Azure Citadel

Table of Contents

  • Introduction
  • Delete policy assignments
  • VM Insights policy initiative
  • Log Analytics workspace
  • Required roles
  • Assign the policy
  • Check the roles
  • Success criteria
  • Resources
  • Next

Azure Monitoring Agent

Summary of the switch from legacy agents (MMA, Dependency) to the Azure Monitor Agent. Enable VM Insights with the AMA.

Introduction

The Azure Monitor Agent (AMA) is replacing the legacy monitoring agents.

Historically, agent-based collection has used the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA) or the OMS agent), with a secondary Telegraf agent for Linux metrics. Moving to the AMA also changes how the Dependency agent is configured for Service Map information.

The legacy Log Analytics agent will be retired on August 31, 2024.

Wide World Importers have decided to exclusively use the newer AMA agent in the POC.

As a starting point, they would like VM Insights configured for the hybrid servers. This is an area of some confusion, as a number of documentation pages and policy definitions still refer to the legacy agents. Enabling VM Insights with the Azure Monitor Agent is in preview, and that is what will be configured in the POC.

Delete policy assignments

OK, first things first. We will delete a couple of the legacy policy assignments created by Azure Landing Zones.

The default policy assignments continue to deploy the legacy agents whilst some of the Azure Monitor Agent policies remain in preview. Unassign them.

  • Navigate to the Policy | Assignments blade

  • Search on Enable Azure Monitor

  • Select one of the assignments

  • Click on View definition

    Legacy policy initiatives

    The name and description are now prefixed with “Legacy”.

  • Click on the red cross at the top right twice to return back to the filtered list

  • Delete both assignments

    Delete assignments of legacy policy initiatives

VM Insights policy initiative

  1. View the Enable Azure Monitor for Hybrid VMs with AMA policy initiative definition

    Enable Azure Monitor for Hybrid VMs with AMA

    If you dive into the Dependency agent policies then you’ll notice that the extension deployment has a setting, "enableAMA": "true", to configure it for the AMA rather than MMA.

  2. Check the parameters

    The only required parameter value is logAnalyticsWorkspace.

    The dataCollectionRuleName parameter value will default to ama-vmi-default.

    The definition will prefix the dataCollectionRuleName with MSVMI- and suffix it with -dcr, so the default DCR name will be MSVMI-ama-vmi-default-dcr.

    The enableProcessesAndDependencies boolean defaults to false.

⚠️ Don’t deploy the policy initiative via the portal even though that would be quicker.

We want to know how to automate this so will step through the process as an example.

Log Analytics workspace

When you looked at the policy initiative, the only required parameter value was the workspace ID.

Create a workspace in the arc_pilot resource group.

Name it MSVMI-ama-vmi-default-workspace to be consistent with the default DCR naming.

  1. Create a Log Analytics workspace for VM Insights

    az monitor log-analytics workspace create --name MSVMI-ama-vmi-default-workspace \
      --resource-group arc_pilot --location westeurope
    

Required roles

The policies in the initiative use Deploy If Not Exists to provision the DCR, the AMA and Dependency extensions, and the DCR VM association. Deploy If Not Exists policies act on resources as they are created or updated; machines onboarded before the assignment are only brought into compliance by a remediation task, and every one of those deployments runs as the assignment's managed identity.

You need to determine the required permissions for the managed identity if you are going to automate the deployment.

Return to the policy definition view. We'll start an assignment only far enough to see which roles the managed identity needs, then cancel it.

  1. Click on Assign

  2. Basics tab: Select the Landing Zones (alz-landingzones) management group

  3. Parameters tab: Use the ellipsis (…) to select the subscription and workspace

  4. Remediation tab: Check the permissions for the RBAC roles

    Managed identity permissions

    The required roles are:

    • Azure Connected Machine Resource Administrator
    • Log Analytics Contributor
    • Monitoring Contributor
  5. Click on Cancel

    ⚠️ Do not click on Create! You’ll assign the policy via the CLI.

Assign the policy

  1. Get the workspace ID

    workspace_id=$(az monitor log-analytics workspace show --name MSVMI-ama-vmi-default-workspace \
      --resource-group arc_pilot --query id --output tsv)
    
  2. Set scope to the Landing Zones management group

    scope=/providers/Microsoft.Management/managementGroups/alz-landingzones
    
  3. Assign the policy initiative

    az policy assignment create --name AMAhybrid \
      --display-name "Enable Azure Monitor for Hybrid VMs with AMA" \
      --description "Enable Azure Monitor for Hybrid VMs with Azure Monitor Agent (VM Insights)" \
      --policy-set-definition 59e9c3eb-d8df-473b-8059-23fd38ddd0f0 \
      --scope $scope \
      --mi-system-assigned --location westeurope \
      --identity-scope $scope \
      --role "Azure Connected Machine Resource Administrator" \
      --params "{\"logAnalyticsWorkspace\": {\"value\":\"$workspace_id\"}, \"enableProcessesAndDependencies\": {\"value\": true}}"
    

    Setting the enableProcessesAndDependencies boolean to true installs the Dependency agent.

    The policies automatically set the agent’s enableAMA property to true.

    You can only assign a single role when creating a policy assignment via the Azure CLI. Until all three roles are granted, remediation deployments run by the managed identity will fail with authorization errors.

  4. Assign additional roles to the managed identity

    az policy assignment identity assign --name AMAhybrid \
      --scope $scope \
      --system-assigned --identity-scope $scope \
      --role "Log Analytics Contributor"
    
    az policy assignment identity assign --name AMAhybrid \
      --scope $scope \
      --system-assigned --identity-scope $scope \
      --role "Monitoring Contributor"
    

Check the roles

  • Portal:

    Filter on “Monitor” in Policy | Assignments, select Enable Azure Monitor for Hybrid VMs with AMA and select the Managed Identity tab.

    Managed identity permissions

  • CLI:

    identity_id=$(az policy assignment identity show --name AMAhybrid --scope $scope --query principalId --output tsv)
    az role assignment list --scope $scope --assignee $identity_id --query "[].roleDefinitionName"
    

    Expected output:

    [
      "Azure Connected Machine Resource Administrator",
      "Log Analytics Contributor",
      "Monitoring Contributor"
    ]
    

Success criteria

Show the proctor:

  1. the resource group name, location, tags and resources
  2. the RBAC assignment for Azure Arc Admins
  3. your tag inheritance policy assignments
  4. your VM Insights initiative assignment
  5. that the initial Enable Azure Monitor assignments have been deleted

Resources

  • https://learn.microsoft.com/azure/azure-monitor/agents/agents-overview
  • https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-migration
  • https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-overview
  • https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-enable-overview#agents

Next

The policy initiative is a great way to deploy the new Azure Monitoring Agent at scale, and you can also

In the next lab you will assign more policy initiatives for deploying additional extensions to hybrid machines.
