **Key vaults**.
28+
29+
:::image type="Key vaults in portal" source="media/create-key-vault/azure-portal-key-vaults-inline.png" alt-text="Screenshot that shows the icon for key vaults in the Azure portal." lightbox="media/create-key-vault/azure-portal-key-vaults-expanded.png":::
30+
31+
The **Key vaults** page opens.
32+
33+
1. Select **Create**.
34+
35+
:::image type="Key vault" source="media/create-key-vault/key-vaults-inline.png" alt-text="Screenshot that shows the Create button for creating a key vault." lightbox="media/create-key-vault/key-vaults-expanded.png":::
36+
37+
1. For **Basics**, do the following:
38+
- **Project details**:
39+
- **Subscription**: Select the subscription.
40+
- **Resource group**: Select the resource group you want.
41+
- **Instance details**:
42+
- **Key vault name**: Enter the name of your key vault. There are no added restrictions, except for those that apply to names in other Azure services.
43+
- **Region**: Choose the region that you're going to select for your other resources.
44+
- **Pricing tier**: Select **Standard** or **Premium** as required.
45+
- **Recovery options**:
46+
- **Days to retain deleted vaults**: Enter a value from 7 to 90.
47+
- **Purge protection**: We recommend enabling this feature to have a mandatory retention period.
48+
49+
:::image type="Create a key vault" source="media/create-key-vault/create-a-key-vault.png" alt-text="Screenshot that shows basic information for creating a key vault.":::
50+
1. Select **Next**. For now, no change is required in access configuration. Access configuration is done in the [step 5](create-user-assigned-identity.md).
51+
52+
1. For **Networking**, do the following:
53+
- Select **Enable public access**.
54+
- Under **Public Access**, for **Allow access from**, select **All networks**.
55+
56+
:::image type="Networking tab" source="media/create-key-vault/networking-inline.png" alt-text="Screenshot that shows selections for enabling public access on the Networking tab." lightbox="media/create-key-vault/networking-expanded.png":::
57+
1. Select **Next**.
58+
1. For **Tags**, select the tags if required and select **Next**.
59+
1. For **Review + create**, review the selections and select **Create** to create the key vault.
60+
61+
:::image type="Tab for reviewing selections before creating a key vault" source="media/create-key-vault/review.png" alt-text="Screenshot that shows the tab for reviewing selections before you create a key vault.":::
62+
63+
## Next steps
64+
65+
- [Create a user-assigned identity](create-user-assigned-identity.md)
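Review bot: the step that reads "For now, no change is required in access configuration. Access configuration is done in the step 5" conflicts with the permission model that step 5 (the create-user-assigned-identity article in this same commit) relies on. That article grants the identity access by creating an entry on the vault's **Access policies** page, which is only usable when the vault's permission model is **Vault access policy**; if the reader leaves the **Access configuration** tab at the portal's default for new vaults (Azure role-based access control), the **Create** button on the Access policies page is not available and step 5 cannot be completed. Either instruct the reader to select **Vault access policy** on this tab, or rewrite step 5 to assign an RBAC role on the vault instead. Second, the **Networking** step tells the reader to enable public access from **All networks** on a vault that stores domain credentials without saying why; state what the SCOM Managed Instance needs to reach, or point to a narrower option (selected networks or a private endpoint) and say when the rule can be tightened after deployment. Minor: the `:::image type="..."` attributes carry descriptive text where the docs convention is `type="content"`; the description belongs in `alt-text`, which is already present.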
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
---
2+
ms.assetid:
3+
title: Create a separate subnet in a VNet for SCOM Managed Instance
4+
description: This article describes how to create a separate subnet in a virtual network for Azure Monitor SCOM Managed Instance.
5+
author: PriskeyJeronika-MS
6+
ms.author: v-gjeronika
7+
manager: jsuri
8+
ms.date: 05/22/2024
9+
ms.service: azure-monitor
10+
ms.subservice: operations-manager-managed-instance
11+
ms.topic: how-to
12+
---
13+
14+
# Create a separate subnet in a virtual network for Azure Monitor SCOM Managed Instance
15+
16+
This article describes how to create a separate subnet in a virtual network for a managed instance of Azure Monitor SCOM Managed Instance and enable Azure NAT Gateway on a SCOM Managed Instance subnet.
17+
18+
>[!NOTE]
19+
> To learn about the SCOM Managed Instance architecture, see [Azure Monitor SCOM Managed Instance](overview.md#architecture).
20+
21+
## Create a separate subnet in a virtual network
22+
23+
For more information on how to create a virtual network, see [Quickstart: Use the Azure portal to create a virtual network](/azure/virtual-network/quick-create-portal).
24+
25+
After a SCOM Managed Instance subnet is created, we need a NAT gateway for outbound internet access from the SCOM Managed Instance subnet. Edit the subnet to add a NAT gateway. In Azure, add a NAT gateway to the subnet where the SCOM managed instance is created. A NAT gateway is needed for outbound internet access from the SCOM Managed Instance subnet. For more information, see [What is Virtual Network NAT?](/azure/virtual-network/nat-gateway/nat-overview).
26+
27+
>[!NOTE]
28+
>The SCOM Managed Instance requires outbound Internet access for communication with dependent endpoints. We recommend to use a NAT Gateway for this purpose. However, if there is an already established outbound internet access through a firewall, you can skip the creation of a NAT Gateway.
29+
30+
To create a NAT gateway for a SCOM Managed Instance subnet, follow these steps:
31+
32+
1. Create a NAT gateway in the same region where the virtual network is present.
33+
1. Create a NAT gateway in the same subscription that you use for SCOM Managed Instance.
34+
1. Create a public IP.
35+
36+
:::image type="NAT gateway" source="media/create-separate-subnet-in-vnet/nat-gateway-inline.png" alt-text="Screenshot that shows public IP information for a NAT gateway." lightbox="media/create-separate-subnet-in-vnet/nat-gateway-expanded.png":::
37+
38+
1. In the subnet section, select a virtual network and subnet for SCOM Managed Instance.
39+
40+
## Next steps
41+
42+
- [Create SQL Managed Instance](create-sql-managed-instance.md)
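Review bot: the two numbered steps "Create a NAT gateway in the same region where the virtual network is present." and "Create a NAT gateway in the same subscription that you use for SCOM Managed Instance." describe one action with two constraints, not two gateways; merge them into a single step such as "Create a NAT gateway in the same subscription and region as the virtual network." The paragraph above the note also states three times in a row that a NAT gateway is needed for outbound internet access; one sentence suffices. More importantly, the article is titled "Create a separate subnet in a virtual network" but never creates one: it links to the VNet quickstart and goes straight to the NAT gateway, so the reader gets no address-range, sizing or dedication requirement for the SCOM Managed Instance subnet. Add those requirements or retitle the article to match the NAT gateway procedure it actually documents. Finally, the note that a NAT gateway can be skipped when outbound access already goes through a firewall should name or link the dependent endpoints that firewall must allow; without that list the reader cannot configure the firewall rules the note assumes.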
Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
---
2+
ms.assetid:
3+
title: Create an Azure SQL managed instance
4+
description: This article describes how to create a SQL managed instance in a dedicated subnet of a virtual network.
5+
author: PriskeyJeronika-MS
6+
ms.author: v-gjeronika
7+
manager: jsuri
8+
ms.date: 05/22/2024
9+
ms.service: azure-monitor
10+
ms.subservice: operations-manager-managed-instance
11+
ms.topic: how-to
12+
---
13+
14+
# Create an Azure SQL managed instance
15+
16+
This article describes how to create a SQL managed instance in a dedicated subnet of a virtual network. Peer your Azure Monitor SCOM Managed Instance subnet and Azure SQL Managed Instance subnet.
17+
18+
>[!NOTE]
19+
> To learn about the SCOM Managed Instance architecture, see [Azure Monitor SCOM Managed Instance](overview.md).
20+
21+
## Create and configure a SQL managed instance
22+
23+
Before you create a SCOM Managed Instance, create a SQL managed instance. For more information, see [Create a SQL managed instance](/azure/azure-sql/managed-instance/instance-create-quickstart?view=azuresql&preserve-view=true).
24+
25+
>[!NOTE]
26+
>You can reuse your existing SQL managed instance if that matches the requirement. However, you need to configure it to work for SCOM Managed Instance.
27+
28+
We recommend the following settings for creating a SQL managed instance:
29+
30+
- **Resource Group**: Create a new resource group for SQL Managed Instance. A best practice is to create a new resource group for large Azure resources.
31+
- **Managed Instance name**: Choose a unique name. This name is used while you create a SCOM Managed Instance to refer to this SQL managed instance.
32+
- **Region**: Choose the region close to you. There's no strict requirement on region for the instance, but we recommend the closest region for latency purposes.
33+
- **Compute+Storage**: General Purpose (Gen5) with eight cores is the default. However, customers with less than 2000 workloads or customers who are validating SCOM Managed Instance in their test environments can use a SQL MI instance with four vCores.
34+
- **Authentication Method**: Select **SQL Authentication**. Enter the credentials that you want to use for accessing the SQL managed instance. These credentials don't refer to any that you've created so far.
35+
36+
>[!Note]
37+
>Choosing SQL Authentication mode is temporary. Later in [Step 5](/system-center/scom/create-user-assigned-identity?view=sc-om-2022#set-the-microsoft-entra-admin-value-in-the-sql-managed-instance&preserve-view=true) it will be updated to use Microsoft Entra ID with MSI.
38+
39+
- **VNet**: This SQL managed instance needs to have direct connectivity (line of sight) to the SCOM Managed Instance that you create in the future. Choose a virtual network that you'll eventually use for your SCOM Managed Instance. If you choose a different virtual network, ensure that it has connectivity to the SCOM Managed Instance virtual network by peering both the SCOM Managed Instance virtual network and the SQL Managed Instance virtual network.
40+
41+
The subnet that you provide to SQL Managed Instance has to be dedicated (delegated) to the SQL managed instance. The provided subnet can't be used to house any other resources.
42+
43+
By design, a managed instance needs a minimum of 32 IP addresses in a subnet. As a result, you can use a minimum subnet mask of /27 when you define your subnet IP ranges. For more information, see [Determine required subnet size and range for Azure SQL Managed Instance](/azure/azure-sql/managed-instance/vnet-subnet-determine-size?view=azuresql&preserve-view=true).
44+
- **Connection Type**: By default, the connection type is **Proxy**.
45+
- **Public Endpoint**: This setting can be either **Enabled** or **Disabled**. To use Power BI reporting, you need to enable the public endpoint.
46+
47+
If the SQL Managed Instance virtual network is different from the SCOM Managed Instance virtual network:
48+
49+
- Create an inbound NSG rule on the SQL Managed Instance subnet to allow traffic from the SCOM Managed Instance subnet to port 3342 and 1433 on the SQL Managed Instance subnet. For more information, see [Configure a public endpoint in Azure SQL Managed Instance](/azure/azure-sql/managed-instance/public-endpoint-configure?view=azuresql&preserve-view=true).
50+
- Peer your SQL Managed Instance virtual network with the one in which SCOM Managed Instance is present.
51+
52+
For the rest of the settings on the other tabs, you can leave them as default or change them according to your requirements.
53+
54+
> [!NOTE]
55+
> Creation of a new SQL managed instance can take up to six hours.
56+
57+
## Next steps
58+
59+
- [Create a key vault ](create-key-vault.md)
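Review bot: the link in the SQL Authentication note, `/system-center/scom/create-user-assigned-identity?view=sc-om-2022#set-the-microsoft-entra-admin-value-in-the-sql-managed-instance&preserve-view=true`, is malformed (`&preserve-view=true` is appended after the `#` fragment, so it is part of the fragment rather than a query parameter) and it points at the old System Center location even though this commit moves the article; every other cross-reference in this hunk is a relative `.md` link, so use `create-user-assigned-identity.md#set-the-microsoft-entra-admin-value-in-the-sql-managed-instance`. Second, the NSG guidance conflates two different paths: port 3342 is the SQL Managed Instance public endpoint port and only matters when **Public Endpoint** is **Enabled** (the Power BI case the article mentions), whereas peered virtual networks reach the instance on its private VNet address over 1433. Scope the 3342 rule to the public-endpoint bullet and keep the peering bullet at 1433, otherwise readers are told to open the public port they may have just left disabled. Third, "Connection Type: By default, the connection type is Proxy" gives no recommendation; say whether SCOM Managed Instance requires Proxy or works with Redirect.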
Lines changed: 115 additions & 0 deletions
@@ -0,0 +1,115 @@
1+
---
2+
ms.assetid:
3+
title: Create a user-assigned identity for SCOM Managed Instance
4+
description: This article describes how to create a user-assigned identity, provide admin access to Azure SQL Managed Instance, and grant get and list access on a key vault.
5+
author: PriskeyJeronika-MS
6+
ms.author: v-gjeronika
7+
manager: jsuri
8+
ms.date: 05/22/2024
9+
ms.service: azure-monitor
10+
ms.subservice: operations-manager-managed-instance
11+
ms.topic: how-to
12+
---
13+
14+
# Create a user-assigned identity for Azure Monitor SCOM Managed Instance
15+
16+
This article describes how to create a user-assigned identity, provide admin access to Azure SQL Managed Instance, and grant **Get** and **List** access on a key vault.
17+
18+
>[!NOTE]
19+
> To learn about the Azure Monitor SCOM Managed Instance architecture, see [Azure Monitor SCOM Managed Instance](overview.md).
20+
21+
## Create a managed service identity
22+
23+
The managed service identity (MSI) provides an identity for applications to use when they're connecting to resources that support Microsoft Entra ID authentication. For SCOM Managed Instance, a managed identity replaces the traditional four System Center Operations Manager service accounts. It's used to access the Azure SQL Managed Instance database. It's also used to access the key vault.
24+
25+
> [!NOTE]
26+
> - Ensure that you're a contributor in the subscription where you create the MSI.
27+
> - The MSI must have admin permission on SQL Managed Instance and read permission on the key vault that you use to store the domain account credentials.
28+
29+
1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Managed Identities**.
30+
31+
:::image type="Managed Identity in Azure portal" source="media/create-user-assigned-identity/azure-portal-managed-identity.png" alt-text="Screenshot that shows the icon for managed identities in the Azure portal.":::
32+
1. On the **Managed Identities** page, select **Create**.
33+
34+
:::image type="Managed Identity" source="media/create-user-assigned-identity/managed-identities.png" alt-text="Screenshot that shows Managed Identity.":::
35+
36+
The **Create User Assigned Managed Identity** pane opens.
37+
1. Under **Basics**, do the following:
38+
- **Project details**:
39+
- **Subscription**: Select the Azure subscription in which you want to create the SCOM Managed Instance.
40+
- **Resource group**: Select the resource group in which you want to create the SCOM Managed Instance.
41+
- **Instance details**:
42+
- **Region**: Select the region in which you want to create the SCOM Managed Instance.
43+
- **Name**: Enter a name for the instance.
44+
45+
:::image type="Create user assigned managed identity" source="media/create-user-assigned-identity/create-user-assigned-managed-identity.png" alt-text="Screenshot that shows project and instance details for a user-assigned managed identity.":::
46+
1. Select **Next: Tags**.
47+
1. On the **Tags** tab, enter the **Name** value and select the resource.
48+
49+
Tags help you categorize resources and view consolidated billing by applying the same tags to multiple resources and resource groups. For more information, see [Use tags to organize your Azure resources and management hierarchy](/azure/azure-resource-manager/management/tag-resources?wt.mc_id=azuremachinelearning_inproduct_portal_utilities-tags-tab&tabs=json).
50+
1. Select **Next: Review + create**.
51+
1. On the **Review + create** tab, review all the information that you provided and select **Create**.
52+
53+
:::image type="Managed identity review" source="media/create-user-assigned-identity/managed-identity-review.png" alt-text="Screenshot that shows the tab for reviewing a managed identity before creation.":::
54+
55+
Your deployment is now created on Azure. You can access the resource and view its details.
56+
57+
### Set the Microsoft Entra admin value in the SQL managed instance
58+
59+
To set the Microsoft Entra admin value in the SQL managed instance that you created in [step 3](create-sql-managed-instance.md), follow these steps:
60+
61+
>[!NOTE]
62+
>You must have Global Administrator or Privileged Role Administrator permissions for the subscription to perform the following operations.
63+
64+
>[!Important]
65+
>Using Groups as Microsoft Entra admin is currently not supported.
66+
67+
1. Open the SQL managed instance. Under **Settings**, select **Microsoft Entra admin**.
68+
69+
:::image type="Microsoft Entra admin" source="media/create-user-assigned-identity/microsoft-entra-admin.png" alt-text="Screenshot of the pane for Microsoft Entra admin information.":::
70+
71+
1. Select the error-box message to provide **Read** permissions to the SQL managed instance on Microsoft Entra ID. **Grant permissions** pane opens to grant the permissions.
72+
73+
:::image type="Grant permissions" source="media/create-user-assigned-identity/grant-permissions.png" alt-text="Screenshot of grant permissions.":::
74+
75+
1. Select **Grant Permissions** to initiate the operation and once it is completed, you can find a notification for successfully updating the Microsoft Entra read permissions.
76+
77+
:::image type="read permissions" source="media/create-user-assigned-identity/read-permissions.png" alt-text="Screenshot of read permissions.":::
78+
79+
1. Select **Set admin**, and search for your MSI. This MSI is the same one that you provided during the SCOM Managed Instance creation flow. You find the admin added to the SQL managed instance.
80+
81+
:::image type="Microsoft Entra admin" source="media/create-user-assigned-identity/microsoft-entra-inline.png" alt-text="Screenshot of MSI information for Microsoft Entra." lightbox="media/create-user-assigned-identity/microsoft-entra-expanded.png":::
82+
83+
1. If you get an error after you add a managed identity account, it indicates that read permissions aren't yet provided to your identity. Be sure to provide the necessary permissions before you create your SCOM Managed Instance or else your SCOM Managed Instance creation fails.
84+
85+
:::image type="SQL Microsoft Entra admin" source="media/create-user-assigned-identity/sql-microsoft-entra-inline.png" alt-text="Screenshot that shows successful Microsoft Entra authentication." lightbox="media/create-user-assigned-identity/sql-microsoft-entra-expanded.png":::
86+
87+
For more information about permissions, see [Directory Readers role in Microsoft Entra ID for Azure SQL](/azure/azure-sql/database/authentication-aad-directory-readers-role?view=azuresql&preserve-view=true).
88+
89+
## Grant permission on the key vault
90+
91+
To grant permission on the key vault that you created in [step 4](create-key-vault.md), follow these steps:
92+
93+
1. Go to the key vault resource that you created in [step 4](create-key-vault.md) and select **Access policies**.
94+
95+
1. On the **Access policies** page, select **Create**.
96+
97+
:::image type="Access Policies" source="media/create-user-assigned-identity/access-policies.png" alt-text="Screenshot that shows the Access policies page.":::
98+
99+
1. On the **Permissions** tab, select the **Get** and **List** options.
100+
101+
:::image type="Create Access policy" source="media/create-user-assigned-identity/create-access-policy.png" alt-text="Screenshot that shows the Create access policy page.":::
102+
103+
1. Select **Next**.
104+
105+
1. On the **Principal** tab, enter the name of the MSI you created.
106+
107+
1. Select **Next**. Select the same MSI that you used in the SQL Managed Instance admin configuration.
108+
109+
:::image type="Principal tab" source="media/create-user-assigned-identity/principal.png" alt-text="Screenshot that shows the Principal tab.":::
110+
111+
1. Select **Next** > **Create**.
112+
113+
## Next steps
114+
115+
- [Create a gMSA account](create-gmsa-account.md)
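Review bot: the step "On the **Permissions** tab, select the **Get** and **List** options." does not say which permission group. The vault holds domain credentials as secrets, so the policy needs **Get** and **List** under **Secret permissions** only; say so explicitly so readers do not also grant key or certificate permissions, which nothing in this series uses. The two steps "On the **Principal** tab, enter the name of the MSI you created." and "Select **Next**. Select the same MSI that you used in the SQL Managed Instance admin configuration." are out of order: the identity has to be selected on the Principal tab before **Next**; collapse them into one step. Separately, the note "You must have Global Administrator or Privileged Role Administrator permissions for the subscription" is wrong about scope: those are Microsoft Entra directory roles, not subscription roles, and the Directory Readers article linked at the end of the section is where the actual requirement should be stated. The sentence "This MSI is the same one that you provided during the SCOM Managed Instance creation flow" assumes the instance already exists, but in this sequence it is created after this step; it should read "the one you will provide". The step "On the **Tags** tab, enter the **Name** value and select the resource." is garbled and should describe entering a tag name and value. Minor: "managed service identity (MSI)" is the legacy name; the current term throughout Azure docs is "user-assigned managed identity", which the title already uses.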
