Azure Arc-enabled Servers

Two day challenge hack going deeper on operations and management for Azure Arc-enabled servers.


This is a two day hack to get you skilled up in the various aspects of using Azure Arc to onboard VMs outside of Azure and leverage the management plane and range of services to transform how you manage your hybrid estates.

The hack is used in the UK to enable partners and those partners will make use of Azure Passes with pre-created resources to accelerate the hack. You are absolutely free to reuse the content yourself as it is 100% public, including the repository used to create the “on prem” resources.

The hack is a challenge hack, so each section gives you a number of challenges to meet, plus a set of links for your reference. As you complete each section you will screen share with your proctor to confirm the success criteria has been met before moving on to the next section.



Attending an Azure Arc for Servers hack? If so then complete these first. And please - do so before the start of the hack!


Your customer, World Wide Importers, would like a small proof of concept before moving forward with a larger Azure Arc project. Get the background and their initial requirements.

Azure Landing Zone

Plan for deployment and prepare the target resource group for your Arc servers.

Additional Policies

Explore some of the other built-in and custom policies for Azure Arc-enabled servers. Create a Data Collection Rule via the REST API and then assign additional policies.

Final prep

Create a target resource group and a service principal with the "Azure Connected Machine Onboarding" role.

Scale Onboarding for Linux

Onboarding multiple Linux servers with a service principal, then connecting with the azcmagent.

Scale Onboarding for Windows

Onboarding multiple Windows servers using Windows Admin Center.

Azure Automanage

Use the Azure Automanage service to create a management baseline for the connected machines, enabling update management and inventory. Or use the services individually.


Configure the new Azure Monitor agent and Data Collection Rules. Optionally integrate with Azure Security Center and Azure Sentinel.


Use Azure Policy and the Guest Configuration policy definitions to govern your on prem resources and prove compliance.

Key Vault Extension

Rotating server certificates in a large estate has always been a administration hassle, so let this key vault extension take the heavy lifting for both Azure and Azure Arc-enabled VMs.

Custom Script Extension

The custom script extension opens up opportunities to automate PowerShell and Bash scripts at scale for both cloud and on prem servers.

Managed Identity

Each connected machine has a system assigned managed identity. This lab will walk through using the REST API calls on your Arc-enabled servers to get challenge tokens, resource tokens and access the ARM and PaaS API endpoints

On Prem VMs

You will need some on premises servers to onboard and connect to Azure as part of the pilot. Create then on the platform of your choice, or spin them up in Azure using our Terraform repo.