diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/Readme.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/Readme.md index 1096a5a3c..a5387c0f2 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/Readme.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/Readme.md @@ -11,11 +11,11 @@ - [Challenge 1 - Azure Arc prerequisites & onboarding](#challenge-1---azure-arc-prerequisites--onboarding) - [Challenge 2 - Azure Monitor integration](#challenge-2---azure-monitor-integration) - [Challenge 3 - Access Azure resources using Managed Identities from your on-premises servers](#challenge-3---access-azure-resources-using-managed-identities-from-your-on-premises-servers) - - [Challenge 4 - Microsoft Defender for Cloud integration with Azure Arc](#challenge-4---microsoft-defender-for-cloud-integration-with-azure-arc) - - [Challenge 5 - Best Practices assessment for Windows Server](#challenge-5---best-practices-assessment-for-windows-server) - - [Challenge 6 - Activate ESU for Windows Server 2012 R2 via Arc (optional)](#challenge-6---activate-esu-for-windows-server-2012-r2-via-arc---optional) - - [Challenge 7 - Azure Automanage Machine Configuration (optional)](#challenge-7---azure-automanage-machine-configuration---optional) - + - [Challenge 4 - Best Practices assessment for Windows Server](#challenge-4---best-practices-assessment-for-windows-server) + - [Challenge 5 - Activate ESU for Windows Server 2012 R2 via Arc (optional)](#challenge-5---activate-esu-for-windows-server-2012-r2-via-arc---optional) + - [Challenge 6 - Azure Automanage Machine Configuration (optional)](#challenge-6---azure-automanage-machine-configuration---optional) + - [Challenge 7 - Administrating arc-enabled VMs at scale with Azure Policy (optional)](#Challenge-7---Administrating-arc-enabled-VMs-at-scale-with-Azure-Policy---optional) + - [**Contributors**](#contributors) ## MicroHack introduction 
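Review bot: the new Challenge 7 entry in the table of contents uses a mixed-case fragment, `#Challenge-7---Administrating-arc-enabled-VMs-at-scale-with-Azure-Policy---optional`, while every other entry uses the lowercase form GitHub generates for heading ids; change it to `#challenge-7---administrating-arc-enabled-vms-at-scale-with-azure-policy---optional` so the link resolves. "Administrating" should also read "Administering", both here and in the heading it points to.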
@@ -68,11 +68,22 @@ After completing this MicroHack you will: This MicroHack has a few but important prerequisites to be understood before starting this lab! -* Your own Azure subscription with Owner RBAC rights at the subscription level - * [Azure Evaluation free account](https://azure.microsoft.com/en-us/free/search/?OCID=AIDcmmzzaokddl_SEM_0fa7acb99db91c1fb85fcfd489e5ca6e:G:s&ef_id=0fa7acb99db91c1fb85fcfd489e5ca6e:G:s&msclkid=0fa7acb99db91c1fb85fcfd489e5ca6e) -* You need to have 3 virtual machines ready and updated. One with a Linux operating system (tested with Ubuntu Server 24.04), one with Windows Server 2025 and one with Windows Server 2012 R2 (optional). You can use machines in Azure for this following this guide: [Azure Arc Jumpstart Servers](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_servers/azure/) - > **Note** - > When using the Jumpstart the virtual machines will already be onboarded to Azure Arc and therefore "Challenge 1 - Azure Arc prerequisites & onboarding" is not needed. +If you participate in the MicroHack as part of an official Microsoft or partner-led event: +* A microsoft account provided as part of the MicroHack, typically some variation of "MH-User" + a number +* A resource group with the name "mh-arc-onprem-" + your user ID, which contains three VMs with disabled azure agents, simulating an on-premise environment +* A resource group with the name "mh-arc-cloud-" + your user ID, which will be used to create adjacent resources + +![image](img/microhack_architecture_resource_groups.png) + +If you run the MircoHack independent from an official event: + * Your own Azure subscription with Owner RBAC rights at the subscription level + * [Azure Evaluation free account](https://azure.microsoft.com/en-us/free/search/?OCID=AIDcmmzzaokddl_SEM_0fa7acb99db91c1fb85fcfd489e5ca6e:G:s&ef_id=0fa7acb99db91c1fb85fcfd489e5ca6e:G:s&msclkid=0fa7acb99db91c1fb85fcfd489e5ca6e) + * You need to have 3 virtual machines ready and updated. 
One with a Linux operating system (tested with Ubuntu Server 24.04), one with Windows Server 2025 and one with Windows Server 2012 R2 (optional). You can use machines in Azure for this following this guide: [Azure Arc Jumpstart Servers](https://azurearcjumpstart.io/azure_arc_jumpstart/azure_arc_servers/azure/) + > **Note** + > When using the Jumpstart the virtual machines will already be onboarded to Azure Arc and therefore "Challenge 1 - Azure Arc prerequisites & onboarding" is not needed. + + +On your local machine: * [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) (Hint: Make sure to use the lastest version) * [Azure PowerShell Guest Configuration Cmdlets](https://learn.microsoft.com/en-us/azure/governance/machine-configuration/machine-configuration-create-setup#install-the-module-from-the-powershell-gallery) * It is not possible to run those commands from Azure Cloud Shell @@ -89,15 +100,15 @@ In challenge 1 you will prepare your Azure environemnt for onboarding of existin ### Actions * Create all necessary Azure resources - * Resource Group (Name: mh-arc-servers-rg) + * Resource Group (Name: mh-arc-servers-rg) - not relevant for MicroHack participants, as you have a RG provided for you * Service Principal (Name: mh-arc-servers-sp) -* Enable required Resource Providers +* Enable required Resource Providers - not relevant for MicroHack participants, as the resource provider is already activated * Prep existing server operating system on-prem * Onboard existing server to Azure Arc ### Success criteria -* You created an Azure resource group +* You created an Azure resource group - not relevant for MicroHack participants, as you have an RG provided for you * You created an service principal with the required role membership * Prepared successfully an existing Server OS * Onboarded server is visible in the Azure Arc plane in the Azure Portal 
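Review bot: "A microsoft account provided as part of the MicroHack" is inaccurate; the accounts that `assign-users.sh` creates are Microsoft Entra ID users in the event tenant (`MHUser<n>@<tenant>`), and "Microsoft account" names the consumer identity, so write "A Microsoft Entra ID user account provided as part of the MicroHack". In the same hunk, fix "MircoHack", "on-premise" (on-premises) and "disabled azure agents" (disabled Azure Guest agents), and "which will be used to create adjacent resources" could say what those are (the Arc and monitoring resources of the later challenges), since that is what the cloud resource group is for.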
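Review bot: "not relevant for MicroHack participants" is ambiguous now that the prerequisites distinguish participants of an official event from people running the hack on their own subscription; write "not relevant for participants of an official event" in all three places (the resource group action, the resource provider action and the success criterion). The service principal step is still listed for everyone, but the event users are plain Entra users with Owner on two resource groups only; confirm that they are allowed to create app registrations in the tenant, or mark that step as coach-provided as well.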
@@ -117,17 +128,16 @@ In challenge 1 you will prepare your Azure environemnt for onboarding of existin ### Goal -In challenge 2 you will onboard your Windows and Linux virtual machines to Azure Monitor using the Azure Monitoring Agent (AMA) to leverage Azure Update Management, Change Tracking, Inventory and more. Be aware that Microsoft curently shifts from the retiring Log Analytics Agent to Azure Monitoring Agent. By that some of the features used in challange 2 are currently in preview. +In challenge 2 you will onboard your Windows and Linux virtual machines to Azure Monitor using the Azure Monitoring Agent (AMA) to leverage Azure Update Manager, Change Tracking, Inventory and more. Be aware that Microsoft curently shifts from the retiring Log Analytics Agent to Azure Monitoring Agent. By that some of the features used in challange 2 are currently in preview. ### Actions * Create all necessary Azure resources - * Log Analytics workspace (Name: mh-arc-servers-kv-law) + * Log Analytics workspace (Name: mh-arc-servers-kv-law - for MicroHack Particicpants please add your ID to the name) * Configure Data Collection Rules in Log Analytics to collect Windows event logs and Linux syslog -* Enable Azure Monitor for Azure Arc enabled servers with Azure Policy initiative -* Enable and configure Update Management +* Enable VM Insights and the Azure Monitoring Agent +* Enable and configure Update Manager * Enable Change Tracking and Inventory -* Enable VM Insights ### Success criteria 
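Review bot: typo "Particicpants" in "for MicroHack Particicpants please add your ID to the name"; while touching this hunk, "curently" and "challange" in the unchanged Goal paragraph could be fixed too. The bullet "Enable VM Insights and the Azure Monitoring Agent" replaces the policy-based rollout that now lives in Challenge 7, so it would help to say here that the agent is installed per machine from the portal in this challenge and at scale later.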
@@ -144,11 +154,9 @@ In challenge 2 you will onboard your Windows and Linux virtual machines to Azure * [Create a Log Analytics workspace in the Azure portal](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace) * [Deployment options for Azure Monitor agent on Azure Arc-enabled servers](https://learn.microsoft.com/en-us/azure/azure-arc/servers/concept-log-analytics-extension-deployment) * [Data collection rules in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview) -* [Azure Policy built-in definitions for Azure Arc-enabled servers](https://docs.microsoft.com/en-us/azure/azure-arc/servers/policy-reference) -* [Azure Update Management Center](https://learn.microsoft.com/en-us/azure/update-center/overview) -* [Enable Change Tracking and Inventory using Azure Monitoring Agent (Preview)](https://learn.microsoft.com/en-us/azure/automation/change-tracking/enable-vms-monitoring-agent?tabs=singlevm) +* [Azure Update Manager](https://learn.microsoft.com/en-us/azure/update-manager/overview) * [Monitor a hybrid machine with VM insights](https://docs.microsoft.com/en-us/azure/azure-arc/servers/learn/tutorial-enable-vm-insights) - +* [Enable Change Tracking and Inventory](https://learn.microsoft.com/en-us/azure/automation/change-tracking/enable-vms-monitoring-agent?tabs=singlevm%2Cmultiplevms&pivots=single-portal) ### Solution - Spoilerwarning @@ -163,7 +171,7 @@ Managing secrets, credentials or certificates to secure communication between di ### Actions * Create an Azure Key Vault in your Azure resource group -* Create a secret in the Azure Key Vault and assign permissions to your virtual machine vm-linux-mh0 +* Create a secret in the Azure Key Vault and assign permissions to your arc managed virtual machine running linux * Access the secret via bash script ### Success Criteria 
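Review bot: "your arc managed virtual machine running linux" should be "your Arc-enabled virtual machine running Linux" to match the capitalization used elsewhere in the README. The blank line before "### Solution - Spoilerwarning" was dropped in the learning-resources hunk; keep it so the list and the heading stay separated like in the other challenges.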
@@ -181,34 +189,8 @@ Managing secrets, credentials or certificates to secure communication between di [Solution Steps](./walkthrough/challenge-3/solution.md) -## Challenge 4 - Microsoft Defender for Cloud integration with Azure Arc - -### Goal - -* In this challenge, we will integrate your Azure Arc connected machines with Azure Defender for Cloud. After completing the previous challenges, you should now have an Azure subscription with one or more Azure Arc-enabled servers. You should also have an available Log Analytics workspace and have deployed the Log Analytics agent to your server(s). - -### Actions - -* Enable Microsoft Defender for Cloud on your Azure Arc-enabled machines. - -### Success criteria - -* Open Microsoft Defender for Cloud and view the Secure Score for your Azure Arc-enabled machine(s). - -### Learning resources - -* [What is Microsoft Defender for Cloud?](https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) -* [Quickstart: Connect your non-Azure machines to Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc) -* [Connect Azure Arc-enabled servers to Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-security-center) -* [Protect non-Azure resources using Azure Arc and Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/protect-non-azure-resources-using-azure-arc-and-microsoft/ba-p/2277215) -* [Deploy the Azure Monitor Agent to protect your servers with Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent) - - -### Solution - Spoilerwarning - -[Solution Steps](./walkthrough/challenge-4/solution.md) -## Challenge 5 - Best Practices assessment for Windows Server +## Challenge 4 - Best Practices assessment for Windows Server ### Goal 
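Review bot: dropping the Defender for Cloud challenge removes the only step that looks at the security posture of the onboarded servers, and the diff gives no reason; if this is intentional, say so in the introduction, and delete `walkthrough/challenge-4/solution.md`, which this hunk unlinks, in the same change rather than leaving an orphaned walkthrough.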
@@ -235,7 +217,7 @@ In this challenge, you will configure and deploy the Best Practices Assessment f [Solution Steps](./walkthrough/challenge-5/solution.md) -## Challenge 6 - Activate ESU for Windows Server 2012 R2 via Arc - optional +## Challenge 5 - Activate ESU for Windows Server 2012 R2 via Arc - optional ### Goal @@ -260,7 +242,11 @@ In this challenge, you will activate Extended Security Updates (ESU) for Windows [Solution Steps](./walkthrough/challenge-6/solution.md) -## Challenge 7 - Azure Automanage Machine Configuration - optional +## Challenge 6 - Azure Automanage Machine Configuration - optional + +### Disclaimer + +This challenge is only available on x86 based processors. ### Goal 
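Review bot: the headings were renumbered but the solution links were not, so the new "Challenge 4 - Best Practices assessment for Windows Server" still points at `./walkthrough/challenge-5/solution.md`, Challenge 5 at `challenge-6` and Challenge 6 at `challenge-7`; either rename the walkthrough folders in this change or update the three links. "x86 based" in the new Disclaimer should be "x86-based".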
@@ -290,6 +276,32 @@ This challenge is about interacting with the client operating system. We will ha [Solution Steps](./walkthrough/challenge-7/solution.md) +## Challenge 7 - Administrating arc-enabled VMs at scale with Azure Policy - optional + +### Goal + +In this challenge, we will re-install the Azure Monitoring agent on our machines, but instead of using the Azure portal to select individual machines, we will use Azure Policy to roll out the Agent. This approach enables scalable, automated administration of large fleets of Arc-enabled servers. + +### Actions + +* Disable Azure Monitoring Insights and the Azure Monitoring Agent through the Azure Portal +* Setup an Initivative that re-installs the AMA on the machines and associates it with a suitable DCR (either a new one or from Challenge 2) + +### Success criteria + +* The AMA is deployed to the machines through Azure Policy + +### Learning resources + +* [Azure Policy Overview](https://learn.microsoft.com/en-us/azure/governance/policy/overview) +* [Deploy if not exists effect in Azure Policy](https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists) +* [Azure Policy built-in definitions for Azure Arc-enabled servers](https://docs.microsoft.com/en-us/azure/azure-arc/servers/policy-reference) +* [Deploy and configure Azure Monitor Agent using Azure Policy](https://learn.microsoft.com/en-us/azure/azure-arc/servers/deploy-ama-policy) + +### Solution - Spoilerwarning + +[Solution Steps](./walkthrough/challenge-8/solution.md) + ## Finish Congratulations! You finished the MicroHack Azure Arc for Servers. We hope you had the chance to learn about the Hybrid capabilities of Azure. 
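Review bot: the new Challenge 7 links to `./walkthrough/challenge-8/solution.md`, which this diff does not add; add the walkthrough or mark the link as pending. The Actions should also include creating a remediation task: a deployIfNotExists assignment only remediates resources that are created or updated after the assignment, so the already-onboarded servers are reported non-compliant and do not get the AMA until a remediation task runs, and the assignment's managed identity must hold the role the definition requests on the scope. Typos: "Initivative", "Setup an" (Set up an), "Administrating" (Administering).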
@@ -303,4 +315,5 @@ Thank you for investing the time and see you next time! * Christian Thönes [Github](https://github.com/cthoenes); [LinkedIn](https://www.linkedin.com/in/christian-t-510b7522/) * Nils Bankert [GitHub](https://github.com/nilsbankert); [LinkedIn](https://www.linkedin.com/in/nilsbankert/) * Alexander Ortha [GitHub](https://github.com/alexor-ms/); [LinkedIn](https://www.linkedin.com/in/alexanderortha/) -* Christoph Süßer (Schmidt) [GitHub](https://github.com/TheFitzZZ); [LinkedIn](https://www.linkedin.com/in/suesser/) \ No newline at end of file +* Christoph Süßer (Schmidt) [GitHub](https://github.com/TheFitzZZ); [LinkedIn](https://www.linkedin.com/in/suesser/) +* Adrian Bossert [GitHub](https://github.com/adrianms509); [LinkedIn](https://www.linkedin.com/in/adrian-bossert/) \ No newline at end of file diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/img/microhack_architecture_resource_groups.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/img/microhack_architecture_resource_groups.png new file mode 100644 index 000000000..e9bf0a427 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/img/microhack_architecture_resource_groups.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json deleted file mode 100644 index 93b022c99..000000000 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json +++ /dev/null 
@@ -1,347 +0,0 @@ -{ - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "dataCollectionRuleName": { - "type": "string", - "metadata": { - "description": "Specifies the name of the data collection rule to create." - }, - "defaultValue": "DCR-ChangeTracking" - }, - "workspaceResourceId": { - "type": "string", - "metadata": { - "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data." - } - } - }, - "variables": { - "subscriptionId": "[substring(parameters('workspaceResourceId'), 15, sub(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 15))]", - "resourceGroupName": "[substring(parameters('workspaceResourceId'), add(indexOf(parameters('workspaceResourceId'), '/resourceGroups/'), 16), sub(sub(indexOf(parameters('workspaceResourceId'), '/providers/'), indexOf(parameters('workspaceResourceId'), '/resourceGroups/')),16))]", - "workspaceName": "[substring(parameters('workspaceResourceId'), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1), sub(length(parameters('workspaceResourceId')), add(lastIndexOf(parameters('workspaceResourceId'), '/'), 1)))]" - }, - "resources": [ - { - "type": "microsoft.resources/deployments", - "name": "get-workspace-region", - "apiVersion": "2020-08-01", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "workspaceLocation": { - "type": "string", - "value": "[reference(parameters('workspaceResourceId'), '2020-08-01', 'Full').location]" - } - } - } - } - }, - { - "type": "microsoft.resources/deployments", - "name": "CtDcr-Deployment", - "apiVersion": "2020-08-01", - "properties": { - "mode": "Incremental", - "parameters": { - "workspaceRegion": { - "value": 
"[reference('get-workspace-region').outputs.workspaceLocation.value]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "workspaceRegion": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Insights/dataCollectionRules", - "apiVersion": "2021-04-01", - "name": "[parameters('dataCollectionRuleName')]", - "location": "[[parameters('workspaceRegion')]", - "properties": { - "description": "Data collection rule for CT.", - "dataSources": { - "extensions": [ - { - "streams": [ - "Microsoft-ConfigurationChange", - "Microsoft-ConfigurationChangeV2", - "Microsoft-ConfigurationData" - ], - "extensionName": "ChangeTracking-Windows", - "extensionSettings": { - "enableFiles": true, - "enableSoftware": true, - "enableRegistry": true, - "enableServices": true, - "enableInventory": true, - "registrySettings": { - "registryCollectionFrequency": 3000, - "registryInfo": [ - { - "name": "Registry_1", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup", - "valueName": "" - }, - { - "name": "Registry_2", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown", - "valueName": "" - }, - { - "name": "Registry_3", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", - "valueName": "" - }, - { - "name": "Registry_4", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components", - "valueName": "" - }, - { - 
"name": "Registry_5", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers", - "valueName": "" - }, - { - "name": "Registry_6", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers", - "valueName": "" - }, - { - "name": "Registry_7", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers", - "valueName": "" - }, - { - "name": "Registry_8", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers", - "valueName": "" - }, - { - "name": "Registry_9", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers", - "valueName": "" - }, - { - "name": "Registry_10", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", - "valueName": "" - }, - { - "name": "Registry_11", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", - "valueName": "" - }, - { - "name": "Registry_12", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions", - "valueName": "" - }, - { - 
"name": "Registry_13", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions", - "valueName": "" - }, - { - "name": "Registry_14", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", - "valueName": "" - }, - { - "name": "Registry_15", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32", - "valueName": "" - }, - { - "name": "Registry_16", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls", - "valueName": "" - }, - { - "name": "Registry_17", - "groupTag": "Recommended", - "enabled": false, - "recurse": true, - "description": "", - "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", - "valueName": "" - } - ] - }, - "fileSettings": { - "fileCollectionFrequency": 2700 - }, - "softwareSettings": { - "softwareCollectionFrequency": 1800 - }, - "inventorySettings": { - "inventoryCollectionFrequency": 36000 - }, - "servicesSettings": { - "serviceCollectionFrequency": 1800 - } - }, - "name": "CTDataSource-Windows" - }, - { - "streams": [ - "Microsoft-ConfigurationChange", - "Microsoft-ConfigurationChangeV2", - "Microsoft-ConfigurationData" - ], - "extensionName": "ChangeTracking-Linux", - "extensionSettings": { - "enableFiles": true, - "enableSoftware": true, - "enableRegistry": false, - "enableServices": true, - "enableInventory": true, - "fileSettings": { - "fileCollectionFrequency": 900, - "fileInfo": [ - { - "name": "ChangeTrackingLinuxPath_default", - "enabled": true, - "destinationPath": 
"/etc/.*.conf", - "useSudo": true, - "recurse": true, - "maxContentsReturnable": 5000000, - "pathType": "File", - "type": "File", - "links": "Follow", - "maxOutputSize": 500000, - "groupTag": "Recommended" - } - ] - }, - "softwareSettings": { - "softwareCollectionFrequency": 300 - }, - "inventorySettings": { - "inventoryCollectionFrequency": 36000 - }, - "servicesSettings": { - "serviceCollectionFrequency": 300 - } - }, - "name": "CTDataSource-Linux" - } - ] - }, - "destinations": { - "logAnalytics": [ - { - "workspaceResourceId": "[parameters('workspaceResourceId')]", - "name": "Microsoft-CT-Dest" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "Microsoft-ConfigurationChange", - "Microsoft-ConfigurationChangeV2", - "Microsoft-ConfigurationData" - ], - "destinations": [ - "Microsoft-CT-Dest" - ] - } - ] - } - }, - { - "type": "Microsoft.OperationsManagement/solutions", - "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]", - "location": "[[parameters('workspaceRegion')]", - "apiVersion": "2015-11-01-preview", - "id": "[Concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.OperationsManagement/solutions/ChangeTracking', '(', variables('workspaceName'), ')')]", - "properties": { - "workspaceResourceId": "[parameters('workspaceResourceId')]" - }, - "plan": { - "name": "[Concat('ChangeTracking', '(', variables('workspaceName'), ')')]", - "product": "OMSGallery/ChangeTracking", - "promotionCode": "", - "publisher": "Microsoft" - } - } - ] - } - } - } - ] -} diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/README.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/README.md index f0b9ec489..cccb42086 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/README.md 
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/README.md 
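Review bot: deleting `template-DCR-ChangeTracking.json` leaves the Challenge 2 action "Enable Change Tracking and Inventory" without the DCR the old walkthrough deployed; confirm that `walkthrough/challenge-2/solution.md` no longer references `resources/ChangeTracking/template-DCR-ChangeTracking.json` and state in the README where the Change Tracking DCR now comes from (the new learning-resource link points to the portal flow). For anyone keeping a copy of the removed template: all 17 `registryInfo` entries (Run keys, `Winlogon\Notify`, `KnownDlls`, Browser Helper Objects and the rest) carried `"enabled": false`, so despite `"enableRegistry": true` it never collected registry changes.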
@@ -1,7 +1,7 @@ # Overview -As a coach (or participant) you might need to have some VMs available which you can use in this microhack to onboard via Arc to Azure. This folder provides scripts and templates to quickly create such VMs. As deployment platform Azure IaaS will be used. Azure VMs need to be [reconfigured](https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine) in order to simulate on-prem VMs, so that the Azure Guest agent does not interfere with the Azure Arc agent. The scripts to reconfigure this are included in the ```create_vms.sh```. +As a coach (or participant) you might need to have some VMs available which you can use in this microhack to onboard via Arc to Azure. This folder provides scripts and templates to quickly create such VMs and resource groups. As deployment platform Azure IaaS will be used. Azure VMs need to be [reconfigured](https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine) in order to simulate on-prem VMs, so that the Azure Guest agent does not interfere with the Azure Arc agent. The scripts to reconfigure this are included in the ```create-vms-and-rgs.sh```. -For each participant, you will need one Windows 2012 R2, one Windows 2025 and one Linux VM. You can provide the number of participants in the script. The script will then create 1 Windows 2012 R2, 1 Windows 2025 and 1 Ubuntu 24_04-lts-gen2 VM for each participant. +For each participant, you will need one Windows 2012 R2, one Windows 2025 and one Linux VM. You can provide the number of participants in the script. The script will then create 1 Windows 2012 R2, 1 Windows 2025 and 1 Ubuntu 24_04-lts-gen2 VM for each participant. The VMs will be created in one individual resource group per particpant. Additionally, the script creates another resource group for each participant to deploy their arc resources during the MicroHack. ## Deployment instructions Open a bash shell and login to Azure: 
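Review bot: typo "particpant" in "one individual resource group per particpant", and "arc resources" should be "Arc resources". Since the Overview now describes creating users as well as VMs, it should also say that `assign-users.sh` disables every Conditional Access policy in the tenant, which a coach needs to know before pointing the scripts at a shared tenant.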
@@ -10,20 +10,37 @@ az login ``` Make sure you are using the subscription you intent to (if not, set it to the correct subscription: ```az account set -s ```). -Open the file ```create_vms.sh``` in an editor and adjust the parameters as needed. +Now that you're ready to deploy, the next steps are to create the VMs, resource groups, and users, and then assign each user to their respective resource groups. Each participant will receive one on-prem and one Arc resource group. This is done using two scripts: ```create-vms-and-rgs.sh``` and ```assign-users.sh```. You can run them individually as described below, or simply use ```create-and-assign.sh``` to execute both in sequence. Just make sure to run ```create-vms-and-rgs.sh``` **before** ```assign-users.sh```. Follow the instructions to adjust the parameters and make the files executable: + +Open the file ```create-vms-and-rgs.sh``` in an editor and adjust the parameters as needed. |Parameter |Description |Default value | |----------------- |---------------|------------| -|resourceGroupName |The name of the resource group the VMs willl get deployed to. Will be created if not existing|rg-on-prem-vms| -|resourceGroupLocation |Azure region where your resource group will be created in|germanywestcentral| +|resourceGroupforOnpremBase |The base name of the resource groups the VMs willl get deployed to. Will be created if it does not exist|mh-arc-onprem- + ID| +|resourceGroupforOnpremLocation |Azure region where your resource groups for the VMs will be created in|germanywestcentral| +|resourceGroupforArcBase |The base name of the empty resource groups that are created for arc resources. 
Will be created if it does not exist|mh-arc-cloud- + ID| +|resourceGroupforArcLocation |Azure region where your resource groups for the arc resources be created in|westeurope| |adminUsername |local admin/root account in your VMs (will be the same for all machines)|mhadmin| |adminPassword |local admin/root password (will be the same for all machines). Use a password which honors complexity rules for Windows & Ubuntu|Pick a safe one| |number_of_participants |Adjust this to the number of participants in your cohort. For each particpants 2 VMs are created|10| |regions |An array of regions to which you want to deploy. If using a Sponsored subscription, you might have core limits per region. If providing more than one region in the array, the script will iterate through the regions and distribute the VMs evenly to the named regions. 2 Win and 1 Linux VM will be deployed to a region before moving on in the iteration|("germanywestcentral" "swedencentral" "francecentral")| |virtualMachineSize |You can adjust the VM size if needed|Standard_D2ads_v5| -Save the file. Make sure the shell script has execution permission in your directory (if not add it: ```chmod +x create_vms.sh```). Now, execute the shell script +Save the file. Make sure the shell script has execution permission in your directory (if not add it: ```chmod +x create-vms-and-rgs.sh```). Now, execute the shell script ```shell -./create_vms.sh +./create_vms-and-rgs.sh ``` +Afterward creating the VMs and resource groups, you can create the users assign them to the resource groups with ```assign-users.sh``` script. First, open the file ```assign-users.sh``` in an editor and adjust the parameters as needed. Make sure the match your values for resource group names and number of participants defined in ```create-vms-and-rgs.sh```. + +|Parameter |Description |Default value | +|----------------- |---------------|------------| +|resourceGroupforOnpremBase |The base name of the resource groups the VMs willl get deployed to. 
Will be created if it does not exist. Must match the base name in create-vms-and-rgs.sh |mh-arc-onprem- + ID| +|resourceGroupforArcBase |The base name of the empty resource groups that are created for arc resources. Will be created if it does not exist. Must match the base name in create-vms-and-rgs.sh |mh-arc-cloud- + ID| +|password | Microsoft Entra password of all users, used for logging into the Azure Portal. | Pick a safe one that fulfills the complexity requirements| +|number_of_participants |Adjust this to the number of participants in your cohort. Must match the number of participants in create-vms-and-rgs.sh. |10| + +Save the file. Make sure the shell script has execution permission in your directory (if not add it: ```chmod +x assign-users.sh```). Now, execute the shell script +```shell +./assign-users.sh.sh +``` \ No newline at end of file diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/assign-users.sh b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/assign-users.sh new file mode 100755 index 000000000..c4e235651 --- /dev/null +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/assign-users.sh 
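Review bot: both run commands are wrong: `./create_vms-and-rgs.sh` should be `./create-vms-and-rgs.sh` (the file is named with hyphens, as in the chmod line above it), and `./assign-users.sh.sh` should be `./assign-users.sh`. Grammar: "Afterward creating" (After creating), "create the users assign them" (create the users and assign them), "Make sure the match your values" (Make sure they match your values), and "willl" in both tables. The `password` row documents one Microsoft Entra password for all users; add that the MHUser accounts are meant to be deleted after the event, since the shared credential is known to every participant.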
@@ -0,0 +1,55 @@ +#!/bin/bash + +# Make sure to first create your VMs and resource groups with the create-vms-and-rgs.sh before running this script +# You can also use the create-and-assign.sh to run the scripts in sequence automatically + +# Variables +resourceGroupforOnpremBase="mh-arc-onprem" +resourceGroupforArcBase="mh-arc-cloud" +password="REPLACE-ME" +number_of_participants=10 + +# Disable all Conditional access policies to enable frictionless login for participants +token=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken --output tsv) +policy_ids=$(az rest --method get \ + --uri https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies \ + --headers "Authorization=Bearer $token" \ + --query "value[].id" \ + --output tsv) + +for id in $policy_ids; do + echo "Disabling conditional access policy with ID: $id" + az rest --method patch \ + --uri https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$id \ + --headers "Authorization=Bearer $token" "Content-Type=application/json" \ + --body '{"state": "disabled"}' +done + +# Enable all necesarry resource providers for the challenges +echo Enabling resource providers... +az provider register --namespace Microsoft.KeyVault +az provider register --namespace Microsoft.HybridCompute + +# Create users and assign resource groups +tenant=$(az account show --query tenantDefaultDomain --output tsv) + +for i in $(eval echo {0..$(($number_of_participants-1))}); do + displayName="MHUser$i" + userPrincipalName="MHUser$i@$tenant" + resourceGroupOnpremId=$(az group show --name "$resourceGroupforOnpremBase-$i" --query "id" --output tsv) + resourceGroupArcId=$(az group show --name "$resourceGroupforArcBase-$i" --query "id" --output tsv) + + echo Creating user $displayName... 
+ az ad user create \ + --display-name "$displayName" \ + --user-principal-name "$userPrincipalName" \ + --password "$password" + user=$(az ad user show --id "$userPrincipalName" --query "id" --output tsv) + + echo Assigning $displayName to resource groups... + # Owner required in case we want to run SSH using Azure CLI + az role assignment create --assignee "$user" --role "Owner" --scope "$resourceGroupOnpremId" --output none + # Policy Contributer and RBAC write needed to assign DINE policies in challenge 7, requiring owner role + az role assignment create --assignee "$user" --role "Owner" --scope "$resourceGroupArcId" --output none + +done \ No newline at end of file diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create-and-assign.sh b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create-and-assign.sh new file mode 100755 index 000000000..600375f46 --- /dev/null +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create-and-assign.sh @@ -0,0 +1,11 @@ +############################################################################################ +# # +# Make sure to adjust the parameters in both scripts to match your intended values!!! # +# # +############################################################################################ + +echo Creating VMs and resource groups... +./create-vms-and-rgs.sh + +echo create users and assign to resource groups... +./assign-users.sh \ No newline at end of file 
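Review bot: the Conditional Access block in assign-users.sh disables every Conditional Access policy in the tenant, with no scoping, no confirmation prompt and no record of which policies were enabled beforehand, so there is no way to restore the prior state after the event; a coach running this against a shared or production tenant removes MFA and device controls for every user, not just the MHUser accounts. At minimum, write the policy list and their `state` values to a file before the `az rest --method patch` loop and require an explicit confirmation; the better fix is to leave the policies alone and exclude the participant accounts (or a group containing them) from the relevant policies. Two smaller points in the user-creation loop: all participants receive the same password and it is passed on the command line, so consider `az ad user create ... --force-change-password-next-sign-in true` so the shared secret is rotated at first login; and the comments read "Policy Contributer" and "necesarry" (should be "Contributor", "necessary").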
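Review bot: create-and-assign.sh has no shebang and no `set -e`, so if `./create-vms-and-rgs.sh` fails part-way (core quota, wrong region, missing template) the script still proceeds to `./assign-users.sh`, which then disables Conditional Access and creates users against half-built resource groups. Add `#!/bin/bash` and `set -euo pipefail` at the top, or chain the two calls with `&&`, and consider a `cd "$(dirname "$0")"` so the relative script paths do not depend on the caller's working directory (create-and-onboard.sh already does its own `cd`).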
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create_vms.sh b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create-vms-and-rgs.sh old mode 100644 new mode 100755 similarity index 76% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create_vms.sh rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create-vms-and-rgs.sh index 97698b8ac..de9b97505 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create_vms.sh +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-creator/create-vms-and-rgs.sh @@ -1,6 +1,8 @@ # adjust parameters with your own values as needed -resourceGroupName="mh-arc-onprem-demo" -resourceGroupLocation="germanywestcentral" +resourceGroupforOnpremBase="mh-arc-onprem" +resourceGroupforOnpremLocation="germanywestcentral" +resourceGroupforArcBase="mh-arc-cloud" +resourceGroupforArcLocation="westeurope" adminUsername="mhadmin" adminPassword="REPLACE-ME" 
@@ -12,12 +14,17 @@ adminPassword="REPLACE-ME" # the script takes about 3min per VM (resulting in 9min per participant). number_of_participants=10 -regions=("germanywestcentral" "italynorth" "swedencentral" "francecentral" "polandcentral" "uksouth") +regions=("italynorth" "swedencentral" "francecentral" "polandcentral" "uksouth") virtualWinMachineSize="Standard_D2ds_v4" # use a vm size with only 2 cores to avoid core limit issues in sponsored subscriptions virtualLnxMachineSize="Standard_DS1_v2" # use a vm size with only 1 core to avoid core limit issues in sponsored subscriptions -# create a resource group -az group create --name $resourceGroupName --location $resourceGroupLocation +# create resource groups for each participant +for i in $(eval echo {0..$(($number_of_participants-1))}) +do + az group create --name "$resourceGroupforOnpremBase-$i" --location "$resourceGroupforOnpremLocation" + az group create --name "$resourceGroupforArcBase-$i" --location "$resourceGroupforArcLocation" +done + number_of_regions=${#regions[@]} echo "Number of regions: $number_of_regions" number_of_loops=$((number_of_participants * 3 - 1 )) @@ -42,7 +49,7 @@ do virtualMachineSize=$virtualWinMachineSize fi - vmName="vm-$type-mh$i" + vmName="vm-$type-$i" echo "Creating VM $vmName in $location" networkInterfaceName="$vmName-nic" @@ -54,7 +61,7 @@ do # Create a VM az deployment group create \ - --resource-group $resourceGroupName \ + --resource-group "$resourceGroupforOnpremBase-$i" \ --name $deploymentName \ --template-file ./template-$type.json \ --parameters @parameters-$type.json \ 
@@ -66,17 +73,17 @@ do networkSecurityGroupName=$networkSecurityGroupName \ virtualNetworkName=$virtualNetworkName \ virtualMachineComputerName=$virtualMachineComputerName \ - virtualMachineRG=$resourceGroupName \ + virtualMachineRG="$resourceGroupforOnpremBase-$i" \ virtualMachineSize=$virtualMachineSize \ location=$location # Run the reconfig script to disable the Azure Guest Agent if [ $type != "linux" ]; then echo "Running reconfig-win.ps1 on $vmName" - az vm run-command create --name reconfigWin$i --vm-name $vmName -g $resourceGroupName --location $location --script @reconfig-win.ps1 --async-execution + az vm run-command create --name reconfigWin$i --vm-name $vmName -g "$resourceGroupforOnpremBase-$i" --location $location --script @reconfig-win.ps1 --async-execution else echo "Running reconfig-ubuntu.sh on $vmName" - az vm run-command invoke -g $resourceGroupName -n $vmName --command-id RunShellScript --scripts @reconfig-ubuntu.sh --no-wait + az vm run-command invoke -g "$resourceGroupforOnpremBase-$i" -n $vmName --command-id RunShellScript --scripts @reconfig-ubuntu.sh --no-wait fi done diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/README.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/README.md index 311a16798..9f7a888de 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/README.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/README.md 
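Review bot: the `--resource-group "$resourceGroupforOnpremBase-$i"`, `virtualMachineRG=...-$i` and run-command `-g ...-$i` changes reuse `$i` from the enclosing VM loop, whose header is not in the hunk; that loop is sized by `number_of_loops=$((number_of_participants * 3 - 1))`, so if `$i` is its counter it runs to 3N-1 while only resource groups 0..N-1 are created in the new `az group create` loop, and every VM past the first N deployments would fail with a missing resource group. Please confirm `$i` is the participant index here, or derive it explicitly (for example `participant=$((i / 3))` with three VMs per participant) and use that in the resource-group name and in `vmName="vm-$type-$i"`.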
@@ -1,7 +1,7 @@ # Overview As a coach (or consultant) you might want to quickly prepare a demo environment for Azure arc-enabled servers. You can use the scripts provided in this folder to -- create multiple VMs in Azure to mimick your on-prem machines. They will be prepared by removing the Azure agent using the 'create_vms.sh' script from folder [demo-vm-creator](../demo-vm-creator/). -- automatically onboard all VMs of a given resource group in Azure to Azure Arc using ansible onboarding playbooks. The VMs must be stripped of the Azure agent and Windows machines must be configured for remote WinRM and network connection must be possible via WinRM port. If creating the machines with the demo-vm-creator folder, this will automatically be configured. +- create multiple VMs in Azure to mimick your on-prem machines. They will be prepared by removing the Azure agent using the 'create_vms-and-rgs.sh' script from folder [demo-vm-creator](../demo-vm-creator/). +- automatically onboard all VMs of resource groups that contain the string of the variable `resourceGroupforOnpremBase` in their name in Azure to Azure Arc using ansible onboarding playbooks. The VMs must be stripped of the Azure agent and Windows machines must be configured for remote WinRM and network connection must be possible via WinRM port. If creating the machines with the demo-vm-creator folder, this will automatically be configured. You can either create and onboard in separate steps, or you can use the 'create-and-onboard.sh' script to to both steps in one script. 
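Review bot: `'create_vms-and-rgs.sh'` in the first added bullet has the same underscore/hyphen mismatch as the creator README; the script renamed in this PR is `create-vms-and-rgs.sh`. While touching the line, "mimick" -> "mimic", and the unchanged context sentence below reads "to to both steps" (should be "to do both steps").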
@@ -29,14 +29,13 @@ Open the file ```arc-enable-vms.sh``` in an editor and adjust the parameters as |Parameter |Description |Default value | |----------------- |---------------|------------| -|resourceGroupforOnprem |The name of the resource group where the VMs are located which shall be onboarded to Azure arc |mh-arc-onprem| -|resourceGroupforArc |Name of resource group where the arc resources will get onboarded to. Will be created if not exists. |mh-arc-cloud| +|resourceGroupforOnprem |The base name of the resource groups where the VMs are located which shall be onboarded to Azure arc |mh-arc-onprem- + ID| +|resourceGroupforArc |The base name of resource groups where the arc resources will get onboarded to. Will be created if not exists. |mh-arc-cloud- + ID| |adminUsername |local admin/root account in your VMs (same for all machines)|mhadmin| |adminPassword |local admin/root password (same for all machines). Use a password which honors complexity rules for Windows & Ubuntu|REPLACE-ME| -|arcRegion |the region to which vms will be onboarded | westeurope | |triggerPolicyEvaluation |If you onboard VMs to an environement where Azure Policies are used to install arc extensions such as Monitoring etc. you can set this to 'true' so the policy evaluation gets triggered after onboarding | true | -Save the file. Make sure the all shell scripts have execution permission in your directory (if not add it i.e.: ```chmod +x create_vms.sh```). +Save the file. Make sure the all shell scripts have execution permission in your directory (if not add it i.e.: ```chmod +x create_vms-and-rgs.sh```). If you want to just onboard existing VMs, execute ```shell diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/arc-enable-vms.sh b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/arc-enable-vms.sh old mode 100644 new mode 100755 index e0c1ab05a..e1349e2bf 
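Review bot: the parameter table is now out of step with arc-enable-vms.sh as changed in this PR: the script variables are `resourceGroupforOnpremBase` and `resourceGroupforArcBase`, not `resourceGroupforOnprem`/`resourceGroupforArc`, and the new `number_of_participants` variable the script loops over is not documented at all. The `resourceGroupforArc` row still says "Will be created if not exists", but the `az group create` for the Arc resource group was removed from the script together with `arcRegion`, so those groups must already exist from create-vms-and-rgs.sh; say so here. Also `chmod +x create_vms-and-rgs.sh` should be `create-vms-and-rgs.sh`.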
--- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/arc-enable-vms.sh +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/arc-enable-vms.sh 
@@ -1,64 +1,62 @@ -resourceGroupforOnprem="mh-arc-onprem" -resourceGroupforArc="mh-arc-cloud" +resourceGroupforOnpremBase="mh-arc-onprem" +resourceGroupforArcBase="mh-arc-cloud" adminUsername="mhadmin" adminPassword="REPLACE-ME" -arcRegion="westeurope" triggerPolicyEvaluation=true - -# the script takes about 1:30 min per VM - -# before creating azure resource group, check if it already exists -if az group show --name $resourceGroupforArc &> /dev/null; then - echo "Resource group $resourceGroupforArc already exists." -else - echo "Creating resource group $resourceGroupforArc in $arcRegion" - az group create --name $resourceGroupforArc --location $arcRegion -fi - -#create service principal for arc onboarding -subscriptionId=$(az account show --query 'id' --output tsv) -tmp=$(az ad sp create-for-rbac --name "mh-arc-onboarding-sp" --role "Azure Connected Machine Onboarding" --scopes "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupforArc") -tenantId=$(echo $tmp | jq -r '.tenant') -servicePrincipalId=$(echo $tmp | jq -r '.appId') -clientSecret=$(echo $tmp | jq -r '.password') - -######## set ansible variables according to target environment --> parameters will be passed on via ansible command line ######## - -for yamlFile in ./*.yml; do - echo "Updating $yamlFile with service principal and resource group details" - sed -i "s|service_principal_id: '.*'|service_principal_id: '$servicePrincipalId'|g" "$yamlFile" - sed -i "s|service_principal_secret: '.*'|service_principal_secret: '$clientSecret'|g" "$yamlFile" - sed -i "s|resource_group: '.*'|resource_group: '$resourceGroupforArc'|g" "$yamlFile" - sed -i "s|tenant_id: '.*'|tenant_id: '$tenantId'|g" "$yamlFile" - sed -i "s|subscription_id: '.*'|subscription_id: '$subscriptionId'|g" "$yamlFile" - #sed -i "s|location: '.*'|location: '$LOCATION'|g" "$yamlFile" -done - - -# get all servers from the resource group where the onprem servers are mimicked -servers=$(az vm list -g $resourceGroupforOnprem | jq -c '.[]') - 
-# Loop through each VM in the servers array -for server in $servers; do - vm_name=$(echo $server | jq -r '.name') - vm_id=$(echo $server | jq -r '.id') - public_ip=$(az vm list-ip-addresses --name "$vm_name" --resource-group "$resourceGroupforOnprem" --query "[].virtualMachine.network.publicIpAddresses[0].ipAddress" --output tsv) - echo "Processing VM: $vm_name with ID: $vm_id" - - # Check if the current VM is a Windows OS - os_type=$(echo $server | jq -r '.storageProfile.osDisk.osType') - - if [ "$os_type" == "Windows" ]; then - echo "Starting Ansible playbook for Windows VM: $vm_name" - ansible-playbook onboard-win.yml -i "$public_ip," -e "ansible_user='$adminUsername' ansible_password='$adminPassword' ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_server_cert_validation=ignore" # azure_service_principal_id='$servicePrincipalId' azure_service_principal_secret='$clientSecret' azure_resource_group='$resourceGroupforArc' azure_tenant_id='$tenantId' azure_subscription_id='$subscriptionId'" - else - echo "Starting Ansible playbook for Linux VM: $vm_name" - ansible-playbook onboard-linux.yml -i "$public_ip," -e "ansible_user='$adminUsername' ansible_ssh_pass='$adminPassword' ansible_port=22 ansible_connection=ssh ansible_ssh_common_args='-o StrictHostKeyChecking=no'" # azure_service_principal_id='$servicePrincipalId' azure_service_principal_secret='$clientSecret' azure_resource_group='$resourceGroupforArc' azure_tenant_id='$tenantId' azure_subscription_id='$subscriptionId'" - fi - -done - -if [ "$triggerPolicyEvaluation" = true ]; then - echo "Triggering policy evaluation for Azure Arc enabled servers" - az policy state trigger-scan -g $resourceGroupforArc --no-wait -fi \ No newline at end of file +number_of_participants=10 + +# the script takes about 4:30 min per participant / 1:30 min per VM + +for i in $(eval echo {0..$(($number_of_participants-1))}) +do + resourceGroupforArc="$resourceGroupforArcBase-$i" + 
resourceGroupforOnprem="$resourceGroupforOnpremBase-$i" + + # create service principal for arc onboarding + subscriptionId=$(az account show --query 'id' --output tsv) + tmp=$(az ad sp create-for-rbac --name "mh-arc-onboarding-sp" --role "Azure Connected Machine Onboarding" --scopes "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupforArc") + tenantId=$(echo $tmp | jq -r '.tenant') + servicePrincipalId=$(echo $tmp | jq -r '.appId') + clientSecret=$(echo $tmp | jq -r '.password') + + ######## set ansible variables according to target environment --> parameters will be passed on via ansible command line ######## + + for yamlFile in ./*.yml; do + echo "Updating $yamlFile with service principal and resource group details" + sed -i "s|service_principal_id: '.*'|service_principal_id: '$servicePrincipalId'|g" "$yamlFile" + sed -i "s|service_principal_secret: '.*'|service_principal_secret: '$clientSecret'|g" "$yamlFile" + sed -i "s|resource_group: '.*'|resource_group: '$resourceGroupforArc'|g" "$yamlFile" + sed -i "s|tenant_id: '.*'|tenant_id: '$tenantId'|g" "$yamlFile" + sed -i "s|subscription_id: '.*'|subscription_id: '$subscriptionId'|g" "$yamlFile" + #sed -i "s|location: '.*'|location: '$LOCATION'|g" "$yamlFile" + done + + # get all servers from the resource group where the onprem servers are mimicked + servers=$(az vm list -g $resourceGroupforOnprem | jq -c '.[]') + + # loop through each VM in the servers array + for server in $servers; do + vm_name=$(echo $server | jq -r '.name') + vm_id=$(echo $server | jq -r '.id') + public_ip=$(az vm list-ip-addresses --name "$vm_name" --resource-group "$resourceGroupforOnprem" --query "[].virtualMachine.network.publicIpAddresses[0].ipAddress" --output tsv) + echo "Processing VM: $vm_name with ID: $vm_id" + + # check if the current VM is a Windows OS + os_type=$(echo $server | jq -r '.storageProfile.osDisk.osType') + + if [ "$os_type" == "Windows" ]; then + echo "Starting Ansible playbook for Windows VM: $vm_name" + 
ansible-playbook onboard-win.yml -i "$public_ip," -e "ansible_user='$adminUsername' ansible_password='$adminPassword' ansible_port=5985 ansible_connection=winrm ansible_winrm_transport=basic ansible_winrm_server_cert_validation=ignore" # azure_service_principal_id='$servicePrincipalId' azure_service_principal_secret='$clientSecret' azure_resource_group='$resourceGroupforArc' azure_tenant_id='$tenantId' azure_subscription_id='$subscriptionId'" + else + echo "Starting Ansible playbook for Linux VM: $vm_name" + ansible-playbook onboard-linux.yml -i "$public_ip," -e "ansible_user='$adminUsername' ansible_ssh_pass='$adminPassword' ansible_port=22 ansible_connection=ssh ansible_ssh_common_args='-o StrictHostKeyChecking=no'" # azure_service_principal_id='$servicePrincipalId' azure_service_principal_secret='$clientSecret' azure_resource_group='$resourceGroupforArc' azure_tenant_id='$tenantId' azure_subscription_id='$subscriptionId'" + fi + + done + + if [ "$triggerPolicyEvaluation" = true ]; then + echo "Triggering policy evaluation for Azure Arc enabled servers" + az policy state trigger-scan -g $resourceGroupforArc --no-wait + fi + +done \ No newline at end of file diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/create-and-onboard.sh b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/create-and-onboard.sh index b1000d3e9..ed0b4ea67 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/create-and-onboard.sh +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/demo-vm-onboarder/create-and-onboard.sh @@ -6,7 +6,7 @@ cd ../demo-vm-creator # create the VMs -./create_vms.sh +./create-vms-and-rgs.sh cd ../demo-vm-onboarder # onboard the VMs 
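Review bot: `az ad sp create-for-rbac --name "mh-arc-onboarding-sp"` now runs once per participant inside the loop with the same display name, so depending on CLI version you either get one app whose credentials are reset N times while its role assignments accumulate across all `mh-arc-cloud-$i` groups, or N identically named apps, and nothing deletes any of them afterwards. Create the service principal once before the loop and grant the per-participant scope with `az role assignment create --role "Azure Connected Machine Onboarding" --scope ...`, or use a per-participant name and add a teardown step. Second point, carried into the hunk as `+` lines: the `sed -i` block writes `service_principal_secret` (and tenant/subscription ids) into the tracked `*.yml` playbooks, so the secret lands on disk in the working tree and is one `git add` away from the repository; the commented-out `-e azure_service_principal_secret=...` extra-vars on the `ansible-playbook` lines already show the safer path. Lastly, the resource-group existence check was dropped, so a missing `mh-arc-cloud-$i` now surfaces only as a failed `create-for-rbac`; a short pre-check with `az group show` would give a clearer error, and `subscriptionId=$(az account show ...)` can move above the loop since it does not change per participant.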
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md index c3b264245..ffc30b834 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-1/solution.md @@ -8,7 +8,7 @@ Duration: 20 minutes Please ensure that you successfully verified the [General prerequisits](../../Readme.md#general-prerequisites) before continuing with this challenge. -### Task 1: Create Azure Resource Group +### Task 1: Create Azure Resource Group - not relevant for MicroHack participants Sign in to the [Azure Portal](https://portal.azure.com/). @@ -20,7 +20,7 @@ Sign in to the [Azure Portal](https://portal.azure.com/). * [Create Service Principal](https://learn.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale) -### Task 3: Enable Service providers +### Task 3: Enable Service providers - not relevant for MicroHack participants * Enable Azure Resource Provider [Azure Arc Azure resource providers](https://learn.microsoft.com/en-us/azure/azure-arc/servers/prerequisites#azure-resource-providers) diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.1_Monitor_Configure_Insights.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.1_Monitor_Configure_Insights.png new file mode 100644 index 000000000..bb9220003 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.1_Monitor_Configure_Insights.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.2_Monitor_enable_overview.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.2_Monitor_enable_overview.png new file mode 100644 index 000000000..d75522635 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.2_Monitor_enable_overview.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.3_Monitor_configuration_dcr_new.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.3_Monitor_configuration_dcr_new.png new file mode 100644 index 000000000..dca3a97a4 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.3_Monitor_configuration_dcr_new.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.4_Assign_Policy_Monitor_AMA.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.4_Assign_Policy_Monitor_AMA.png deleted file mode 100644 index bcddc2a9b..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.4_Assign_Policy_Monitor_AMA.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.4_Monitor_dcr_create.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.4_Monitor_dcr_create.png new file mode 100644 index 000000000..2954fc2f8 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.4_Monitor_dcr_create.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Assign_Policy_Monitor_AMA_remidiate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Assign_Policy_Monitor_AMA_remidiate.png deleted file mode 100644 index 96bf54b92..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Assign_Policy_Monitor_AMA_remidiate.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Monitor_view_metrics.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Monitor_view_metrics.png new file mode 100644 index 000000000..8407864f0 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.5_Monitor_view_metrics.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.6_Assign_Policy_Monitor_AMA_remidiate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.6_Assign_Policy_Monitor_AMA_remidiate.png deleted file mode 100644 index 31ff17c66..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.6_Assign_Policy_Monitor_AMA_remidiate.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.7_Assign_Policy_Monitor_AMA_remidiate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.7_Assign_Policy_Monitor_AMA_remidiate.png deleted file mode 100644 index 7b879493e..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/3.7_Assign_Policy_Monitor_AMA_remidiate.png and /dev/null differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.10_Update_Management.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.10_Update_Management.png deleted file mode 100644 index 6d43638a5..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.10_Update_Management.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.11_Update_Management.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.11_Update_Management.png deleted file mode 100644 index f19faeba8..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.11_Update_Management.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.1_Update_manger_update_settings.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.1_Update_manger_update_settings.png new file mode 100644 index 000000000..91ebe9a71 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.1_Update_manger_update_settings.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.2_Update_manager_change_enable_periodic_assessment.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.2_Update_manager_change_enable_periodic_assessment.png new file mode 100644 index 000000000..7c91bd049 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.2_Update_manager_change_enable_periodic_assessment.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.3_Update_Management_individual_trigger.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.3_Update_Management_individual_trigger.png new file mode 100644 index 000000000..619e1bd34 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.3_Update_Management_individual_trigger.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.4_Update_Management_individual_install.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.4_Update_Management_individual_install.png new file mode 100644 index 000000000..a565a434a Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/4.4_Update_Management_individual_install.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_CTI_individual.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_CTI_individual.png new file mode 100644 index 000000000..030f53855 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_CTI_individual.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_remediation_tasks.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_remediation_tasks.png deleted file mode 100644 index 64a809968..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.1_remediation_tasks.png and /dev/null differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.2_CTI_LAW_selection.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.2_CTI_LAW_selection.png new file mode 100644 index 000000000..ef57ef9ab Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.2_CTI_LAW_selection.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.9_Inventory.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.9_Inventory.png deleted file mode 100644 index 0ecb92e13..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/img/5.9_Inventory.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md index 12af3866d..5cf044715 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-2/solution.md @@ -13,7 +13,7 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen 1. Sign in to the [Azure Portal](https://portal.azure.com/). -2. Create a new Log Analytics Workspace called *mh-arc-servers-automation-law* with default settings in the same Resource Group. +2. Create a new Log Analytics Workspace called *mh-arc-servers-automation-law* with default settings in the your Resource Group. ![image](./img/5_CreateLAW.jpg) 
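Review bot: "in the your Resource Group" in the changed step 2 should read "in your Resource Group".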
@@ -28,7 +28,7 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen ![image](./img/2.2_Create_Data_Collection_Rule.png) -3. Name the Data Collection Rule *mh-dcr* select your subscription and *mh-rg* as ressource group and change the Region to *West Europe*. Change Platform Type to *All* and click *Next: Resources* to continue. +3. Name the Data Collection Rule *mh-dcr* select your subscription, set your ressource group and change the Region to *West Europe*. Change Platform Type to *All* and click *Next: Resources* to continue. ![image](./img/2.3_Create_Data_Collection_Rule_Basics.png) 
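Review bot: the rewritten step 3 keeps the "ressource group" misspelling (should be "resource group") and is missing a comma after *mh-dcr*: "Name the Data Collection Rule *mh-dcr*, select your subscription, set your resource group and change the Region to *West Europe*."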
@@ -43,127 +43,99 @@ Please ensure that you successfully passed [challenge 1](../../Readme.md#challen 7. Create the Data Collection Rule. -### Task 3: Enable Azure Monitor for Azure Arc enabled Servers with Azure Policy initiative +### Task 3: Enable Azure Monitor Insights for Azure Arc enabled Servers through the Azure portal (incl. Azure Monitoring Agent) +Enabling Azure Monitor insights automatically sets up the Azure Monitoring Agent (AMA) on the selected machines. It is also possible to set up AMA with custom data collection rules. This gives you fine-grained control over what data is collected and avoids the default configurations that come with VM Insights. To enable Azure Monitor Insights for arc enabled servers, follow the steps below. -1. Navigate to *Policy* using the top search bar and select *Assignments* in the left navigation pane. +1. Navigate to Azure Monitor by typing *Monitor* in the top search bar -2. Select *Assignments* in the left navigation pane and go to *Assign initiative* +2. In the navigation side bar, under *Insights*, select the *Virtual machines* tab and click on "Configure Insights" or "Overiew". -3. In this section you can now configure the assignment with the following settings and create the assignment: +![image](./img/3.1_Monitor_Configure_Insights.png) -- Scope: Please select your resource group -- Basics: Please search for *Enable Azure Monitor for Hybrid VMs with AMA* and select the initiative. -- Parameters: Please insert the Resource ID of the Data Collection Rule from Task 2. -- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. Don't check the box for "Create a remediation task" here, as it would only create a remediation task for the first policy within the policy initiative. We will do this in one of the next steps for all policies. -- Click *Review + create* and then *Create* +3. 
In the "Not monitored" tab, adjust the filter type to "arc machines" and resource group to only show your resource group -4. Please wait around 30 seconds until the creation of the assignment is complete. You should see that the initiative is assigned. Every new Azure Arc server will now automatically install the AMA and Dependency agents as well the necessary association with the data collection rule we created in task 2. Be aware that agent installation can take up to 60 Minutes. +4. For each machine, do the following: -![image](./img/3.4_Assign_Policy_Monitor_AMA.png) +5. In the tree view, click "enable" and then enable again int the pop up -5. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation task for each policy in the initiative to apply the policy to your existing Azure Arc Servers. Please select the Policy Assignment and select *Create Remediation Task*. +![image](./img/3.2_Monitor_enable_overview.png) -![image](./img/3.5_Assign_Policy_Monitor_AMA_remidiate.png) +6. Under data collection rule, click "Create New" -6. Accept the default values, check *Re-evaluate resource compliance before remediating* and repeat the remediation for the following policies: - - AzureMonitorAgent_Windows_HybridVM_Deploy - - AzureMonitorAgent_Linux_HybridVM_Deploy - - DependencyAgentExtension_AMA_Windows_HybridVM_Deploy - - DependencyAgentExtension_AMA_Linux_HybridVM_Deploy - - DataCollectionRuleAssociation_Windows - - DataCollectionRuleAssociation_Linux +![image](./img/3.3_Monitor_configuration_dcr_new.png) -![image](./img/3.6_Assign_Policy_Monitor_AMA_remidiate.png) +7. Create a new rule with an appropriate name, enable processes and dependencies and select your log analytics workspace you created earlier. Then click "Create" -7. 
In Policy > Remediation > Remediation Task, verify that all remediation completed successfully: +![image](./img/3.4_Monitor_dcr_create.png) -![image](./img/3.7_Assign_Policy_Monitor_AMA_remidiate.png) +8. to Verify the monitoring works, navigate to the Arc control pane and select your one of your enabled VMs. Navigate to the *Insights* tab to see the metrics for that virtual machine. -### Task 4: Enable and configure Update Management +![image](./img/3.5_Monitor_view_metrics.png) -1. Navigate to *Policy* using the top search bar and select *Assignments* in the left navigation pane. +### Task 4: Enable and configure Update Manager through the Azure portal +To enable periodic update checking with the Azure Update Manager through the Azure Portal, the following steps have to be completed: -2. Select *Assignments* in the left navigation pane and go to *Assign Policy* +1. Navigate to the Update manager by typing *Azure Update Manager* in the top search bar -3. In this section you can now configure the assignment with the following settings and create the assignment: +2. Under the resource category, select the *Machines* tab in the side navigation bar. -- Scope: Please select the resource group called *mh-arc-servers-rg* -- Basics: Please search for *Configure periodic checking for missing system updates on azure Arc-enabled servers* and select the policy. As *Assignment name* append *(Windows)* -- Parameters: Skip, and keep defaults (which targeting Windows guest OS.) -- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. -- Click *Review + create* and then *Create* +3. Filter by resource type and select "Arc-enabled servers" and your resource group -4. Please wait a few seconds until the creation of the assignment is complete. You should see that the policy is assigned. +4. Select all servers with a checkbox and click on "Update settings". Click on confirm in the pop-up dialouge -5. 
Repeat step 3 and 4 for the policy definition *Configure periodic checking for missing system updates on azure Arc-enabled servers*, apply the same configuration as in step 3 but this time unselect the checkbox at *Only show parameters that need input or review*, and change OS Type to *Linux*. Also append *(Linux)* in the *Assignment name* field. +![image](./img/4.1_Update_manger_update_settings.png) -6. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation task to trigger the DeployIfNotExists effect of the policy to your Azure Arc Servers. Please select the policy assignment and select *Create Remediation Task*. +5. In the wizard, select "enable" in the periodic assessment column for all servers and confirm by pressing "save". -7. Accept the default values, check *Re-evaluate resource compliance before remediating* and repeat the remediation for the following policies: - - Configure periodic checking for missing system updates on azure Arc-enabled servers (Windows) - - Configure periodic checking for missing system updates on azure Arc-enabled servers (Linux) +![image](./img/4.2_Update_manager_change_enable_periodic_assessment.png) -8. Verify that all remediation were successful. +To verify your new settings you can either check one or multiple servers. To select one machine: -9. Navigate to Azure Arc, select Servers, repeat step 10 for your your Windows and Linux Server. +1. Navigate to *Azure Arc* using the top search bar and select a machine. Within the overview panel, on the sidebar select *Updates*. If there are no update information dispayed yet, click *Check for updates* and wait until missing updates appear. Then click on *One-time update* or *Schedule updates* if you would like to postpone the installation to a later point in time. (follow the wizzard). -10. Select Updates. If there are no update information dispayed yet, click *Check for updates* and wait until missing updates appear. 
Then click on *One-time update* or *Schedule updates* if you would like to postpone the installation to a later point in time. (follow the wizzard). +![image](./img/4.3_Update_Management_individual_trigger.png) -![image](./img/4.10_Update_Management.png) +2. After applying the updates point-in-time or via scheduler you should see the updates being installed on the system. -11. After applying the updates point-in-time or via scheduler you should see the updates beeing installed on the system. +![image](./img/4.4_Update_Management_individual_install.png) -![image](./img/4.11_Update_Management.png) +Or to verify the new settings for all machines: -### Task 5: Enable Change Tracking and Inventory +1. Navigate to the Update manager by typing *Azure Update Manager* in the top search bar -In order to use the built-in policy initiative to enable *Change Tracking and Inventory* feature, we first need to create a special data collection rule. At the time of authoring this solution walkthrough, this is not possible using the Azure portal. But you can use the ARM template here: [/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/ChangeTracking/template-DCR-ChangeTracking.json](../../resources/ChangeTracking/template-DCR-ChangeTracking.json) to create this data collection rule. +2. Check for pending Updates in the *Pending Updates* overview - if there are none, follow the steps below -In the custom ARM template, provide the following parameters: -| *Parameter* | *Value* | -|---------------------------------------|---------------------------| -| Resource group | mh-arc-servers-rg | -| Data Collection Rule | leave the Default | -| Log Analytics_workspace_ResourceId |
i.e. /subscriptions/<*your-subscription-guid*>/resourcegroups/mh-arc-servers-rg/providers/microsoft.operationalinsights/workspaces/mh-arc-la| +3. Under the *Machines* tab, filter for and then select all arc-enabled machines -In your command shell, navigate to the folder where the template is located and execute the following command: +4. Click on *Check for updates* -``` - az deployment group create -g 'mh-arc-servers-rg' --template-file template-DCR-ChangeTracking.json --parameters workspaceResourceId='/subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/' -``` +5. The identified updates can be found after the operations completes in the navigation bar under *Pending updates* -Check whether the change tracking data collection rule as been created successfully and note the resource id (you will need it during the policy initiative assignment). Then create the policy assignment following these steps: +### Task 5: Enable Change Tracking and Inventory through the Azure portal +To enable change tracking and inventory, we can use the azure portal. There are multiple ways to enable it and the following will describe two possible options. Firstly, it can be enabled for individual arc enabled machines: -1. Navigate to *Policy* using the top search bar and select *Assignments* in the left navigation pane. +1. Select an arc-enabled server in your resource group -2. Select *Assignments* in the left navigation pane and click *Assign initiative* +2. In the side panel under *Operations*, select > *Inventory* and input the previously created log analytics workspace. You might need to first select the correct azure region to see a list of all log analytics workspaces in that region. -3. In this section you can now configure the assignment with the following settings and create the assignment: +3. 
Click on *Enable* and wait for the option to complete -- Scope: Please select the resource group called *mh-arc-servers-rg* -- Basics: Please search for *Enable ChangeTracking and Inventory for Arc-enabled virtual machines* and select the initiative. -- Parameters: As *Data Collection Rule Resource Id* provide the resourceId of the data collection rule you just created in the beginning of this task - i.e. */subscriptions/<*your-subscription-guid*>/resourceGroups/mh-arc-servers-rg/providers/Microsoft.Insights/dataCollectionRules/DCR-ChangeTracking*. -- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. You do NOT check the box for "Create a remediation task" at this point in time, as it would only create one of the six required. We will do this in one of the next steps. +4. Repeat the same steps in the interface under *Operations* > *Change Tracking*. Important: If the previous operation from step three did not complete yet, you will recieve an error when you enable the extension. ("Wait, An extension of type AzureMonitorLinuxAgent is still processing. Only one instance of an extension may be in progress at a time for the same resource") -4. Please wait a few seconds until the creation of the assignment is complete. You should see that the policy is assigned. +![image](./img/5.1_CTI_individual.png) -5. Important: Both machines were already onboarded earlier. As a result, you need to create a remediation tasks to apply all policies within the initiative to your Azure Arc Servers. Please select the Initiative Assignment and select *Create Remediation Task* for each policy. -![image](./img/5.1_remediation_tasks.png) +Change Tracking and inventory can also be enabled through the portal for for multiple machines at once: -6. 
Accept the default values, check *Re-evaluate resource compliance before remediating* and repeat the remediation for the following policies: - - DeployAMALinuxHybridVMWithUAIChangeTrackingAndInventory - - DCRALinuxHybridVMChangeTrackingAndInventory - - DeployChangeTrackingExtensionLinuxHybridVM - - DeployChangeTrackingExtensionWindowsHybridVM - - DeployAMAWindowsHybridVMWithUAIChangeTrackingAndInventory - - DCAWindowsHybridVMChangeTrackingAndInventory +1. Navigate to *Change Tracking and Inventory* using the top search bar and select *Arch enabled Machines* in the filter settings. -8. Verify that all remediation were successful. This might take multiple minutes (or even hours). +1. Use the checkboxes to select all machines you want to enable change tracking for and then click on *Enable Change Tracking & Inventory* in the row over the filter settings. -9. Navigate to Azure Arc, select Servers, followed by selecting your Windows Server. Select Inventory. Please be aware that generating the initial inventory takes multiple Minutes/hours. After a while the white page should show values. +3. Confirm your selection in the dialogue box. In the next screen of the wizard, make sure to change all the log analytics workspaces to the one you created previously by selecting the right region and picking your LAW from the dropdown. Confirm by clickng on the enable button in the wizard. -![image](./img/5.9_Inventory.png) +4. Wait for the deployment to finish and verify the machines showing up in the overview in side panel *Inventory*. In the panel *Change tracking*, you will not see any entries, until you start changing files on your previously added servers + +![image](./img/5.2_CTI_LAW_selection.png) ### Task 6: Enable VM Insights 
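Review bot: The list structure in the replacement text is off in two places: Task 5's multi-machine list is numbered 1, 1, 3, 4, and Task 3's step 4 ("For each machine, do the following:") followed by a top-level "5. In the tree view, click ..." reads as nesting that the numbering does not express, so renumber the Task 5 list 1 to 4 and either indent Task 3's steps 5 to 7 as sub-steps of step 4 or fold step 4's lead-in into step 5. The hunk also deletes the policy-initiative path, the remediation-task list and the `az deployment group create` command for the Change Tracking DCR without any pointer to where the at-scale approach now lives; if it moved elsewhere, a one-line cross reference here would help readers who used the old walkthrough. Spelling to fix in the added lines: "Overiew", "int the pop up", "dialouge", "dispayed", "wizzard", "recieve", "Arch enabled Machines", "for for", "clickng". Keep the quoted "Only one instance of an extension may be in progress" error in Task 5 step 4; it is the symptom readers will actually hit when they do not wait for step 3.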
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/img/1.3_Assing_KeyVault_permissions.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/img/1.3_Assing_KeyVault_permissions.png new file mode 100644 index 000000000..d9da28c5a Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/img/1.3_Assing_KeyVault_permissions.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/img/3_Assign_KeyVault_permissions.jpg b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/img/3_Assign_KeyVault_permissions.jpg deleted file mode 100644 index 161d68630..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/img/3_Assign_KeyVault_permissions.jpg and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md index 8e46dd58e..364c617bc 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-3/solution.md @@ -14,7 +14,7 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen ![image](./img/1_new_KV.png) -2. Create the Azure Key Vault in your resource group *mh-arc-servers-rg* with default settings and call it *mh-arc-servers-kv* with a random number at the end as the name needs to be unique across all Azure Key Vaults. +2. Create the Azure Key Vault in your resource group with default settings and call it *mh-arc-servers-kv* with a random number at the end as the name needs to be unique across all Azure Key Vaults. ![image](./img/2_KV_settings.jpg) 
@@ -22,18 +22,20 @@ Please ensure that you successfully passed [challenge 2](../../Readme.md#challen ### Task 2: Create a new secret in your Key Vault -1. After the creation navigate to the Azure Key Vault and assign the *Secret Management* template to the managed identity of your Linux Azure Arc-enabled server. +1. After the creation navigate to the Azure Key Vault, select *Access control (IAM)* on the left control pane and assign your own user the *Key Vault Secrets Officer* role. This is necesarry to create secrets in the next step. -![image](./img/3_Assign_KeyVault_permissions.jpg) +2. Now assign the role *Key Vault Secrets User* to the managed identity of your Linux Azure Arc-enabled server. -2. Create a new secret called *kv-secret* and give it a value like *This-is-top-secret!!!*. +![image](./img/1.3_Assing_KeyVault_permissions.png) + +3. Create a new secret called *kv-secret* and give it a value like *This-is-top-secret!!!*. You might need to wait several minutes for role assignments from Step 1. to become effective ![image](./img/4_Create_Secret.png) ### Task 3: Call the secret without providing any credentials -1. Connect via SSH to the Virtual Machine *microhack-arc-servers-lin01*. +1. Connect via SSH to the virtual Machine running linux 2. Elevate your privileges using the following command: 
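Review bot: Step 3 tells the reader to wait for "role assignments from Step 1." but the assignment the next task depends on, *Key Vault Secrets User* for the server's managed identity, is step 2, so write "steps 1 and 2". Splitting *Key Vault Secrets Officer* for the user from *Key Vault Secrets User* for the Arc server's identity is the right least-privilege choice over the old "Secret Management template", but it presupposes that the vault's permission model is Azure role-based access control rather than vault access policies; state that next to task 1's "default settings" so a vault created with access policies does not leave the role assignments silently ineffective. Typo: "necesarry"; and "virtual Machine running linux" should be "virtual machine running Linux".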
@@ -47,92 +49,48 @@ sudo -i apt-get -y install jq ``` -4. Request an access token for the Key Vault using the following command: - +4. Request an access token for the Key Vault. With the access token, you can call the Azure Key Vault instance to retrieve the secret from the previous task. The below script can be used ```shell -ChallengeTokenPath=$(curl -s -D - -H Metadata:true "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fmanagement.azure.com" | grep Www-Authenticate | cut -d "=" -f 2 | tr -d "[:cntrl:]") -ChallengeToken=$(cat $ChallengeTokenPath) -if [ $? -ne 0 ]; then - echo "Could not retrieve challenge token, double check that this command is run with root privileges." -else - AccessToken=$(curl -s -H Metadata:true -H "Authorization: Basic $ChallengeToken" "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource=https%3A%2F%2Fvault.azure.net") -fi -``` +#!/bin/sh - > **Note** - > For Windows machines you can use the following command: - -```powershell - Function Get-AzureArcToken { - [cmdletbinding()] - param( - [string]$ResourceURI - ) - # Build up URL - $SafeString = [System.Net.WebUtility]::URLEncode($ResourceURI) - $URI = "http://localhost:40342/metadata/identity/oauth2/token?api-version=2019-11-01&resource={0}" -f $SafeString - # Get Arc API Token - try { - Invoke-WebRequest -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true" } -Verbose:0 - } - catch { - $script:response = $_.Exception.Response - } - - # Extract the path to the challenge token - $tokenpath = $script:response.Headers["WWW-Authenticate"].TrimStart("Basic realm=") - - # Read the token - $token = Get-Content $tokenpath - - # Acquire and return Access Token - Invoke-RestMethod -UseBasicParsing -Uri $uri -Headers @{ Metadata = "true"; Authorization = "Basic $token" } - } -``` +VAULT_NAME="REPLACE-ME" +SECRET_NAME="REPLACE-ME" +CHALLENGE_TOKEN_PATH=$(curl -s -D - -H Metadata:true 
"http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2021-02-01&resource=https://vault.azure.net" \ + | grep -i "Www-Authenticate" \ + | cut -d "=" -f 2 \ + | tr -d '[:cntrl:]') -> **❗Hint:** -> The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` +CHALLENGE_TOKEN=$(cat "$CHALLENGE_TOKEN_PATH") +if [ -z "$CHALLENGE_TOKEN" ]; then + echo "Could not retrieve challenge token. Are you running as root?" + exit 1 +fi -4. Verify that you received an access token using the following command: +ACCESS_TOKEN_RESPONSE=$(curl -s -H Metadata:true -H "Authorization: Basic $CHALLENGE_TOKEN" \ + "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2021-02-01&resource=https://vault.azure.net") -```shell -token=$(echo "$AccessToken" | jq -r '.access_token') -echo $token -``` -You should see the access token in the output. In addition, the result is saved in the variable *token* for the next step. +ACCESS_TOKEN=$(echo "$ACCESS_TOKEN_RESPONSE" | jq -r '.access_token') -5. Now, it's time to call the Azure Key Vault instance to retrieve the secret from the previous task. +if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then + echo "Failed to retrieve access token:" + echo "$ACCESS_TOKEN_RESPONSE" + exit 1 +else + echo "Access token retrieved successfully." 
+ echo "$ACCESS_TOKEN" + echo +fi -```shell -curl 'https://mh-arc-servers-kv0815.vault.azure.net/secrets/kv-secret?api-version=2016-10-01' -H "Authorization: Bearer $token" +curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \ + "https://${VAULT_NAME}.vault.azure.net/secrets/${SECRET_NAME}?api-version=7.3" ``` > **❗Hint:** -> Please make sure to call your instance of Key Vault and adjust the name in the above command accordingly. +> The above request connects to the Azure Instance Metadata Service to retrieve an access token for the managed identity of your Azure Arc-enabled server. By default, the IMDS is accessible via 169.254.169.254 from Azure VMs. Azure Arc-enabled servers need to use 127.0.0.1 to proxy the request with the Azure Arc agent to Azure.` ![image](./img/5_result_secret.png) - > **Note** - > For Windows machines you can use the following command: - -```powershell - # Get an Azure KeyVault Access Token with new Function - $AccessToken = Get-AzureArcToken -ResourceURI 'https://vault.azure.net' - # Setup Query Attributes - $Query = @{ - # URI of the specific secret we want - Uri = "https://mh-arc-servers-kv2212.vault.azure.net/secrets/test?api-version=7.1" - Method = "Get" - Headers = @{ - Authorization = "Bearer $($AccessToken.access_token)" - } - } - - # Retrieve Secrets - Invoke-RestMethod @Query | Select-Object -ExpandProperty Value | fl * -``` - Congratulations! You retrieved the secret from your Key Vault without providing any credentials. The resulting possibilities are limitless. You can use it for managing certificates or any secret that is necessary to run your on-premises application. You successfully completed challenge 3! 🚀🚀🚀 
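Review bot: The script prints the complete bearer token to stdout (`echo "$ACCESS_TOKEN"`) right after the success message; a Key Vault access token in terminal scrollback or a session log is a credential exposure, so keep the token in the variable and print only the success line, or at most a short prefix. Secondary points in the same hunk: the final `curl` does not check the HTTP status, so a 403 from a role assignment that has not propagated yet (task 2 step 3 warns about that delay) prints an error JSON that looks like a result; add `-f` or inspect the response before treating it as the secret. "The below script can be used" needs a full stop and a blank line before the fence so the code block renders, and the hint block still ends with the stray backtick in "to Azure.`" carried over from the old text. The Windows variant (`Get-AzureArcToken` and the `Invoke-RestMethod` call) is removed entirely; if Windows readers are no longer targeted in this task, say so in its intro rather than leaving the "3 virtual machines" setup unexplained here.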
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/1.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/1.png deleted file mode 100644 index 72bc7e5dc..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/1.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/2.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/2.png deleted file mode 100644 index 874577116..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/2.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/3.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/3.png deleted file mode 100644 index 2074bb5be..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/3.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/4.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/4.png deleted file mode 100644 index f851681c7..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/4.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/5.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/5.png deleted file mode 100644 index db64a41eb..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/5.png and /dev/null differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/6.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/6.png deleted file mode 100644 index b273b3f06..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/6.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/7.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/7.png deleted file mode 100644 index bf3f015fa..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/7.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image.png diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image2.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image2.png new file mode 100644 index 000000000..9d387cbd5 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image2.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image3.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image3.png new file mode 100644 index 000000000..3b8712dca Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image3.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image4.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image4.png new file mode 100644 index 000000000..b87887744 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image4.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image5.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image5.png new file mode 100644 index 000000000..de0dda4fe Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image5.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image6.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image6.png new file mode 100644 index 000000000..dfce56206 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image6.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image7.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image7.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image7.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/img/image7.png diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/solution.md index 49df1f79b..c3a683789 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/solution.md 
+++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-4/solution.md 
@@ -1,33 +1,55 @@ -# Walkthrough Challenge 4 - Microsoft Defender for Cloud integration with Azure Arc +# Walkthrough Challenge 4 - Best Practices Assessment for Windows Server -Duration: 30 minutes +Duration: 20 minutes + +[Previous Challenge Solution](../challenge-4/solution.md) - **[Home](../../Readme.md)** -[Previous Challenge Solution](../challenge-3/solution.md) - **[Home](../../Readme.md)** - [Next Challenge Solution](../challenge-5/solution.md) ## Prerequisites -Please ensure that you successfully passed [challenge 3](../../Readme.md#challenge-3) before continuing with this challenge. +Please ensure that you successfully passed [challenge 2](../../Readme.md#challenge-3) before continuing with this challenge, as we need a Log Analytics Workspace for this feature. + + +## Task 1: Set up the Best Practices Assessment for a Windows server + +1. Browse to the Azure Arc [Machines overview](https://portal.azure.com/#view/Microsoft_Azure_ArcCenterUX/ArcCenterMenuBlade/~/servers) +2. Click one of your Windows 2016 (or later) machines +3. In the left pane, select "Windows Management" and then "Best Practices Assessment (preview)" +4. Click "Attest to your license type" in the blue overlay +![alt text](img/image6.png) +4. Check the "Activate Azure benefits" box and click "Confirm" to enable the Azure Benefits for this machine. This may take up to 10 minutes. Go back to the page of step 3. +![alt text](img/image7.png) +4. Click the "Get Started" button. A blade will open on the right. +![alt text](img/image.png) +5. Select your ressoruce group and priviously created Log Analytics Workspace +6. Let the validation check and confirm via "Set up" +![alt text](img/image2.png) +7. Wait for the deployment to go through. This may take up to 15 minutes. Feel free to continue with another challenge in the meantime. 
+![alt text](img/image3.png) +### + + + +## Task 2: Start the assessment -### Task 1: Check and collect the Log Analytics workspace from [Challenge 2](../challenge-2/solution.md) +1. Click "Go to resource" after the deployment has finished to move back to the Windows Server we're working on +2. In the left pane, select "Windows Management" and then "Best Practices Assessment (preview)" +![alt text](img/image4.png) +3. Click the "Run assessment" at the top of the page (you might get a message it's already processing) +4. Running the assessment for the first time takes upward to 4 hours for the assessment to run and provide results. Please continue with the next challenge and feel free to come back later. -### Task 2: Configure Defender for Cloud -* Enable Defender for Server -* Click on Upgrade -![image](./img/1.png) -* Verify -![image](./img/2.png) -* Check that the Defender for Servers Plan 2 is enabled -![image](./img/3.png) -![image](./img/4.png) -* Configure autodeployment of the AMA agent -![image](./img/5.png) -![image](./img/6.png) +### -### Task 3: Check that the server is visible in the inventory with all checks green. +**Congratulations**! You successfully completed this challenge! 🚀🚀🚀 +### -![image](./img/7.png) -Congratulations! You secured any server which is outside of Azure and onboarded via Azure Arc. -You successfully completed challenge 4! 🚀🚀🚀 +## Optional Steps: +1. You can take a look at the installed extensions that were deployed when setting up the BPA by navigating to your server and clicking "Settings" -> "Extensions" in the left navigation blade: + - AzureMonitorWindowsAgent + - assessmentplatform + - windowsserverassessment + ![alt text](img/image5.png) +2. Please come back later to review the output of the assessment once it has finished. \ No newline at end of file 
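Review bot: Two links in the added text are wrong: the "Previous Challenge Solution" link points at `../challenge-4/solution.md`, which is this file itself (it should be `../challenge-3/solution.md`), and the prerequisites sentence says "challenge 2" while linking `#challenge-3`. Task 1 numbers three consecutive steps "4."; renumber the list 1 to 9. Typos: "ressoruce", "priviously"; "takes upward to 4 hours for the assessment to run" should read "can take up to 4 hours"; the three bare `###` lines render as empty headings and should be removed; and the file now ends without a trailing newline.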
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image1.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image1.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image1.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image1.png diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image2.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image2.png index 9d387cbd5..e24580798 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image2.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image2.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image3.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image3.png index 3b8712dca..a4d05b82e 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image3.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image3.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image4.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image4.png index b87887744..cbb991c22 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image4.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image4.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image5.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image5.png index de0dda4fe..925140313 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image5.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image5.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image6.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image6.png index dfce56206..c302d71d0 100644 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image6.png and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/img/image6.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md index 39f7f9cbe..fedaabfaa 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-5/solution.md 
@@ -1,55 +1,47 @@ -# Walkthrough Challenge 5 - Best Practices Assessment for Windows Server +# Walkthrough Challenge 5 - Activate ESU for Windows Server 2012 R2 -Duration: 20 minutes +Duration: 15 minutes -[Previous Challenge Solution](../challenge-4/solution.md) - **[Home](../../Readme.md)** +[Previous Challenge Solution](../challenge-5/solution.md) - **[Home](../../Readme.md)** -## Prerequisites +## Task 1: Create a Windows Server ESU license -Please ensure that you successfully passed [challenge 2](../../Readme.md#challenge-3) before continuing with this challenge, as we need a Log Analytics Workspace for this feature. - - -## Task 1: Set up the Best Practices Assessment for a Windows server - -1. Browse to the Azure Arc [Machines overview](https://portal.azure.com/#view/Microsoft_Azure_ArcCenterUX/ArcCenterMenuBlade/~/servers) -2. Click one of your Windows 2016 (or later) machines -3. In the left pane, select "Windows Management" and then "Best Practices Assessment (preview)" -4. Click "Attest to your license type" in the blue overlay -![alt text](img/image6.png) -4. Check the "Activate Azure benefits" box and click "Confirm" to enable the Azure Benefits for this machine. This may take up to 10 minutes. Go back to the page of step 3. -![alt text](img/image7.png) -4. Click the "Get Started" button. A blade will open on the right. -![alt text](img/image.png) -5. Select your ressoruce group and priviously created Log Analytics Workspace -6. Let the validation check and confirm via "Set up" -![alt text](img/image2.png) -7. Wait for the deployment to go through. This may take up to 15 minutes. Feel free to continue with another challenge in the meantime. -![alt text](img/image3.png) +1. Navigate to the Azure Arc center and click "Licenses" and "Windows Server ESU licenses" (or click [here](https://portal.azure.com/#view/Microsoft_Azure_ArcCenterUX/ArcCenterMenuBlade/~/license)) +2. Click "Create" on the top bar. A new blade will open. +3. 
Fill in the required field: + - Subscription and Resource group (where you created your previous objects) + - A license name - should only contain letters (both uppercase and lowercase), digits, hyphens, underscores, and periods. Consecutive dots are not allowed. + - Select "Activate now" (you could create one with "Activate later" but cannot attach it to a server then) + - Keep "West Europe" as the selected region + - Select virtual cores with 8 total + - De-select the "Have an invoice?" checkbox at the bottom + - Make sure the Software Assurance box is checked, and then click "Create" + ![alt text](img/image1.png) + ![alt text](img/image2.png) + - Wait a couple of moments and click "Refresh" in the license overview. Your new item will apprear: + ![alt text](img/image3.png) ### -## Task 2: Start the assessment +## Task 2: Attach the ESU license to the server: -1. Click "Go to resource" after the deployment has finished to move back to the Windows Server we're working on -2. In the left pane, select "Windows Management" and then "Best Practices Assessment (preview)" +1. Navigate to the Azure Arc center and click "Licenses" and "Windows Server ESU licenses" (or click [here](https://portal.azure.com/#view/Microsoft_Azure_ArcCenterUX/ArcCenterMenuBlade/~/license)) +2. Click "Eligible resources" on the top to get a list of Arc enabled server that are eligible to use an ESU license +3. Select your Windows 2012 server and click "Enable ESUs" ![alt text](img/image4.png) -3. Click the "Run assessment" at the top of the page (you might get a message it's already processing) -4. Running the assessment for the first time takes upward to 4 hours for the assessment to run and provide results. Please continue with the next challenge and feel free to come back later. +4. Select "Virtual Cores" which will then allow you to select your previously created license +![alt text](img/image5.png) +5. Click "Enable" to attach the license to the server +6. 
The overview, once refreshed, will now report the server es ESU enabled -### - -**Congratulations**! You successfully completed this challenge! 🚀🚀🚀 -### + ![alt text](img/image6.png) -## Optional Steps: +### +**Congratulations!** You successfully completed the challenge! 🚀🚀🚀 -1. You can take a look at the installed extensions that were deployed when setting up the BPA by navigating to your server and clicking "Settings" -> "Extensions" in the left navigation blade: - - AzureMonitorWindowsAgent - - assessmentplatform - - windowsserverassessment - ![alt text](img/image5.png) -2. Please come back later to review the output of the assessment once it has finished. \ No newline at end of file +### Optional Steps: +1. Check for Windows Updates and observe that new security rollups are being downloaded and installed \ No newline at end of file diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignment.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignment.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignment.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignment.png diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentBasics.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentBasics.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentBasics.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentBasics.png 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentMessage.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentMessage.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentMessage.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentMessage.png diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentParameters.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentParameters.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentParameters.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentParameters.png diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentRemediation.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentRemediation.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentRemediation.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentRemediation.png 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentReview.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentReview.png similarity index 100% rename from 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/PolicyAssignmentReview.png rename to 03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/PolicyAssignmentReview.png diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image2.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image2.png deleted file mode 100644 index e24580798..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image2.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image3.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image3.png deleted file mode 100644 index a4d05b82e..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image3.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image4.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image4.png deleted file mode 100644 index cbb991c22..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image4.png and /dev/null differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image5.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image5.png deleted file mode 100644 index 925140313..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image5.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image6.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image6.png deleted file mode 100644 index c302d71d0..000000000 Binary files a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/img/image6.png and /dev/null differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/solution.md index 770d23d64..796b7c708 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-6/solution.md 
@@ -1,47 +1,144 @@ -# Walkthrough Challenge 6 - Activate ESU for Windows Server 2012 R2 +# Walkthrough Challenge 6 - Azure Automanage Machine Configuration -Duration: 15 minutes +Duration: 30 minutes -[Previous Challenge Solution](../challenge-5/solution.md) - **[Home](../../Readme.md)** +## Action 1: Create an Azure Policy Guest Configuration for your Azure Arc VMs +### Setup a Policy that checks if the user "FrodoBaggins" is part of the local administrators group -## Task 1: Create a Windows Server ESU license -1. Navigate to the Azure Arc center and click "Licenses" and "Windows Server ESU licenses" (or click [here](https://portal.azure.com/#view/Microsoft_Azure_ArcCenterUX/ArcCenterMenuBlade/~/license)) -2. Click "Create" on the top bar. A new blade will open. -3. Fill in the required field: - - Subscription and Resource group (where you created your previous objects) - - A license name - should only contain letters (both uppercase and lowercase), digits, hyphens, underscores, and periods. Consecutive dots are not allowed. - - Select "Activate now" (you could create one with "Activate later" but cannot attach it to a server then) - - Keep "West Europe" as the selected region - - Select virtual cores with 8 total - - De-select the "Have an invoice?" checkbox at the bottom - - Make sure the Software Assurance box is checked, and then click "Create" - ![alt text](img/image1.png) - ![alt text](img/image2.png) - - Wait a couple of moments and click "Refresh" in the license overview. Your new item will apprear: - ![alt text](img/image3.png) -### +1. Please navigate to Azure Policy. +2. Navigate to *Assignments* in the left navigation pane and select *Assign policy* in the top menu. + ![PolicyAssignment.png](./img/PolicyAssignment.png) -## Task 2: Attach the ESU license to the server: +3. In this section you can now configure the assignment with the following settings and create the assignment: -1. 
Navigate to the Azure Arc center and click "Licenses" and "Windows Server ESU licenses" (or click [here](https://portal.azure.com/#view/Microsoft_Azure_ArcCenterUX/ArcCenterMenuBlade/~/license)) -2. Click "Eligible resources" on the top to get a list of Arc enabled server that are eligible to use an ESU license -3. Select your Windows 2012 server and click "Enable ESUs" -![alt text](img/image4.png) -4. Select "Virtual Cores" which will then allow you to select your previously created license -![alt text](img/image5.png) -5. Click "Enable" to attach the license to the server -6. The overview, once refreshed, will now report the server es ESU enabled +- Scope: Please select the resource group called *mh-arc-servers-rg* +- Policy Definition: Please search for *administrators group* and select *Audit Windows machines missing any of the specified members in the Administrators group*. +- Parameters: Please ensure to set *Include Arc connected servers* to *true and *Members to include* to *FrodoBaggins*. - ![alt text](img/image6.png) + ![PolicyAssignmentBasics.png](./img/PolicyAssignmentBasics.png) + ![PolicyAssignmentParameters.png](./img/PolicyAssignmentParameters.png) + > **Note** + > This example does not include remediation. If you want to learn more on how to use guest configuration to remediate the state of your servers please refer to [Remediation options for guest configuration](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration-policy-effects). + + +4. On Non-Compliance Message you can create a custom message that may contain additional information like link to internal documentation or just an explaination why this policy is set. -### -**Congratulations!** You successfully completed the challenge! 🚀🚀🚀 + ![PolicyAssignmentMessage.png](./img/PolicyAssignmentMessage.png) -### Optional Steps: -1. Check for Windows Updates and observe that new security rollups are being downloaded and installed \ No newline at end of file +5. 
Review the policy assignment and select *Create*. + + ![PolicyAssignmentReview.png](./img/PolicyAssignmentReview.png) + +6. After a few minutes you will be able to see the compliance state of your Windows-based servers. + +## Action 2: Create an Machine Configuration + +### Setup a Machine Configuration that creates a registry key + +Find the needed DSC Configuration in the following powershell code block + +```powershell +Configuration AddKey { + Import-DscResource -ModuleName 'PSDscResources' + + Node localhost { + Registry EnvironmentDSCKey { + Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\EnvironmentKeyDSC' + Ensure = 'Present' + ValueName = '' + } + } +} + +AddKey +``` + +#### Optional Steps: + +1. Set up your Authoring Environment for DSC +2. Create DSC Config and Corresponding MOF File +3. Create the zip file for the Machine Configuration + +As this MicroHack focuses on the Arc and Hybrid those Steps are optional and you can also use the prepared zip file from the repository. +Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/AddKey.zip) + +### Create the Machine Configuration as Azure Policy + +1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions. + + > **Warning** + > The following commands cannot be run from Azure Cloud Shell! Please use a local Powershell. + > To install the required modules use: + > ```powershell + > Install-Module -Name Az -Repository PSGallery -Force + > Install-Module -Name GuestConfiguration -Repository PSGallery -Force + > ``` + + + > **Note** + > You will need at least the *Storage Blob Data Contributor* role to be able to upload the file. + + > **Note** + > The expiry date needs be to less than 7 days in the future. 
+ + ```powershell + #Define your environment + $storageAccountName = "uniquestorageaccname" + $containerName = "containername" + $fileName = "AddKey.zip" + $expiratioNDate = "2023-12-30T00:00:00Z" + + #Establish storage account context + $ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount + + #Upload the file to your storage account + $Blob1HT = @{ + File = $fileName # Change path if your file is not in the same directory as the script + Container = $containerName + Blob = $fileName + Context = $ctx + StandardBlobTier = 'Hot' + } + Set-AzStorageBlobContent @Blob1HT -Force + + #Create the SAS to access the file later + $sas = New-AzStorageBlobSASToken -Context $ctx -Container $containerName -Blob $fileName -Permission r -ExpiryTime $expiratioNDate -FullUri + ``` + +3. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions. + > **Note** + > Depending on your machine configuration, this might need to be executed with local administrative privileges. + ```powershell + #Define your environment + $name = "AddKey Policy" + $tenantId = "" #Tenant ID is the ID of the Root Management Group, or any other Management Group ID of your choice + + #Define Policy Parameters + $PolicyConfig = @{ + PolicyId = (New-Guid).guid + ContentUri = $sas + DisplayName = $name + Description = $name + Path = '.\policies\' + Platform = 'Windows' + PolicyVersion = "1.0.0" + Mode = 'ApplyAndAutoCorrect' + } + + # Create the policy definition file + $configurationPolicy = New-GuestConfigurationPolicy @PolicyConfig + + # Create new policy from definition file + New-AzPolicyDefinition -Name $name -Policy $configurationPolicy.Path -ManagementGroupName $tenantID + ``` +4. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below. 
+ + ![PolicyAssignmentRemediation.png](./img/PolicyAssignmentRemediation.png) + +5. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ``` diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.1_Disable_Monitoring_Insights_Overview.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.1_Disable_Monitoring_Insights_Overview.png new file mode 100644 index 000000000..15aab252b Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.1_Disable_Monitoring_Insights_Overview.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.2_Disable_Monitoring_Insights_Configuration.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.2_Disable_Monitoring_Insights_Configuration.png new file mode 100644 index 000000000..27228548f Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.2_Disable_Monitoring_Insights_Configuration.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.3._Disable_Monitoring_Insights_Confirm.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.3._Disable_Monitoring_Insights_Confirm.png new file mode 100644 index 000000000..6ace336d9 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.3._Disable_Monitoring_Insights_Confirm.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.4._Disable_AMA.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.4._Disable_AMA.png new file mode 100644 index 000000000..17f947fd1 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.4._Disable_AMA.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.5_Confirm_disabled_AMA.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.5_Confirm_disabled_AMA.png new file mode 100644 index 000000000..6a1704dda Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/1.5_Confirm_disabled_AMA.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.1_Assign_Policy_Assignments_Overview.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.1_Assign_Policy_Assignments_Overview.png new file mode 100644 index 000000000..3b99ba924 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.1_Assign_Policy_Assignments_Overview.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.2_Assign_Policy_Monitor_AMA.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.2_Assign_Policy_Monitor_AMA.png new file mode 100644 index 000000000..6fa8db6bd Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.2_Assign_Policy_Monitor_AMA.png differ 
diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.3_Assign_Policy_Monitor_AMA_remidate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.3_Assign_Policy_Monitor_AMA_remidate.png new file mode 100644 index 000000000..1e97e6706 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.3_Assign_Policy_Monitor_AMA_remidate.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.4_Assign_Policy_Monitor_AMA_remidate.png b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.4_Assign_Policy_Monitor_AMA_remidate.png new file mode 100644 index 000000000..11b6500f3 Binary files /dev/null and b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/img/2.4_Assign_Policy_Monitor_AMA_remidate.png differ diff --git a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/solution.md b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/solution.md index 05a4ad8b3..7e60af7a6 100644 --- a/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/solution.md +++ b/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/walkthrough/challenge-7/solution.md 
@@ -2,145 +2,56 @@ Duration: 30 minutes -[Previous Challenge Solution](../challenge-4/solution.md) - **[Home](../../Readme.md)** +### Task 1: Disable Azure Monitor Insights and Azure Monitor Agent for arc enabled servers through the Azure portal -## Action 1: Create an Azure Policy Guest Configuration for your Azure Arc VMs +1. Navigate to Azure Monitor by using the top search bar and typing *Monitor* -### Setup a Policy that checks if the user "FrodoBaggins" is part of the local administrators group +2. In the left navigation plane, open the *Insights* menu and select *Virtual Machines* +3. In the center navigation plane under *Overview*, choose *Monitored* to find the Azure monitor enabled Arc VMs. -1. Please navigate to Azure Policy. +4. For each VM, click on *Enabled* in the Monitor Coverage Column. In the context menu, select edit and on the next screen, disable VM insights. -2. Navigate to *Assignments* in the left navigation pane and select *Assign policy* in the top menu. +5. To now remove the AMA, open the arc machine in your resource group and navigate to *Settings > Extensions* in the left control plane. - ![PolicyAssignment.png](./img/PolicyAssignment.png) +6. Select the appropriate Monitoring agent (in the picture for Linux) and click on uninstall + +7. Verify the uninstalling of the monitoring extension by navigating to the Azure Arc control plane by entering *Azure Arc* in the top search bar. From here, select *Azure Arc resources* in the left control plane and check the colum *Monitoring extension* for your servers. + +### Task 2: Re-Enable Azure Monitor Agent for Azure Arc enabled Servers with Azure Policy initiatives + +1. Navigate to *Policy* using the top search bar and select *Assignments* in the left navigation pane. + +2. Select *Assignments* in the left navigation pane and go to *Assign initiative* 3. 
In this section you can now configure the assignment with the following settings and create the assignment: -- Scope: Please select the resource group called *mh-arc-servers-rg* -- Policy Definition: Please search for *administrators group* and select *Audit Windows machines missing any of the specified members in the Administrators group*. -- Parameters: Please ensure to set *Include Arc connected servers* to *true and *Members to include* to *FrodoBaggins*. +- Scope: Please select your resource group +- Basics: Please search for *Enable Azure Monitor for Hybrid VMs with AMA* and select the initiative. +- Parameters: Please insert the Resource ID of the Data Collection Rule from Task 2. +- Remediation: Please select the System assigned identity location according to your resources, e.g. West Europe. Don't check the box for "Create a remediation task" here, as it would only create a remediation task for the first policy within the policy initiative. We will do this in one of the next steps for all policies. +- Click *Review + create* and then *Create* + +4. Please wait around 30 seconds until the creation of the assignment is complete. You should see that the initiative is assigned. Every new Azure Arc server will now automatically install the AMA and Dependency agents as well the necessary association with the data collection rule we created in task 2. Be aware that agent installation can take up to 60 Minutes. + +![image](./img/2.1_Assign_Policy_Assignments_Overview.png) + +5. Important: All three machines were already onboarded earlier. As a result, you need to create a remediation task for each policy in the initiative to apply the policy to your existing Azure Arc Servers. Please select the Initivative Assignment and select *Create Remediation Task*. + +![image](./img/2.2_Assign_Policy_Monitor_AMA.png) + +6. 
Accept the default values, check *Re-evaluate resource compliance before remediating* and repeat the remediation for the following policies: + - AzureMonitorAgent_Windows_HybridVM_Deploy + - AzureMonitorAgent_Linux_HybridVM_Deploy + - DependencyAgentExtension_AMA_Windows_HybridVM_Deploy + - DependencyAgentExtension_AMA_Linux_HybridVM_Deploy + - DataCollectionRuleAssociation_Windows + - DataCollectionRuleAssociation_Linux - ![PolicyAssignmentBasics.png](./img/PolicyAssignmentBasics.png) +![image](./img/2.3_Assign_Policy_Monitor_AMA_remidate.png) - ![PolicyAssignmentParameters.png](./img/PolicyAssignmentParameters.png) +7. In Policy > Remediation > Remediation Task, verify that all remediation completed successfully: - > **Note** - > This example does not include remediation. If you want to learn more on how to use guest configuration to remediate the state of your servers please refer to [Remediation options for guest configuration](https://docs.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration-policy-effects). - - -4. On Non-Compliance Message you can create a custom message that may contain additional information like link to internal documentation or just an explaination why this policy is set. - - ![PolicyAssignmentMessage.png](./img/PolicyAssignmentMessage.png) - -5. Review the policy assignment and select *Create*. - - ![PolicyAssignmentReview.png](./img/PolicyAssignmentReview.png) - -6. After a few minutes you will be able to see the compliance state of your Windows-based servers. 
- -## Action 2: Create an Machine Configuration - -### Setup a Machine Configuration that creates a registry key +![image](./img/2.4_Assign_Policy_Monitor_AMA_remidate.png) -Find the needed DSC Configuration in the following powershell code block - -```powershell -Configuration AddKey { - Import-DscResource -ModuleName 'PSDscResources' - - Node localhost { - Registry EnvironmentDSCKey { - Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\EnvironmentKeyDSC' - Ensure = 'Present' - ValueName = '' - } - } -} - -AddKey -``` - -#### Optional Steps: - -1. Set up your Authoring Environment for DSC -2. Create DSC Config and Corresponding MOF File -3. Create the zip file for the Machine Configuration - -As this MicroHack focuses on the Arc and Hybrid those Steps are optional and you can also use the prepared zip file from the repository. -Find it here [AddKey.zip](https://github.com/microsoft/MicroHack/raw/main/03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers/resources/AddKey.zip) - -### Create the Machine Configuration as Azure Policy - -1. You will need to upload the zip file to a Storage Account and create a SAS with read permissions. - - > **Warning** - > The following commands cannot be run from Azure Cloud Shell! Please use a local Powershell. - > To install the required modules use: - > ```powershell - > Install-Module -Name Az -Repository PSGallery -Force - > Install-Module -Name GuestConfiguration -Repository PSGallery -Force - > ``` - - - > **Note** - > You will need at least the *Storage Blob Data Contributor* role to be able to upload the file. - - > **Note** - > The expiry date needs be to less than 7 days in the future. 
- - ```powershell - #Define your environment - $storageAccountName = "uniquestorageaccname" - $containerName = "containername" - $fileName = "AddKey.zip" - $expiratioNDate = "2023-12-30T00:00:00Z" - - #Establish storage account context - $ctx = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount - - #Upload the file to your storage account - $Blob1HT = @{ - File = $fileName # Change path if your file is not in the same directory as the script - Container = $containerName - Blob = $fileName - Context = $ctx - StandardBlobTier = 'Hot' - } - Set-AzStorageBlobContent @Blob1HT -Force - - #Create the SAS to access the file later - $sas = New-AzStorageBlobSASToken -Context $ctx -Container $containerName -Blob $fileName -Permission r -ExpiryTime $expiratioNDate -FullUri - ``` - -3. To assign the Machine Configuration we will use a Azure Policy. To create the Policy refer to the following Powershell Block. The Policy is created at the Tenant Root so that we can assign it to all subscriptions. - > **Note** - > Depending on your machine configuration, this might need to be executed with local administrative privileges. - ```powershell - #Define your environment - $name = "AddKey Policy" - $tenantId = "" #Tenant ID is the ID of the Root Management Group, or any other Management Group ID of your choice - - #Define Policy Parameters - $PolicyConfig = @{ - PolicyId = (New-Guid).guid - ContentUri = $sas - DisplayName = $name - Description = $name - Path = '.\policies\' - Platform = 'Windows' - PolicyVersion = "1.0.0" - Mode = 'ApplyAndAutoCorrect' - } - - # Create the policy definition file - $configurationPolicy = New-GuestConfigurationPolicy @PolicyConfig - - # Create new policy from definition file - New-AzPolicyDefinition -Name $name -Policy $configurationPolicy.Path -ManagementGroupName $tenantID - ``` -4. Now that the policy definition is created you can assign the policy like in Action 1 but add a remediation like in the screenshot below. 
- - ![PolicyAssignmentRemediation.png](./img/PolicyAssignmentRemediation.png) - -5. It takes some minutes for the Machine Configuration to become compliant. If thats the case you can verify the registry key being created by launching ``` regedit.exe ``` and browse to ``` HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ ``` +8. After Policy remidiation, you should be able to confirm that the monitoring extension is enabled again by navigating to the Azure Arc control plane by entering *Azure Arc* in the top search bar. From here, select *Azure Arc resources* in the left control plane and check the colum *Monitoring extension* for your servers.
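Review bot: In the challenge-4/solution.md hunk, the Defender for Cloud steps (the removed "Task 2: Configure Defender for Cloud" block that enabled Defender for Servers Plan 2 and AMA auto-provisioning, and the "Task 3" inventory check) are dropped with no replacement anywhere in this patch, and the Readme table of contents in the same patch no longer lists a Defender challenge; that was the only step in the sequence that turned on threat protection for the Arc-connected servers, so either state in the commit message that the removal is intended or keep it as an optional challenge. In the added text, the bare `+###` lines are empty heading elements used as separators and render as such; use a `---` rule instead. Wording: "takes upward to 4 hours for the assessment to run and provide results" reads better as "can take up to 4 hours to produce results".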
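Review bot: In the challenge-5/solution.md hunk the new navigation line links the walkthrough to itself: `+[Previous Challenge Solution](../challenge-5/solution.md)` should point at `../challenge-4/solution.md` now that ESU activation is challenge 5. Typos in the added lines: "Your new item will apprear" (appear), "report the server es ESU enabled" (as), "a list of Arc enabled server that are eligible" (servers), and "Fill in the required field" (fields, since a list of several follows).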
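Review bot: In the challenge-6/solution.md hunk, the hard-coded `$expiratioNDate = "2023-12-30T00:00:00Z"` is already in the past and contradicts the note two lines above it that the expiry "needs be to less than 7 days in the future" (also a word-order typo); compute it instead, e.g. `$expirationDate = (Get-Date).ToUniversalTime().AddDays(6)`, and fix the capitalisation of the variable name. Because `$sas` is then written into the policy definition as `ContentUri = $sas`, the read SAS URI is persisted in the definition and visible to anyone who can read policy definitions at that management group, so the short expiry and the single-blob scope matter; say so next to the SAS step. Further points in the same hunk: the numbered steps jump from "1. You will need to upload the zip file" to "3. To assign the Machine Configuration" (no step 2); the scope `*mh-arc-servers-rg*` does not match the resource group names `mh-arc-onprem-` and `mh-arc-cloud-` plus user ID that the Readme in this patch introduces; `*Include Arc connected servers* to *true and *Members to include*` has an unclosed italic; `$tenantId` is documented in its own comment as a management group ID and is passed as `-ManagementGroupName $tenantID`, so name it `$managementGroupId` and mention that creating a definition at the tenant root group requires the user to have been granted access at that scope; step 5 tells the reader to open `regedit.exe` and browse to `HKLM:\SYSTEM\...`, but that is PowerShell drive notation, in regedit the path is `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\`. The old file's `[Previous Challenge Solution] - **[Home]**` line is removed without a replacement while the other walkthroughs keep it. Small typos: "Create an Machine Configuration" (a), "explaination", "If thats the case".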
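Review bot: In the challenge-7/solution.md hunk, "Parameters: Please insert the Resource ID of the Data Collection Rule from Task 2" and, in step 4, "the data collection rule we created in task 2" refer to a task that does not exist in this walkthrough (Task 2 here is the initiative assignment itself); the rule comes from the Azure Monitor integration challenge, so point the reader at that challenge. The old `[Previous Challenge Solution] - **[Home]**` navigation line is removed and not replaced. Task 1 deliberately uninstalls the monitoring extension; step 7 confirms the gap, so add a sentence that the machine sends nothing to the workspace until the remediation in Task 2 completes, which by step 4 can take up to 60 minutes, so alerting that depends on those logs is blind for that window. Step 2 ("Select *Assignments* in the left navigation pane") repeats what step 1 already did. The headings use `### Task 1` and `### Task 2` where the other walkthrough files in this patch use `## Task`. Typos: "Initivative", "remidiation", "colum" (twice), "navigation plane" and "control plane" should be "pane", and the image files `2.3_Assign_Policy_Monitor_AMA_remidate.png` and `2.4_...remidate.png` carry the same misspelling in their names.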