Plan and deploy Azure Arc-enabled servers

Deployment of an IT infrastructure service or business application is a challenge for any company. In order to execute it well and avoid any unwelcome surprises and unplanned costs, you need to thoroughly plan for it to ensure that you're as ready as possible. To plan for deploying Azure Arc-enabled servers at any scale, it should cover the design and deployment criteria that needs to be met in order to successfully complete the tasks.

For the deployment to proceed smoothly, your plan should establish a clear understanding of:

  • Roles and responsibilities.
  • Inventory of physical servers or virtual machines to verify they meet network and system requirements.
  • The skill set and training required to enable successful deployment and on-going management.
  • Acceptance criteria and how you track its success.
  • Tools or methods to be used to automate the deployments.
  • Identified risks and mitigation plans to avoid delays, disruptions, etc.
  • How to avoid disruption during deployment.
  • What's the escalation path when a significant issue occurs?

The purpose of this article is to ensure you are prepared for a successful deployment of Azure Arc-enabled servers across multiple production physical servers or virtual machines in your environment.

To learn more about our at-scale deployment recommendations, you can also refer to this video.


Consider the following basic requirements when planning your deployment:

  • Your machines must run a supported operating system for the Connected Machine agent.
  • Your machines must have connectivity from your on-premises network or other cloud environment to resources in Azure, either directly or through a proxy server.
  • To install and configure the Azure Connected Machine agent, you must have an account with elevated privileges (that is, an administrator or as root)on the machines.
  • To onboard machines, you must have the Azure Connected Machine Onboarding Azure built-in role.
  • To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator Azure built-in role.

For more details, see the prerequisites and network requirements for installing the Connected Machine agent.


Before deploying to all production machines, start by evaluating the deployment process before adopting it broadly in your environment. For a pilot, identify a representative sampling of machines that aren't critical to your companies ability to conduct business. You'll want to be sure to allow enough time to run the pilot and assess its impact: we recommend a minimum of 30 days.

Establish a formal plan describing the scope and details of the pilot. The following is a sample of what a plan should include to help get you started.

  • Objectives - Describes the business and technical drivers that led to the decision that a pilot is necessary.
  • Selection criteria - Specifies the criteria used to select which aspects of the solution will be demonstrated via a pilot.
  • Scope - Describes the scope of the pilot, which includes but not limited to solution components, anticipated schedule, duration of the pilot, and number of machines to target.
  • Success criteria and metrics - Define the pilot's success criteria and specific measures used to determine level of success.
  • Training plan - Describes the plan for training system engineers, administrators, etc. who are new to Azure and it services during the pilot.
  • Transition plan - Describes the strategy and criteria used to guide transition from pilot to production.
  • Rollback - Describes the procedures for rolling back a pilot to pre-deployment state.
  • Risks - List all identified risks for conducting the pilot and associated with production deployment.

Phase 1: Build a foundation

In this phase, system engineers or administrators enable the core features in their organization's Azure subscription to start the foundation before enabling machines for management by Azure Arc-enabled servers and other Azure services.

Task Detail Estimated duration
Create a resource group A dedicated resource group to include only Azure Arc-enabled servers and centralize management and monitoring of these resources. One hour
Apply Tags to help organize machines. Evaluate and develop an IT-aligned tagging strategy that can help reduce the complexity of managing your Azure Arc-enabled servers and simplify making management decisions. One day
Design and deploy Azure Monitor Logs Evaluate design and deployment considerations to determine if your organization should use an existing or implement another Log Analytics workspace to store collected log data from hybrid servers and machines.1 One day
Develop an Azure Policy governance plan Determine how you will implement governance of hybrid servers and machines at the subscription or resource group scope with Azure Policy. One day
Configure Role based access control (RBAC) Develop an access plan to control who has access to manage Azure Arc-enabled servers and ability to view their data from other Azure services and solutions. One day
Identify machines with Log Analytics agent already installed Run the following log query in Log Analytics to support conversion of existing Log Analytics agent deployments to extension-managed agent:
| summarize arg_max(TimeGenerated, OSType, ResourceId, ComputerEnvironment) by Computer
| where ComputerEnvironment == "Non-Azure" and isempty(ResourceId)
| project Computer, OSType
One hour

1 When evaluating your Log Analytics workspace design, consider integration with Azure Automation in support of its Update Management and Change Tracking and Inventory feature, as well as Microsoft Defender for Cloud and Microsoft Sentinel. If your organization already has an Automation account and enabled its management features linked with a Log Analytics workspace, evaluate whether you can centralize and streamline management operations, as well as minimize cost, by using those existing resources versus creating a duplicate account, workspace, etc.

Phase 2: Deploy Azure Arc-enabled servers

Next, we add to the foundation laid in Phase 1 by preparing for and deploying the Azure Connected Machine agent.

Task Detail Estimated duration
Download the pre-defined installation script Review and customize the pre-defined installation script for at-scale deployment of the Connected Machine agent to support your automated deployment requirements.

Sample at-scale onboarding resources:

  • At-scale onboarding VMware vSphere Windows Server VMs
  • At-scale onboarding VMware vSphere Linux VMs
  • At-scale onboarding AWS EC2 instances using Ansible
One or more days depending on requirements, organizational processes (for example, Change and Release Management), and automation method used.
Create service principal Create a service principal to connect machines non-interactively using Azure PowerShell or from the portal. One hour
Deploy the Connected Machine agent to your target servers and machines Use your automation tool to deploy the scripts to your servers and connect them to Azure. One or more days depending on your release plan and if following a phased rollout.

Phase 3: Manage and operate

Phase 3 is when administrators or system engineers can enable automation of manual tasks to manage and operate the Connected Machine agent and the machines during their lifecycle.

Task Detail Estimated duration
Create a Resource Health alert If a server stops sending heartbeats to Azure for longer than 15 minutes, it can mean that it is offline, the network connection has been blocked, or the agent is not running. Develop a plan for how you’ll respond and investigate these incidents and use Resource Health alerts to get notified when they start.

Specify the following when configuring the alert:
Resource type = Azure Arc-enabled servers
Current resource status = Unavailable
Previous resource status = Available
One hour
Create an Azure Advisor alert For the best experience and most recent security and bug fixes, we recommend keeping the Azure Connected Machine agent up to date. Out-of-date agents will be identified with an Azure Advisor alert.

Specify the following when configuring the alert:
Recommendation type = Upgrade to the latest version of the Azure Connected Machine agent
One hour
Assign Azure policies to your subscription or resource group scope Assign the Enable Azure Monitor for VMs policy (and others that meet your needs) to the subscription or resource group scope. Azure Policy allows you to assign policy definitions that install the required agents for VM insights across your environment. Varies
Enable Azure Update Manager for your Azure Arc-enabled servers. Configure Azure Update Manager on your Arc-enabled servers to manage system updates for your Windows and Linux virtual machines. You can choose to deploy updates on-demand or apply updates using custom schedule. 5 minutes

Next steps