Azure Arc-enabled Servers

Two-day challenge hack going deeper on operations and management for Azure Arc-enabled servers.


This is a two-day hack to get you skilled up in the various aspects of using Azure Arc to onboard VMs outside of Azure and leverage the management plane and range of services to transform how you manage your hybrid estates.

The hack is used in the UK to enable partners, and those partners will make use of Azure Passes with pre-created resources to accelerate the hack. You are absolutely free to reuse the content yourself as it is 100% public, including the repository used to create the “on prem” resources.

The hack is a challenge hack, so each section gives you a number of challenges to meet, plus a set of links for your reference. As you complete each section you will screen share with your proctor to confirm the success criteria have been met before moving on to the next section.



Attending an Azure Arc for Management & Governance hack? If so then complete these first.


Your customer, Wide World Importers, would like a small proof of concept before moving forward with a larger Azure Arc project. Get the background and their initial requirements.

Hack Overview

Brief overview covering the flow of labs within this hack.

Azure Landing Zone

Deploy a default Azure Landing Zone using the Bicep repo.

Arc Pilot resource group

Create a target resource group, plus a few resources and tag inheritance policies.

Azure Monitoring Agent

Summary of the switch from legacy agents (MMA, Dependency) to the Azure Monitor Agent. Enable VM Insights with the AMA.

Additional policy assignments

Explore some of the other built-in and custom policies for Azure Arc-enabled servers. Assign a few additional policies.

Access your on prem VMs

Check you can access your Windows and Linux on prem virtual machines. Plus additional info for Cloud Shell and Code Tunnels.

Create onboarding scripts

Create the Bash and PowerShell scripts for onboarding using the service principal.

Onboarding using scripts

Create the Bash and PowerShell scripts for onboarding using the service principal.


Start simple with inventory. Customise the Azure Arc-enabled Servers view and then create a resource graph query that can go across subscriptions.


Configure the new Azure Monitor agent and Data Collection Rules. Optionally integrate with 'Microsoft Defender for Cloud' and Azure Sentinel.


Configure SSH for your Azure Arc-enabled Servers.

Windows Admin Center

Configure Windows Admin Center in the Azure Portal to manage on prem Windows servers.


Use Azure Policy and the Guest Configuration policy definitions to govern your on prem resources and prove compliance.

Custom Script Extension

The custom script extension opens up opportunities to automate PowerShell and Bash scripts at scale for both cloud and on prem servers.

Key Vault Extension

Rotating server certificates in a large estate has always been an administration hassle, so let this key vault extension do the heavy lifting for both Azure and Azure Arc-enabled VMs.

Managed Identity

Each connected machine has a system-assigned managed identity. This lab will walk through using the REST API calls on your Arc-enabled servers to get challenge tokens, resource tokens and access the ARM and PaaS API endpoints.

On Prem VMs

You will need some on premises servers to onboard and connect to Azure as part of the pilot. Create them on the platform of your choice, or spin them up in Azure using our Terraform repo.