Register your servers and assign permissions for Azure Stack HCI, version 23H2 deployment

Applies to: Azure Stack HCI, version 23H2

This article describes how to register your Azure Stack HCI servers and then set up the required permissions to deploy an Azure Stack HCI, version 23H2 cluster.

Prerequisites

Before you begin, make sure you've completed the following prerequisites:

  • Satisfy the prerequisites and complete deployment checklist.

  • Prepare your Active Directory environment.

  • Install the Azure Stack HCI, version 23H2 operating system on each server.

  • Register your subscription with the required resource providers (RPs). You can use either the Azure portal or Azure PowerShell to register. You need to be an Owner or Contributor on your subscription to register the following resource providers:

    • Microsoft.HybridCompute
    • Microsoft.GuestConfiguration
    • Microsoft.HybridConnectivity
    • Microsoft.AzureStackHCI

    Note

    The assumption is that the person registering the Azure subscription with the resource providers is a different person than the one who is registering the Azure Stack HCI servers with Arc.

  • If you're registering the servers as Arc resources, make sure that you have the following roles on the resource group where the servers will be registered:

    • Azure Connected Machine Onboarding
    • Azure Connected Machine Resource Administrator

    To verify that you have these roles, follow these steps in the Azure portal:

    1. Go to the subscription that you use for the Azure Stack HCI deployment.
    2. Go to the resource group where you're planning to register the servers.
    3. In the left pane, go to Access control (IAM).
    4. In the right pane, go to Role assignments. Verify that you have the Azure Connected Machine Onboarding and Azure Connected Machine Resource Administrator roles assigned.
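The two prerequisite checks above (resource provider registration, which the subscription Owner or Contributor normally performs, and the Arc onboarding roles on the resource group) can be done from Azure PowerShell instead of the portal. The following is an added example, not code from the original article or from the AzsHCI.ARCinstaller module. It assumes Az.Accounts and Az.Resources are installed on the workstation where you run it; the subscription ID, tenant ID and resource group name are placeholders.

```powershell
# Added example (not from the original article): register the four resource providers
# required for Azure Stack HCI, version 23H2, wait until each reports Registered, then
# confirm the signed-in user holds both Arc onboarding roles on the resource group.
# Placeholder values; set them to your own subscription, tenant and resource group.
$Subscription = "<Subscription ID>"
$Tenant       = "<Tenant ID>"
$RG           = "myashcirg"

Connect-AzAccount -SubscriptionId $Subscription -TenantId $Tenant -DeviceCode | Out-Null

$providers = @(
    "Microsoft.HybridCompute",
    "Microsoft.GuestConfiguration",
    "Microsoft.HybridConnectivity",
    "Microsoft.AzureStackHCI"
)

# Get-AzResourceProvider returns one entry per resource type of the namespace; the
# RegistrationState is the same on all of them, so the first one is enough.
function Get-ProviderState([string]$Namespace) {
    (Get-AzResourceProvider -ProviderNamespace $Namespace).RegistrationState | Select-Object -First 1
}

foreach ($ns in $providers) {
    if ((Get-ProviderState $ns) -ne "Registered") {
        Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
    }
}

# Registration is asynchronous; poll until all four are Registered or give up after 5 minutes.
$deadline = (Get-Date).AddMinutes(5)
do {
    $pending = foreach ($ns in $providers) {
        if ((Get-ProviderState $ns) -ne "Registered") { $ns }
    }
    if ($pending) { Start-Sleep -Seconds 10 }
} while ($pending -and (Get-Date) -lt $deadline)
if ($pending) { Write-Warning "Still not registered: $($pending -join ', ')" }

# Role check. Get-AzRoleAssignment also returns assignments inherited from the
# subscription or management group, so an inherited assignment satisfies this check.
# Roles held only through group membership are not returned unless you add
# -ExpandPrincipalGroups, which requires directory read permission.
$user     = (Get-AzContext).Account.Id
$scope    = "/subscriptions/$Subscription/resourceGroups/$RG"
$required = @("Azure Connected Machine Onboarding", "Azure Connected Machine Resource Administrator")
$held     = Get-AzRoleAssignment -SignInName $user -Scope $scope |
            Select-Object -ExpandProperty RoleDefinitionName
$missing  = $required | Where-Object { $_ -notin $held }

if ($missing) {
    Write-Warning "Missing on ${scope}: $($missing -join ', ')"
} else {
    Write-Host "All required Arc onboarding roles are present on $scope"
}
```

If the person registering the resource providers is not the person who registers the servers (the case the note above assumes), run the provider part as the subscription Owner or Contributor and the role check as the user who will run the Arc registration script.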

Register servers with Azure Arc

Important

Run these steps on every Azure Stack HCI server that you intend to cluster.

  1. Install the Arc registration script from PSGallery.

    #Register PSGallery as a trusted repo
    Register-PSRepository -Default -InstallationPolicy Trusted
    
    #Install Arc registration script from PSGallery 
    Install-Module AzsHCI.ARCinstaller
    
    #Install required PowerShell modules in your node for registration
    Install-Module Az.Accounts -Force
    Install-Module Az.ConnectedMachine -Force
    Install-Module Az.Resources -Force
    

    Here's a sample output of the installation:

    PS C:\Users\SetupUser> Install-Module -Name AzSHCI.ARCInstaller                                           
    NuGet provider is required to continue                                                                                  
    PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet  provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
    'C:\Users\SetupUser\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by
    running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install
    and import the NuGet provider now?
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
    PS C:\Users\SetupUser>
    
    PS C:\Users\SetupUser> Install-Module Az.Accounts -Force
    PS C:\Users\SetupUser> Install-Module Az.ConnectedMachine -Force
    PS C:\Users\SetupUser> Install-Module Az.Resources -Force
    
  2. Set the parameters. The script takes in the following parameters:

    Parameter       Description
    --------------  -------------------------------------------------------------------------------------------------------
    SubscriptionID  The ID of the subscription used to register your servers with Azure Arc.
    TenantID        The tenant ID used to register your servers with Azure Arc. Go to your Microsoft Entra ID and copy the tenant ID property.
    ResourceGroup   The resource group precreated for Arc registration of the servers. A resource group is created if one doesn't exist.
    Region          The Azure region used for registration. See the supported regions that can be used.
    AccountID       The user who registers and deploys the cluster.
    DeviceCode      The device code displayed in the console. Enter it at https://microsoft.com/devicelogin to sign in.

     #Define the subscription where you want to register your server as Arc device
     $Subscription = "YourSubscriptionID"
    
     #Define the resource group where you want to register your server as Arc device
     $RG = "YourResourceGroupName"
    
     #Define the region you will use to register your server as Arc device
     $Region = "eastus"
    
     #Define the tenant you will use to register your server as Arc device
     $Tenant = "YourTenantID"
    

    Here's a sample output of the parameters:

    PS C:\Users\SetupUser> $Subscription = "<Subscription ID>"
    PS C:\Users\SetupUser> $RG = "myashcirg"
    PS C:\Users\SetupUser> $Tenant = "<Tenant ID>"
    PS C:\Users\SetupUser> $Region = "eastus"
    
  3. Connect to your Azure account and set the subscription. On the client that you use to connect to the server, open https://microsoft.com/devicelogin in a browser and enter the code shown in the PowerShell output to authenticate. Then get the access token and account ID for the registration. Treat $ARMtoken as a credential: it is a bearer token for your account, so don't paste it into tickets, scripts, or transcripts, and run step 4 promptly, because the token expires (typically within about an hour) and the registration script then fails with an authorization error.

    #Connect to your Azure account and Subscription
    Connect-AzAccount -SubscriptionId $Subscription -TenantId $Tenant -DeviceCode
    
    #Get the Access Token for the registration
    $ARMtoken = (Get-AzAccessToken).Token
    
    #Get the Account ID for the registration
    $id = (Get-AzContext).Account.Id   
    

    Here's a sample output of setting the subscription and authentication:

    PS C:\Users\SetupUser> Connect-AzAccount -SubscriptionId $Subscription -TenantId $Tenant -DeviceCode
    WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code A44KHK5B5
    to authenticate.
    
    Account               SubscriptionName      TenantId                Environment
    -------               ----------------      --------                -----------
    guspinto@contoso.com AzureStackHCI_Content  <Tenant ID>             AzureCloud
    
    PS C:\Users\SetupUser> $ARMtoken = (Get-AzAccessToken).Token
    PS C:\Users\SetupUser> $id = (Get-AzContext).Account.Id
    
  4. Finally run the Arc registration script. The script takes a few minutes to run.

    #Invoke the registration script. Use a supported region.
    Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenant -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id  
    

    If you're accessing the internet via a proxy server, you need to pass the -proxy parameter and provide the proxy server as http://<Proxy server FQDN or IP address>:Port when running the script.

    Here's a sample output of a successful registration of your servers:

    PS C:\DeploymentPackage> Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenant -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id -Force
    Installing and Running Azure Stack HCI Environment Checker
    All the environment validation checks succeeded
    Installing Hyper-V Management Tools
    Starting AzStackHci ArcIntegration Initialization
    Installing Azure Connected Machine Agent
    Total Physical Memory:         588,419 MB
    PowerShell version: 5.1.25398.469
    .NET Framework version: 4.8.9032
    Downloading agent package from https://aka.ms/AzureConnectedMachineAgent to C:\Users\AzureConnectedMachineAgent.msi
    Installing agent package
    Installation of azcmagent completed successfully
    0
    Connecting to Azure using ARM Access Token
    Connected to Azure successfully   
    Microsoft.HybridCompute RP already registered, skipping registration 
    Microsoft.GuestConfiguration RP already registered, skipping registration
    Microsoft.HybridConnectivity RP already registered, skipping registration
    Microsoft.AzureStackHCI RP already registered, skipping registration
    INFO    Connecting machine to Azure... This might take a few minutes.
    INFO    Testing connectivity to endpoints that are needed to connect to Azure... This might take a few minutes.
      20% [==>            ]
      30% [===>           ]
      INFO    Creating resource in Azure...
    Correlation ID=<Correlation ID>=/subscriptions/<Subscription ID>/resourceGroups/myashci-rg/providers/Microsoft.HybridCompute/machines/ms309
      60% [========>      ]
      80% [===========>   ]
     100% [===============]
      INFO    Connected machine to Azure
    INFO    Machine overview page: https://portal.azure.com/
    Connected Azure ARC agent successfully
    Successfully got the content from IMDS endpoint
    Successfully got Object Id for Arc Installation <Object ID>
    $Checking if Azure Stack HCI Device Management Role is assigned already for SPN with Object ID: <Object ID>
    Assigning Azure Stack HCI Device Management Role to Object : <Object ID>
    $Successfully assigned Azure Stack HCI Device Management Role to Object Id <Object ID>
    Successfully assigned permission Azure Stack HCI Device Management Service Role to create or update Edge Devices on the resource group
    $Checking if Azure Connected Machine Resource Manager is assigned already for SPN with Object ID: <Object ID>
    Assigning Azure Connected Machine Resource Manager to Object : <Object ID>
    $Successfully assigned Azure Connected Machine Resource Manager to Object Id <Object ID>
    Successfully assigned the Azure Connected Machine Resource Manager role on the resource group
    $Checking if Reader is assigned already for SPN with Object ID: <Object ID>
    Assigning Reader to Object : <Object ID>
    $Successfully assigned Reader to Object Id <Object ID>
    Successfully assigned the reader Resource Manager role on the resource group
    Installing  TelemetryAndDiagnostics Extension
    Successfully triggered  TelemetryAndDiagnostics Extension installation
    Installing  DeviceManagement Extension
    Successfully triggered  DeviceManagementExtension installation
    Installing LcmController Extension
    Successfully triggered  LCMController Extension installation
    Please verify that the extensions are successfully installed before continuing...
    
    Log location: C:\Users\Administrator\.AzStackHci\AzStackHciEnvironmentChecker.log
    Report location: C:\Users\Administrator\.AzStackHci\AzStackHciEnvironmentReport.json
    Use -Passthru parameter to return results as a PSObject.   
    
  5. After the script completes successfully on all the servers, verify that:

    1. Your servers are registered with Arc. Go to the Azure portal and then go to the resource group associated with the registration. The servers appear within the specified resource group as Machine - Azure Arc type resources.

      Screenshot of the Azure Stack HCI servers in the resource group after the successful registration.

    2. The mandatory Azure Stack HCI extensions are installed on your servers. From the resource group, select the registered server. Go to the Extensions. The mandatory extensions show up in the right pane.

      Screenshot of the Azure Stack HCI registered servers with mandatory extensions installed.
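The portal checks in step 5 can be scripted so that every node is verified the same way before you move on, including the point the script output warns about: the extensions are only "triggered", and deployment should not start until they have actually finished provisioning. The following is an added example, not code from the original article or from the AzsHCI.ARCinstaller module. It assumes Az.Accounts and Az.ConnectedMachine are installed (they are after step 1 on a node); the subscription ID, resource group and server names are placeholders, and the extension name patterns are an assumption taken from the names printed by the script above.

```powershell
# Added example (not from the original article): after Invoke-AzStackHciArcInitialization
# has completed on every node, confirm that each server exists as a Machine - Azure Arc
# resource in the resource group, that its agent reports Connected, and that the mandatory
# extensions reached ProvisioningState Succeeded rather than merely being triggered.
$Subscription = "<Subscription ID>"          # placeholder
$RG           = "myashcirg"                  # placeholder
$Servers      = @("ms309", "ms310")          # placeholders; Arc machine name = node computer name

Set-AzContext -SubscriptionId $Subscription | Out-Null

# Name fragments of the three mandatory extensions, assumed from the script output above.
$MandatoryPatterns = @("*TelemetryAndDiagnostics*", "*DeviceManagement*", "*LcmController*")

function Test-ArcNode {
    param([string]$ResourceGroup, [string]$Name)
    $result = [ordered]@{ Server = $Name; Registered = $false; Status = $null; Ok = $false; Detail = @() }

    $machine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $Name -ErrorAction SilentlyContinue
    if (-not $machine) {
        $result.Detail += "no Microsoft.HybridCompute/machines resource named $Name in $ResourceGroup"
        return [pscustomobject]$result
    }
    $result.Registered = $true
    $result.Status     = $machine.Status
    if ($machine.Status -ne "Connected") { $result.Detail += "agent status is '$($machine.Status)'" }

    $extensions = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroup -MachineName $Name
    foreach ($pattern in $MandatoryPatterns) {
        $ext = $extensions | Where-Object { $_.Name -like $pattern } | Select-Object -First 1
        if (-not $ext) {
            $result.Detail += "no extension matching $pattern is installed"
        } elseif ($ext.ProvisioningState -ne "Succeeded") {
            $result.Detail += "$($ext.Name) is in state '$($ext.ProvisioningState)'"
        }
    }
    $result.Ok = ($result.Detail.Count -eq 0)
    return [pscustomobject]$result
}

$report = foreach ($s in $Servers) { Test-ArcNode -ResourceGroup $RG -Name $s }
$report | Format-Table Server, Registered, Status, Ok, @{ n = "Detail"; e = { $_.Detail -join "; " } } -AutoSize

# Don't start cluster deployment until every node reports Ok = True.
if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning "One or more nodes are not ready for deployment; see the Detail column."
}
```

Extension installation continues after the script returns, so if a node shows a state such as Creating, wait and rerun the check rather than proceeding; a Failed state means the registration of that node needs to be investigated from the log location printed by the script.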

Assign required permissions for deployment

This section describes how to assign Azure permissions for deployment from the Azure portal.

  1. In the Azure portal, go to the subscription used to register the servers. In the left pane, select Access control (IAM). In the right pane, select + Add and from the dropdown list, select Add role assignment.

    Screenshot of the Add role assignment in Access control in subscription for Azure Stack HCI deployment.

  2. Go through the tabs and assign the following roles to the user who deploys the cluster:

    • Azure Stack HCI Administrator
    • Reader

    Note

    The deployment user also temporarily needs the Cloud Application Administrator role to create the service principal. Cloud Application Administrator is a Microsoft Entra ID directory role, not an Azure RBAC role, so it doesn't appear in the subscription's Access control (IAM) page; assign it in Microsoft Entra ID under Roles and administrators. After deployment, this role can be removed.

  3. In the Azure portal, go to the resource group used to register the servers on your subscription. In the left pane, select Access control (IAM). In the right pane, select + Add and from the dropdown list, select Add role assignment.

    Screenshot of the Add role assignment in Access control in resource group for Azure Stack HCI deployment.

  4. Go through the tabs and assign the following permissions to the user who deploys the cluster:

    • Key Vault Data Access Administrator: This permission is required to manage data plane permissions to the key vault used for deployment.
    • Key Vault Secrets Officer: This permission is required to read and write secrets in the key vault used for deployment.
    • Key Vault Contributor: This permission is required to create the key vault used for deployment.
    • Storage Account Contributor: This permission is required to create the storage account used for deployment.

  5. In the right pane, go to Role assignments. Verify that the deployment user has all the configured roles.
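The Azure RBAC assignments in steps 1 through 5 can also be made and verified with Az.Resources, which makes them repeatable and keeps each role at the narrowest scope the article specifies (subscription for the first two, resource group for the rest). The following is an added example, not code from the original article. It assumes the account running it holds Owner or User Access Administrator on the subscription; the subscription ID, resource group and deployment user are placeholders. Cloud Application Administrator is a Microsoft Entra ID directory role, so New-AzRoleAssignment cannot grant it; that role is assigned in Microsoft Entra ID and is deliberately left out here.

```powershell
# Added example (not from the original article): assign the deployment user's Azure RBAC
# roles idempotently at the scopes the article specifies, then verify every one of them.
$Subscription = "<Subscription ID>"          # placeholder
$RG           = "myashcirg"                  # placeholder
$DeployUser   = "deployer@contoso.com"       # placeholder: the user who deploys the cluster

$SubScope = "/subscriptions/$Subscription"
$RgScope  = "$SubScope/resourceGroups/$RG"

$Assignments = @(
    @{ Role = "Azure Stack HCI Administrator";       Scope = $SubScope },
    @{ Role = "Reader";                              Scope = $SubScope },
    @{ Role = "Key Vault Data Access Administrator"; Scope = $RgScope },
    @{ Role = "Key Vault Secrets Officer";           Scope = $RgScope },
    @{ Role = "Key Vault Contributor";               Scope = $RgScope },
    @{ Role = "Storage Account Contributor";         Scope = $RgScope }
)

function Grant-DeploymentRole {
    param([string]$SignInName, [string]$Role, [string]$Scope)
    # Get-AzRoleAssignment also returns inherited assignments, so compare the Scope
    # property to decide whether an assignment at exactly this scope already exists.
    $existing = Get-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $Role -Scope $Scope |
                Where-Object { $_.Scope -eq $Scope }
    if ($existing) { return "already assigned" }
    New-AzRoleAssignment -SignInName $SignInName -RoleDefinitionName $Role -Scope $Scope | Out-Null
    return "assigned"
}

foreach ($a in $Assignments) {
    $outcome = Grant-DeploymentRole -SignInName $DeployUser -Role $a.Role -Scope $a.Scope
    Write-Host ("{0,-38} {1,-70} {2}" -f $a.Role, $a.Scope, $outcome)
}

# Verification: each role must be visible on its intended scope, directly or inherited.
$missing = foreach ($a in $Assignments) {
    $held = Get-AzRoleAssignment -SignInName $DeployUser -RoleDefinitionName $a.Role -Scope $a.Scope
    if (-not $held) { "$($a.Role) on $($a.Scope)" }
}
if ($missing) {
    Write-Warning "Missing: $($missing -join '; ')"
} else {
    Write-Host "All Azure RBAC roles for deployment are in place for $DeployUser."
}
```

New role assignments can take a short time to become visible, so rerun the verification part if it reports a role you just assigned as missing. Remove the Cloud Application Administrator directory role from the deployment user after the deployment completes, as the note above says.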

Next steps

After you register all the servers and assign the required permissions, you're ready to deploy using the Azure portal: