Merge pull request #96419 from snehaamicrosoft/azuremigrateIgnite

ktoliver · web-flow · commit c08bb60d4e6b · 2019-11-19T09:13:24.000-08:00
vCenter Server account privileges
diff --git a/articles/migrate/media/tutorial-prepare-vmware/vcenter-server-permissions.png b/articles/migrate/media/tutorial-prepare-vmware/vcenter-server-permissions.png
diff --git a/articles/migrate/migrate-support-matrix-vmware.md b/articles/migrate/migrate-support-matrix-vmware.md
@@ -1,6 +1,6 @@
 ---
 title: Support for VMware assessment and migration in Azure Migrate
-description: Learn about support for VMware VM assessment/migration in Azure Migrate. 
+description: Learn about support for VMware VM assessment/migration in Azure Migrate.
 author: rayne-wiselman
 manager: carmonm
 ms.service: azure-migrate
@@ -73,7 +73,13 @@ This table summarizes assessment support and limitations for VMware virtualizati
 
 ## Assessment-vCenter Server permissions
 
-For assessment, you need a read-only account for the vCenter Server.
+Azure Migrate needs to access the vCenter Server to discover VMs for assessment and agentless migration.
+
+- If you plan to discover applications or visualize dependency in an agentless manner, create a vCenter Server account with read-only access along with privileges enabled for **Virtual machines** > **Guest Operations**.
+
+  ![vCenter Server account privileges](./media/tutorial-prepare-vmware/vcenter-server-permissions.png)
+
+- If you are not planning to do application discovery and agentless dependency visualization, set up a read-only account for the vCenter Server.
 
 ## Assessment-appliance requirements
 
@@ -318,7 +324,7 @@ Download and install in Azure Migrate | When you install the appliance and are p
 **Independent disks** | Supported.
 **Passthrough disks** | Supported.
 **NFS** | NFS volumes mounted as volumes on the VMs won't be replicated.
-iSCSI targets | VMs with iSCSI targets aren't supported for agentless migration.
+**iSCSI targets** | VMs with iSCSI targets aren't supported for agentless migration.
 **Multipath IO** | Not supported.
 **Storage vMotion** | Supported
 **Teamed NICs** | Not supported.
diff --git a/articles/migrate/tutorial-assess-vmware.md b/articles/migrate/tutorial-assess-vmware.md
@@ -5,7 +5,7 @@ author: rayne-wiselman
 manager: carmonm
 ms.service: azure-migrate
 ms.topic: tutorial
-ms.date: 11/18/2019
+ms.date: 11/19/2019
 ms.author: hamusa
 ---
 
@@ -168,7 +168,7 @@ The appliance needs to connect to vCenter Server to discover the configuration a
 
 ### Specify vCenter Server details
 1. In **Specify vCenter Server details**, specify the name (FQDN) or IP address of the vCenter Server. You can leave the default port, or specify a custom port on which your vCenter Server listens.
-2. In **User name** and **Password**, specify the read-only account credentials that the appliance will use to discover VMs on the vCenter server. Make sure that the account has the [required permissions for discovery](migrate-support-matrix-vmware.md#assessment-vcenter-server-permissions). You can scope the discovery by limiting access to the vCenter account accordingly; learn more about scoping discovery [here](tutorial-assess-vmware.md#scoping-discovery).
+2. In **User name** and **Password**, specify the vCenter Server account credentials that the appliance will use to discover VMs on the vCenter server. Make sure that the account has the [required permissions for discovery](migrate-support-matrix-vmware.md#assessment-vcenter-server-permissions). You can scope the discovery by limiting access to the vCenter account accordingly; learn more about scoping discovery [here](tutorial-assess-vmware.md#scoping-discovery).
 3. Click **Validate connection** to make sure that the appliance can connect to vCenter Server.
 
 ### Specify VM credentials
@@ -218,7 +218,7 @@ There are 2 approaches to assign permissions on inventory objects in vCenter to
 
     Similarly for Server Migration, a user-defined role (can be named <em> Azure _Migrate</em>) with these [privileges](https://docs.microsoft.com/azure/migrate/migrate-support-matrix-vmware#agentless-migration-vcenter-server-permissions) assigned must be applied to the vCenter user account for all the parent objects where the VMs to be migrated are hosted.
 
-![Assign permissions](./media/tutorial-assess-vmware/assign-perms.png)
+  ![Assign permissions](./media/tutorial-assess-vmware/assign-perms.png)
 
 - The alternative approach is to assign the user account and role at the datacenter level and propagate them to the child objects. Then give the account a **No access** role for every object (such as VMs) that you don’t want to discover/migrate. This configuration is cumbersome. It exposes accidental access controls, because every new child object is also automatically granted access that's inherited from the parent. Therefore, we recommend that you use the first approach.
 
diff --git a/articles/migrate/tutorial-prepare-vmware.md b/articles/migrate/tutorial-prepare-vmware.md
@@ -1,5 +1,5 @@
 ---
-title: Prepare VMware VMs for assessment/migration with Azure Migrate 
+title: Prepare VMware VMs for assessment/migration with Azure Migrate
 description: Learn how to prepare for assessment/migration of VMware VMs with Azure Migrate.
 author: rayne-wiselman
 ms.service: azure-migrate
@@ -13,7 +13,7 @@ ms.custom: mvc
 
 This article helps you to prepare for assessment and/or migration of on-premises VMware VMs to Azure using [Azure Migrate](migrate-services-overview.md).
 
-[Azure Migrate](migrate-overview.md) provides a hub of tools that help you to discover, assess, and migrate apps, infrastructure, and workloads to Microsoft Azure. The hub includes Azure Migrate tools, and third-party independent software vendor (ISV) offerings. 
+[Azure Migrate](migrate-overview.md) provides a hub of tools that help you to discover, assess, and migrate apps, infrastructure, and workloads to Microsoft Azure. The hub includes Azure Migrate tools, and third-party independent software vendor (ISV) offerings.
 
 
 This tutorial is the first in a series that shows you how to assess and migrate VMware VMs. In this tutorial, you learn how to:
@@ -33,9 +33,9 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 You need these permissions.
 
-**Task** | **Permissions** 
---- | --- | ---
-**Create an Azure Migrate project** | Your Azure account needs permissions to create a project. 
+**Task** | **Permissions**
+--- | ---
+**Create an Azure Migrate project** | Your Azure account needs permissions to create a project.
 **Register the Azure Migrate appliance** | Azure Migrate uses a lightweight Azure Migrate appliance to assess VMware VMs with Azure Migrate Server Assessment, and to run [agentless migration](server-migrate-overview.md) of VMware VMs with Azure Migrate Server Migration. This appliance discovers VMs, and sends VM metadata and performance data to Azure Migrate.<br/><br/>During registration, Azure Migrate creates two Azure Active Directory (Azure AD) apps that uniquely identify the appliance, and needs permissions to create these apps.<br/> - The first app communicates with Azure Migrate service endpoints.<br/> - The second app accesses an Azure Key Vault created during registration to store Azure AD app info and appliance configuration settings.
 **Create a Key Vault** | To migrate VMware VMs with Azure Migrate Server Migration, Azure Migrate creates a Key Vault to manage access keys to the replication storage account in your subscription. To create the vault, you need role assignment permissions on the resource group in which the Azure Migrate project resides.
 
@@ -57,7 +57,7 @@ To register the appliance, you assign permissions for Azure Migrate to create th
 
 > [!NOTE]
 > - The apps don't have any other access permissions on the subscription other than those described above.
-> - You only need these permissions when you register a new appliance. You can remove the permissions after the appliance is set up. 
+> - You only need these permissions when you register a new appliance. You can remove the permissions after the appliance is set up.
 
 
 #### Grant account permissions
@@ -71,7 +71,7 @@ The tenant/global admin can grant permissions as follows
 
 
 
-#### Assign Application Developer role 
+#### Assign Application Developer role
 
 The tenant/global admin can assign the Application Developer role to an account. [Learn more](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
 
@@ -85,7 +85,7 @@ To enable Azure Migrate to create a Key Vault, assign role assignment permission
     - To run server assessment, **Contributor** permissions are enough.
     - To run agentless server migration, you should have **Owner** (or **Contributor** and **User Access Administrator**) permissions.
 
-3. If you don't have the required permissions, request them from the resource group owner. 
+3. If you don't have the required permissions, request them from the resource group owner.
 
 
 
@@ -94,7 +94,7 @@ To enable Azure Migrate to create a Key Vault, assign role assignment permission
 To prepare for VMware VM assessment, you need to:
 
 - **Verify VMware settings**. Make sure that the vCenter Server and VMs you want to migrate meet requirements.
-- **Set up an assessment account**. Azure Migrate needs to access the vCenter Server to discover VMs for assessment. You need a read-only account for Azure Migrate access.
+- **Set up an assessment account**. Azure Migrate needs to access the vCenter Server to discover VMs for assessment.
 - **Verify appliance requirements**. Verify deployment requirements for the Azure Migrate appliance used for assessment.
 
 ### Verify VMware settings
@@ -105,7 +105,13 @@ To prepare for VMware VM assessment, you need to:
 
 ### Set up an account for assessment
 
-Azure Migrate needs to access the vCenter Server to discover VMs for assessment and agentless migration. For assessment only, set up a read-only account for the vCenter Server.
+Azure Migrate needs to access the vCenter Server to discover VMs for assessment and agentless migration.
+
+- If you plan to discover applications or visualize dependency in an agentless manner, create a vCenter Server account with read-only access along with privileges enabled for **Virtual machines** > **Guest Operations**.
+
+  ![vCenter Server account privileges](./media/tutorial-prepare-vmware/vcenter-server-permissions.png)
+
+- If you are not planning to do application discovery and agentless dependency visualization, set up a read-only account for the vCenter Server.
 
 ### Verify appliance settings for assessment
 
@@ -115,7 +121,7 @@ Check appliance requirements before you deploy the appliance.
 2. If you're using a URL-based firewall proxy, [review](migrate-support-matrix-vmware.md#assessment-url-access-requirements) the Azure URLs that the appliance will need to access. Make sure that the proxy resolves any CNAME records received while looking up the URLs.
 3. Review the [performance data](migrate-appliance.md#collected-performance-data-vmware)] and [metadata](migrate-appliance.md#collected-metadata-vmware) that the appliance collects during discovery and assessment.
 4. [Note](migrate-support-matrix-vmware.md#assessment-port-requirements) the ports accessed by the appliance.
-5. On vCenter Server, make sure that your account has permissions to create a VM using an OVA file. You deploy the Azure Migrate appliance as a VMware VM, using an OVA file. 
+5. On vCenter Server, make sure that your account has permissions to create a VM using an OVA file. You deploy the Azure Migrate appliance as a VMware VM, using an OVA file.
 
 If you're using a URL-based firewall.proxy, allow access to the required [Azure URLs](migrate-support-matrix-vmware.md#assessment-url-access-requirements).
 
@@ -137,7 +143,7 @@ Review the requirements for agentless migration of VMware VMs.
 
 Review the requirements for [agent-based migration](server-migrate-overview.md) of VMware VMs.
 
-1. [Review](migrate-support-matrix-vmware.md#agent-based-migration-vmware-server-requirements) VMware server requirements. 
+1. [Review](migrate-support-matrix-vmware.md#agent-based-migration-vmware-server-requirements) VMware server requirements.
 2. Set up an account with the [required permissions](migrate-support-matrix-vmware.md#agent-based-migration-vcenter-server-permissions). so that Azure Migrate can access the vCenter Server for agent-based migration using Azure Migrate Server Migration.
 3. [Review](migrate-support-matrix-vmware.md#agent-based-migration-vmware-vm-requirements) the requirements for VMware VMs that you want to migrate to Azure using agent-based migration, including installation of the Mobility service on each VM you want to migrate.
 4. Note [URL access](migrate-support-matrix-vmware.md#agent-based-migration-url-access-requirements).
@@ -146,14 +152,13 @@ Review the requirements for [agent-based migration](server-migrate-overview.md)
 ## Next steps
 
 In this tutorial, you:
- 
-> [!div class="checklist"] 
+
+> [!div class="checklist"]
 > * Set up Azure permissions.
 > * Prepared VMware for assessment and migration.
 
 
 Continue to the second tutorial to set up an Azure Migrate project, and assess VMware VMs for migration to Azure.
 
-> [!div class="nextstepaction"] 
-> [Assess VMware VMs](./tutorial-assess-vmware.md) 
-
+> [!div class="nextstepaction"]
+> [Assess VMware VMs](./tutorial-assess-vmware.md)
