Azure Citadel
  • Blogs
  • ARM
  • Azure Arc
    • Overview
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • Prereqs
    • Day 1
      • Azure Baristas
      • Day 1 Challenge
    • Day 2
      • Example
      • Day 2 Challenge
    • Day 3
      • Day 3 Challenge
    • Useful Links
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Azure Stack HCI
    • Overview
    • Useful Links
    • Updates from Microsoft Ignite 2022
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
    • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner
    • Lighthouse and Partner Admin Link
      • Microsoft Cloud Partner Program
      • Combining Lighthouse and PAL
      • Minimal Lighthouse definition
      • Using service principals
      • Privileged Identity Management
    • Useful Links
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Working Environments for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Azure Arc
  3. Azure Arc-enabled Servers
  4. Additional policy assignments

Table of Contents

  • Introduction
  • Challenge
  • Stretch target
  • Success criteria
  • Resources
  • Next Steps

Additional policy assignments

Explore some of the other built-in and custom policies for Azure Arc-enabled servers. Assign a few additional policies.

Introduction

You have already added to the default set of Azure Landing Zone policy assignments with additional policies for tagging and VM Insights.

In this lab you will extend the set of assigned policies with a few more inbuilt and custom policy initiatives designed for hybrid estates. The Deploy if Not Exists policies are useful to help automate configuration of resources including the installation of extension on hybrid machines.

Wide World Importers have asked for some additional policy and policy initiatives to be assigned at the Landing Zones management group.

Name Category Type
The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers Monitoring Policy
The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers Monitoring Policy
[Preview]: Deploy Microsoft Defender for Endpoint agent Security Center Initiative

The Microsoft Defender for Endpoint (MDE) agent has historically been a standalone agent install and was separately licenced. The direction of travel is towards Azure Arc being used as the framework for agent extensibility and with billing simplified through the Azure’s Cost Management and Billing mechanisms.

We will look more closely at Microsoft Defender for Cloud and Microsoft Defender for Endpoint in later labs.

Challenge

  • Assign the two individual policies
  • Assign the MDE agent deployment initiative
  • Use automation to assign - not the portal

It is up to you whether you use the CLI, PowerShell, REST, ARM, Bicep or Terraform. You’ll find links to the quickstarts below.

Stretch target

If you have time

  • add the two individual policies into a custom policy initiative and assign that instead

Policy initiatives are more flexible than multiple individual policies as you can add new policies to them. And they make it easier to report and manage from a compliancy perspective.

Remember the individual compliancy messages you used on the tagging policies? There is a way of linking individual non-compliancy messages to specific policies within the policy initiative.

Success criteria

Show your proctor that you have:

  • assigned the policies to check that the MMA is not installed
  • assigned the policy initiative to install the MDE

Stretch:

Show how you:

  • created and assigned the initiative
  • if you were specific with non-compliancy messages, either
    • the CLI command and switch
    • the initiative assignment property

Resources

  • https://learn.microsoft.com/azure/governance/policy/overview
  • https://learn.microsoft.com/azure/governance/policy/assign-policy-azurecli
  • https://learn.microsoft.com/azure/governance/policy/assign-policy-powershell
  • https://learn.microsoft.com/azure/governance/policy/assign-policy-rest-api
  • https://learn.microsoft.com/azure/governance/policy/assign-policy-template
  • https://learn.microsoft.com/azure/governance/policy/assign-policy-bicep?tabs=azure-powershell
  • https://learn.microsoft.com/azure/governance/policy/assign-policy-terraform
  • https://learn.microsoft.com/azure/governance/policy/assign-policy-portal
  • https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment
  • https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint
  • https://learn.microsoft.com/azure/governance/policy/concepts/initiative-definition-structure
  • https://learn.microsoft.com/azure/governance/policy/concepts/assignment-structure

Next Steps

OK, you should now have a target environment with a decent starting set of policies and initiatives, Azure AD groups, RBAC role assignments and some default resources.

It is preferable to configure the target environment before onboarding VMs as the policy engine will take care of extension installation and configuration. Remediating non-compliant resources is a slower process.

Key questions:

  • what is your preferred automation for deploying Azure Landing Zones for customers migrating to Azure?
  • what will you offer as a default suggested target environment for your customer’s hybrid and multi-cloud estates?
  • what supporting collateral will hybrid engagements need for
    • go to market
    • customer workshops
    • design documentation
    • internal deployment and management guides?
  • how will you iterate on the offer?

These are (mainly) rhetorical questions.

In the next lab we’ll test that you can access your on prem VMs before you start to onboard.

Azure Monitoring Agent Additional policy assignments Access your on prem VMs