Merge pull request #85050 from Vikram1988/migrateGA

Important changes to Azure Migrate docs

Author: ktoliver

articles/migrate/media/tutorial-assess-vmware/assign-perms.png

@@ -56,8 +56,8 @@ Geography | You can create Azure Migrate projects in a number of geographies. Al
 | **Support**                | **Details**               
 | :-------------------       | :------------------- |
 | **Host deployment**       | The Hyper-V host can be standalone or deployed in a cluster. |
-| **Permissions**           | You need administrator permissions on the Hyper-V host. |
-| **Host operating system** | Windows Server 2016 or Windows Server 2012 R2.<br/> You can't assess VMs located on Hyper-V hosts running Windows Server 2019. |
+| **Permissions**           | You need administrator permissions on the Hyper-V host. <br/> Alternatively, if you don't want to assign Administrator permissions, create a local or domain user account and add the user to these groups- Remote Management Users, Hyper-V Administrators and Performance Monitor Users. |
+| **Host operating system** | Windows Server 2019, Windows Server 2016 or Windows Server 2012 R2.<br/> You can't assess VMs located on Hyper-V hosts running Windows Server 2012. |
 | **PowerShell Remoting**   | Must be enabled on each host. |
 | **Hyper-V Replica**       | If you use Hyper-V Replica (or you have multiple VMs with the same VM identifiers), and discover both the original and replicated VMs using Azure Migrate, the assessment generated by Azure Migrate might not be accurate. |
 
@@ -67,13 +67,8 @@ Geography | You can create Azure Migrate projects in a number of geographies. Al
 | **Support**                  | **Details**               
 | :----------------------------- | :------------------- |
 | **Operating system** | All [Windows](https://support.microsoft.com/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines) and [Linux](https://docs.microsoft.com/azure/virtual-machines/linux/endorsed-distros) operating systems that are supported by Azure. |
-| **Permissions**           | You need administrator permissions on each Hyper-V VM you want to assess. |
 | **Integration Services**       | [Hyper-V Integration Services](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/integration-services) must be running on VMs that you assess, in order to capture operating system information. |
-| **UEFI boot**                  | VMs with UEFI boot aren't supported for migration. |
-| **Encrypted disks/volumes**    | VMs with encrypted disks/volumes aren't supported for migration. |
-| **RDM/passthrough disks**      | If VMs have RDM or passthrough disks, these disks won't be replicated to Azure. |
-| **NFS**                        | NFS volumes mounted as volumes on the VMs won't be replicated. |
-| **Target disk**                | Azure Migrate assessments recommend migration to Azure VMs with managed disks only. |
+
 
 
 ## Assessment-appliance requirements
@@ -98,8 +93,8 @@ To assess VMs, the Azure Migrate appliance needs internet connectivity.
 **URL** | **Details**  
 --- | ---
 *.portal.azure.com | Navigation to the Azure portal
-*.windows.net | Sign in to your Azure subscription
-*.microsoftonline.com | Creation of Azure Active Directory applications for appliance to service communications.
+*.windows.net <br/> *.msftauth.net <br/> *.msauth.net <br/> *.microsoft.com <br/> *.live.com  | Sign in to your Azure subscription
+*.microsoftonline.com <br/> *.microsoftonline-p.com | Creation of Azure Active Directory applications for appliance to service communications.
 management.azure.com | Creation of Azure Active Directory applications for appliance to service communications.
 dc.services.visualstudio.com | Logging and monitoring
 *.vault.azure.net | Manage secrets in Azure Key Vault when communicating between the appliance and service.
@@ -114,7 +109,7 @@ The following table summarizes port requirements for assessment.
 
 **Device** | **Connection**
 --- | ---
-**Appliance** | Inbound connections on TCP port 3389 to allow remote desktop connections to the appliance.<br/> Inbound connections on port 44368 to remotely access the appliance management app using the URL: ``` https://<appliance-ip-or-name>:44368 ```<br/> Outbound connections on port 443 to send discovery and performance metadata to Azure Migrate.
+**Appliance** | Inbound connections on TCP port 3389 to allow remote desktop connections to the appliance.<br/> Inbound connections on port 44368 to remotely access the appliance management app using the URL: ``` https://<appliance-ip-or-name>:44368 ```<br/> Outbound connections on ports 443, 5671 and 5672 to send discovery and performance metadata to Azure Migrate.
 **Hyper-V host/cluster** | Inbound connections on WinRM ports 5985 (HTTP) and 5986 (HTTPS) to pull configuration and performance metadata of the Hyper-V VMs using a Common Information Model (CIM) session.
 
 ## Migration-Hyper-V host requirements

articles/migrate/migrate-support-matrix-hyper-v.md

@@ -85,8 +85,8 @@ The Azure Migrate appliance needs connectivity to the internet.
 **URL** | **Details**  
 --- | --- |
 *.portal.azure.com  | Navigate to the Azure Migrate in the Azure portal.
-*.windows.net | Log into your Azure subscription.
-*.microsoftonline.com | Create Active Directory apps for the appliance to communicate with the Azure Migrate service.
+*.windows.net <br/> *.msftauth.net <br/> *.msauth.net <br/> *.microsoft.com <br/> *.live.com | Log into your Azure subscription.
+*.microsoftonline.com <br/> *.microsoftonline-p.com | Create Active Directory apps for the appliance to communicate with the Azure Migrate service.
 management.azure.com | Create Active Directory apps for the appliance to communicate with the Azure Migrate service.
 dc.services.visualstudio.com | Upload app logs used for internal monitoring.
 *.vault.azure.net | Manage secrets in the Azure Key Vault.
@@ -99,7 +99,7 @@ http://aka.ms/latestapplianceservices<br/><br/> https://download.microsoft.com/d
 
 **Device** | **Connection**
 --- | ---
-Appliance | Inbound connections on TCP port 3389 to allow remote desktop connections to the appliance.<br/><br/> Inbound connections on port 44368 to remotely access the appliance management app using the URL: ```https://<appliance-ip-or-name>:44368``` <br/><br/>Outbound connections on port 443 to send discovery and performance metadata to Azure Migrate.
+Appliance | Inbound connections on TCP port 3389 to allow remote desktop connections to the appliance.<br/><br/> Inbound connections on port 44368 to remotely access the appliance management app using the URL: ```https://<appliance-ip-or-name>:44368``` <br/><br/>Outbound connections on port 443, 5671 and 5672 to send discovery and performance metadata to Azure Migrate.
 vCenter server | Inbound connections on TCP port 443 to allow the appliance to collect configuration and performance metadata for assessments. <br/><br/> The appliance connects to vCenter on port 443 by default. If the vCenter server listens on a different port, you can modify the port when you set up discovery.
 
 
@@ -170,8 +170,8 @@ The Azure Migrate appliance needs internet connectivity to the internet.
 **URL** | **Details**  
 --- | ---
 *.portal.azure.com | Navigate to the Azure Migrate in the Azure portal.
-*.windows.net | Log into your Azure subscription.
-*.microsoftonline.com | Create Active Directory apps for the appliance to communicate with the Azure Migrate service.
+*.windows.net <br/> *.msftauth.net <br/> *.msauth.net <br/> *.microsoft.com <br/> *.live.com  | Log into your Azure subscription.
+*.microsoftonline.com <br/> *.microsoftonline-p.com | Create Active Directory apps for the appliance to communicate with the Azure Migrate service.
 management.azure.com | Create Active Directory apps for the appliance to communicate with the Azure Migrate service.
 dc.services.visualstudio.com | Upload app logs used for internal monitoring.
 *.vault.azure.net | Manage secrets in the Azure Key Vault.

articles/migrate/migrate-support-matrix-vmware.md

@@ -176,8 +176,39 @@ This starts discovery. It takes around 15 minutes for metadata of discovered VMs
 
 ### Scoping discovery
 
-Discovery can be scoped by limiting access of the vCenter account used for discovery. You can set the scope to vCenter Server datacenters, clusters, folder of clusters, hosts, folder of hosts, or individual VMs. 
+Discovery can be scoped by limiting access of the vCenter account used for discovery. You can set the scope to vCenter Server datacenters, clusters, folder of clusters, hosts, folder of hosts, or individual VMs.
 
+To set the scope, you need to perform the following steps:
+1.	Create a vCenter user account.
+2.	Define a new role with required privileges. (<em> required for agentless Server Migration </em>)
+3.	Assign permissions to the user account on vCenter objects.
+
+**Create a vCenter user account**
+1.	Login to vSphere Web Client as the vCenter Server administrator.
+2.	Click **Administration** > **SSO users and Groups** > **Users** tab.
+3.	Click the **New User** icon.
+4.	Fill in the required information to create a new user and click **OK**.
+
+**Define a new role with required privileges** (<em> required for agentless Server Migration </em>)
+1.	Login to the vSphere Web Client as the vCenter Server administrator.
+2.	Browse to **Administration** > **Role Manager**.
+3.	Select your vCenter Server from the drop-down menu.
+4.	Click on **Create role** action.
+5.	Type a name for the new role. (such as <em>Azure_Migrate</em>).
+6.	Assign these [permissions](https://docs.microsoft.com/azure/migrate/migrate-support-matrix-vmware#agentless-migration-vcenter-server-permissions) to the newly defined role.
+7.	Click **OK**.
+
+**Assign permissions on vCenter objects**
+
+There are 2 approaches to assign permissions on inventory objects in vCenter to the vCenter user account with a role assigned to it.
+- For Server Assessment, **Read-only** role must be applied to the vCenter user account for all the parent objects where the VMs to be discovered are hosted. All parent objects - host, folder of hosts, cluster, folder of clusters in the hierarchy up to the data center are to be included. These permissions are to be propagated to child objects in the hierarchy. 
+
+    Similarly for Server Migration, a user-defined role (can be named <em> Azure _Migrate</em>) with these [privileges](https://docs.microsoft.com/azure/migrate/migrate-support-matrix-vmware#agentless-migration-vcenter-server-permissions) assigned must be applied to the vCenter user account for all the parent objects where the VMs to be migrated are hosted.
+
+![Assign permissions](./media/tutorial-assess-vmware/assign-perms.png)
+
+- The alternative approach is to assign the user account and role at the datacenter level and propagate them to the child objects. Then give the account a **No access** role for every object (such as VMs) that you don’t want to discover/migrate. This configuration is cumbersome. It exposes accidental access controls, because every new child object is also automatically granted access that's inherited from the parent. Therefore, we recommend that you use the first approach.
+ 
 > [!NOTE]
 > Today, Server Assessment is not able to discover VMs if the vCenter account has access granted at vCenter VM folder level. If you are looking to scope your discovery by VM folders, you can do so by ensuring the vCenter account has read-only access assigned at a VM level.  Following are instructions on how you can do this:
 >

articles/migrate/tutorial-assess-vmware.md

@@ -137,8 +137,8 @@ Run the script as follows:
     Hash values are:
     Hash | Value
     --- | ---
-    **MD5 hash** | 0ef418f31915d01f896ac42a80dc414e
-    **SHA256 hash**	| 0ad60e7299925eff4d1ae9f1c7db485dc9316ef45b0964148a3c07c80761ade2
+    **MD5** | 0ef418f31915d01f896ac42a80dc414e
+    **SHA256** | 0ad60e7299925eff4d1ae9f1c7db485dc9316ef45b0964148a3c07c80761ade2
 
 
 4.	After validating the script integrity, run the script on each Hyper-V host with this PowerShell command: