This article explains how to set up the Azure Migrate appliance to discover physical servers and servers running in AWS, GCP, or any other cloud.
The Azure Migrate appliance is a lightweight tool that Azure Migrate: Discovery and assessment uses to:
- Discover on-premises servers.
- Send metadata and performance data of the discovered servers to Azure Migrate: Discovery and assessment.
Prerequisites
Before you set up the appliance, create an Azure Migrate project by following these steps.
Prepare Azure Migrate appliance
- Check the hardware requirements for the Azure Migrate appliance.
- Ensure the appliance VM can connect to all the required endpoints.
Prepare Windows server
To discover Windows servers and enable software inventory and agentless dependency analysis, use a domain account for domain-joined servers or a local account for servers that are not domain-joined.
You can create the local user account in one of two ways:
Option 1: Set up administrator account
To set up:
- Create an account with administrator rights on the servers.
- This account helps collect configuration and performance data using a CIM connection.
- It also supports software inventory (finding installed applications) and enables agentless dependency analysis through PowerShell remoting.
Option 2: Set up a least-privileged Windows user account
- Add the user account to these groups: Remote Management Users, Performance Monitor Users, and Performance Log Users.
- If the Remote Management Users group is not available, add the user to the WinRMRemoteWMIUsers_ group instead.
- The account needs these permissions so the appliance can create a CIM connection with the server and collect configuration and performance data from the required WMI classes.
- Sometimes, even after adding the account to the right groups, it may not return the needed data because of UAC filtering. To fix this, give the user account the right permissions on the CIMV2 namespace and its sub-namespaces on the target server. You can follow these steps to set the required permissions.
Note
- For Windows Server 2008 and 2008 R2, ensure that WMF 3.0 is installed on the servers.
- To discover SQL Server databases on Windows Servers, both Windows and SQL Server authentication are supported.
You can enter credentials for both types in the appliance configuration manager.
Azure Migrate needs a Windows user account that is part of the sysadmin server role.
Prepare Linux server
For discovering Linux servers, you can set up a least privileged sudo account by following these steps:
Set up Least privileged Linux user accounts
You need a sudo user account on the Linux servers you want to discover.
This account helps collect configuration and performance data, perform software inventory (find installed applications), and enable agentless dependency analysis using SSH.
Ensure that you enable NOPASSWD for the account so it can run the required commands without asking for a password each time it uses sudo.
Modify the sudoers file to disable terminal (requiretty) for the user account.
For example, you can add an entry like this in the /etc/sudoers file.
AzMigrateLeastprivuser ALL=(ALL) NOPASSWD: /usr/sbin/dmidecode, /usr/sbin/fdisk -l, /usr/sbin/fdisk -l *, /usr/bin/ls -l /proc/*/exe, /usr/bin/netstat -atnp, /usr/sbin/lvdisplay ""
Defaults:AzMigrateLeastprivuser !requiretty
- If any of the packages mentioned aren't available in the target Linux distributions, use the following fallback commands:
- If /usr/sbin/dmidecode -s system-uuid is not available, add permissions to /usr/bin/cat /sys/class/dmi/id/product_uuid.
- If /usr/sbin/dmidecode -t 1 isn't available, add permissions to /usr/sbin/lshw ""
- If /usr/sbin/dmidecode system-manufacturer isn't available, add permissions to /usr/bin/cat /sys/devices/virtual/dmi/id/sys_vendor
- If /usr/bin/netstat isn't available, add permissions to /usr/sbin/ss -atnp
- The list of commands run on the target servers and the information they collect. Learn more.
- Below is the list of supported Linux operating system distributions.
Operating system | Versions |
---|---|
Red Hat Enterprise Linux | 5.1, 5.3, 5.11, 6.x, 7.x, 8.x, 9.x, 9.5 |
Ubuntu | 524.04, 22.04, 12.04, 14.04, 16.04, 18.04, 20.04, 22.04 |
Oracle Linux | 6.1, 6.7, 6.8, 6.9, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8, 8.1, 8.3, 8.5 |
SUSE Linux | 10, 11 SP4, 12 SP1, 12 SP2, 12 SP3, 12 SP4, 15 SP2, 15 SP3 |
Debian | 7, 8, 9, 10, 11 |
Amazon Linux | 2.0.2021 |
CoreOS Container | 2345.3.0 |
Alma Linux | 8.x, 9.x |
Rocky Linux | 8.x, 9.x |
Note
- We recommend setting up the least privileged sudo accounts. Any account, such as root, that has the superset of the mentioned permissions can also be used for Linux discovery.
- We recommend following the above steps to set up non-root accounts. Using setcap to set up capabilities is no longer advised.
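The sudoers entry and fallback commands above can be generated per host and syntax-checked before they go live. This is an added example, not part of the Azure Migrate tooling; the function names, the ROOT test prefix, and the use of an /etc/sudoers.d drop-in (rather than editing /etc/sudoers directly) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Azure Migrate tooling.
# build_sudoers_entry USER [ROOT]
#   Prints the page's sudoers entry for USER and appends the page's fallback
#   commands for tools missing on this host. ROOT (hypothetical, for testing)
#   is a directory prefix to probe instead of /.
build_sudoers_entry() {
    user=$1
    root=${2:-}
    # The name is reused as a file name below, so allow only safe characters.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name: $user" >&2; return 2 ;;
    esac
    cmds='/usr/sbin/dmidecode, /usr/sbin/fdisk -l, /usr/sbin/fdisk -l *'
    cmds="$cmds, /usr/bin/ls -l /proc/*/exe, /usr/bin/netstat -atnp"
    # In sudoers, "" means the command may only run with no arguments.
    cmds="$cmds, /usr/sbin/lvdisplay \"\""
    if [ ! -x "$root/usr/sbin/dmidecode" ]; then
        # Fallbacks for the three dmidecode queries listed on the page.
        cmds="$cmds, /usr/bin/cat /sys/class/dmi/id/product_uuid"
        cmds="$cmds, /usr/sbin/lshw \"\""
        cmds="$cmds, /usr/bin/cat /sys/devices/virtual/dmi/id/sys_vendor"
    fi
    if [ ! -x "$root/usr/bin/netstat" ]; then
        cmds="$cmds, /usr/sbin/ss -atnp"
    fi
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$cmds"
    printf 'Defaults:%s !requiretty\n' "$user"
}

# install_sudoers_entry USER (run as root)
#   Assumes the distribution includes /etc/sudoers.d from /etc/sudoers.
install_sudoers_entry() {
    tmp=$(mktemp) || return 1
    # visudo -c -f parses the candidate file and fails on a syntax error,
    # so a broken entry never becomes live and cannot disable sudo.
    if build_sudoers_entry "$1" > "$tmp" && visudo -c -f "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$1"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Run `build_sudoers_entry AzMigrateLeastprivuser` first to review the generated lines, then `install_sudoers_entry AzMigrateLeastprivuser` as root.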
Generate the project key
To generate the project key, follow the steps:
In Servers, databases, and web apps > Azure Migrate: Discovery and assessment, select Discover.
In Discover servers > Are your servers virtualized?, select Physical or other (AWS, GCP, Xen, etc.).
In Generate project key, enter a name for the Azure Migrate appliance you want to set up to discover physical or virtual servers. The name should be alphanumeric and 14 characters or fewer.
Select Generate key to start creating the required Azure resources. Keep the Discover servers page open while the resources are created.
After the resources are created successfully, a project key is generated.
Copy the key as you’ll need it to register the appliance during its setup.
Download the installer script
- In Download Azure Migrate appliance, select Download.
- Verify security: Before you install, check that the zipped file is safe. On the server where you downloaded the file, open a command window as an administrator.
- Run this command to generate the hash for the zipped file:
C:\>CertUtil -HashFile <file_location> [Hashing Algorithm]
- For example:
C:\>CertUtil -HashFile C:\Users\administrator\Desktop\AzureMigrateInstaller.zip SHA256
- Verify the latest appliance version and hash value to ensure that they match.
Download | Hash value |
---|---|
Latest version | c88e90691ebf87166243dafb2d3a18dd34066b4624595ee3f9b4fbe6885e81da |
Note
You can use the same script to set up the physical appliance for both Azure Public and Azure Government cloud.
Run the Azure Migrate installer script
To run the installer script:
Extract the zipped file to a folder on the server where you want to install the appliance. Ensure that you don’t run the script on a server that already has an Azure Migrate appliance.
Open PowerShell on that server with administrator (elevated) rights.
Go to the folder where you extracted the files from the zipped download. Run the script named AzureMigrateInstaller.ps1 using this command:
PS C:\Users\administrator\Desktop\AzureMigrateInstaller> .\AzureMigrateInstaller.ps1
Select from the scenario, cloud, and connectivity options to deploy an appliance with the desired configuration. For instance, the selection shown below sets up an appliance to discover and assess physical servers (or servers running on other clouds like AWS, GCP, Xen, etc.) to an Azure Migrate project with default (public endpoint) connectivity on Azure public cloud.
The installer script does the following:
- Installs agents and a web application.
- Installs Windows roles like Windows Activation Service, IIS, and PowerShell ISE.
- Downloads and installs an IIS rewritable module.
- Updates a registry key (HKLM) with Azure Migrate settings.
- Creates these files under the path:
  - Config Files: %Programdata%\Microsoft Azure\Config
  - Log Files: %Programdata%\Microsoft Azure\Logs
After the script runs successfully, it automatically launches the appliance configuration manager.
Note
If you face any issues, you can find the script logs at C:\ProgramData\Microsoft Azure\Logs\AzureMigrateScenarioInstaller_Timestamp.log to troubleshoot.
Verify appliance access to Azure
Ensure that the appliance connects to Azure URLs for public and government clouds.
Configure the Appliance
Set up the appliance for the first time:
Open a browser on any machine that connects to the appliance. Go to the appliance web app URL: https://[appliance name or IP address]:44368. Or open the app from the desktop by selecting the shortcut.
Accept the license terms and read the partner information.
Set up prerequisites and register the appliance
In the configuration manager, select Set up prerequisites, and then follow these steps:
Connectivity: The appliance checks if the server has internet access. If the server uses a proxy:
- Select Setup proxy and enter the proxy address (http://ProxyIPAddress or http://ProxyFQDN, where FQDN means fully qualified domain name) and the listening port.
- Enter credentials if the proxy needs authentication.
- If you add or change proxy settings or disable the proxy or authentication, select Save to apply the changes and check connectivity again.
Note
Only HTTP proxy is supported.
Time sync: Check that the appliance time matches internet time. This is needed for discovery to work properly.
Install updates and register appliance: Follow the steps to run auto-update and register the appliance.
To enable automatic updates on the appliance, paste the project key you copied from the portal.
If you don't have the key, go to Azure Migrate: Discovery and assessment > Overview > Manage existing appliances.
Select the appliance name you used when you created the project key, then copy the key shown there.
The appliance verifies the key and starts the auto-update service. This service updates all appliance components to their latest versions. After the update finishes, you can select View appliance services to see the status and versions of the services running on the appliance server.
To register the appliance, select Login. In Continue with Azure Login select Copy code & Login to copy the device code. You need this code to sign in to Azure. The browser opens a new tab with the Azure sign-in prompt. Make sure you turn off the pop-up blocker to see the prompt.
In a new browser tab, paste the device code and sign in using your Azure username and password. You cannot sign in with a PIN.
Note
If you close the sign-in tab accidentally without logging in, refresh the browser tab of the appliance configuration manager. It shows the device code and the Copy code & Login button again.
- After you sign in successfully, return to the browser tab that displays the appliance configuration manager.
- If the Azure account you used has the right permissions for the Azure resources created during key generation, the appliance starts registration.
- When the appliance registers successfully, select View details to see the registration information.
- You can run the prerequisites again anytime during the appliance setup to check if it meets all the requirements.
Add credentials
Now, connect the appliance to the physical servers and start discovery:
In Provide credentials for discovery of Windows and Linux physical or virtual servers, select Add credentials.
For a Windows server:
- Select the source type as Windows Server.
- Enter a friendly name for the credentials.
- Add the username and password.
- Select Save.
If you use password-based authentication for a Linux server, select the source type as Linux Server (Password-based).
- Enter a friendly name for the credentials.
- Add the username and password, and then select Save.
If you use SSH key-based authentication for a Linux server:
- Select the source type as Linux Server (SSH key-based).
- Enter a friendly name for the credentials.
- Add the username.
- Browse and select the SSH private key file.
- Select Save.
Note
- Azure Migrate supports SSH private keys created using the ssh-keygen command with RSA, DSA, ECDSA, and ed25519 algorithms.
- It does not support SSH keys with a passphrase. Use a key without a passphrase.
- It does not support SSH private key files created by PuTTY.
- It supports SSH private key files in OpenSSH format.
To add multiple credentials at once, select Add more to save and enter more credentials. The appliance supports multiple credentials for physical server discovery.
Note
By default, the appliance uses the credentials to collect data about installed applications, roles, and features. It also collects dependency data from Windows and Linux servers, unless you turn off the slider to skip these actions in the last step.
Add server details
Provide physical or virtual server details.
Select Add discovery source to enter the server IP address or FQDN and the friendly name for the credentials used to connect to the server.
- The appliance uses WinRM port 5986 (HTTPS) by default to communicate with Windows servers, and port 22 (TCP) for Linux servers.
- If the target Hyper-V servers do not have HTTPS prerequisites set up, the appliance switches to WinRM port 5985 (HTTP).
- To use HTTPS communication without fallback, turn on the HTTPS protocol toggle in Appliance Config Manager.
- After you turn on the checkbox, ensure that the prerequisites are configured on the target servers. If the servers do not have certificates, discovery fails on both current and newly added servers.
- WinRM HTTPS needs a local computer Server Authentication certificate. The certificate must have a CN that matches the hostname. It must not be expired, revoked, or self-signed. Learn more.
You can Add single item at a time or Add multiple items together. You can also provide server details through Import a CSV file.
- If you choose Add single item, select the OS type.
- Enter a friendly name for the credentials, add the server IP address or FQDN.
- Select Save.
- If you choose Add multiple items, enter multiple records at once by specifying the server IP address or FQDN.
- Enter the friendly name for the credentials in the text box.
- Verify the records and then select Save.
- If you choose Import CSV (this is selected by default), download the CSV template file.
- Fill it with the server IP address or FQDN.
- Enter the friendly name for the credentials. Then import the file into the appliance.
- Verify the records, and then select Save.
When you select Save, the appliance validates the connection to the added servers and shows the Validation status in the table next to each server.
- If validation fails for a server, you can review the error by selecting Validation failed in the Status column. Fix the issue and validate again.
- To remove a server, select Delete.
You can revalidate the connectivity to servers any time before you start the discovery.
Before you start discovery, you can turn off the slider to skip software inventory and agentless dependency analysis on the added servers. You can change this option at any time.
To discover SQL Server instances and databases, you add extra credentials (Windows domain, non-domain, or SQL authentication). The appliance then tries to automatically map these credentials to the SQL servers. If you add domain credentials, the appliance authenticates them with the domain’s Active Directory to prevent user account lockouts. To check if the domain credentials are valid, follow these steps:
- In the configuration manager credentials table, you see the Validation status for domain credentials. Only domain credentials are validated.
- If you use domain accounts, the username must be in Down-Level format (domain\username). The UPN format (username@domain.com) isn't supported.
- If validation fails, you can select the Failed status to view the error. Fix the issue, and then select Revalidate credentials to try again.
Start discovery
Select Start discovery to begin discovering the validated servers. After discovery starts, you can check each server’s discovery status in the table.
How discovery works
- It takes about 2 minutes to discover 100 servers and show their metadata in the Azure portal.
- Software inventory (installed applications discovery) starts automatically after the server discovery finishes.
- The time to discover installed applications depends on the number of servers. For 500 servers, it takes about one hour for the inventory to appear in the Azure Migrate project in the portal.
- The server credentials are checked and validated for agentless dependency analysis during software inventory. After server discovery finishes, you can enable agentless dependency analysis in the portal. You can select only the servers that pass validation.
Verify servers in the portal
After discovery finishes, you can verify that the servers appear in the portal.
- Open the Azure Migrate dashboard.
- In Servers, databases and web apps > Azure Migrate: Discovery and assessment page, select the icon that displays the count for discovered servers.
View License support status
You get deeper insights into your environment’s support posture from the Discovered servers and Discovered database instances sections.
The Operating system license support status column shows whether the operating system is in mainstream support, extended support, or out of support. When you select the support status, a pane opens on the right and gives clear guidance on what actions you can take to secure servers and databases that are in extended support or out of support.
To view the remaining duration until end of support, select Columns > Support ends in > Submit. The Support ends in column then shows the remaining duration in months.
The Database instances section displays the number of instances that Azure Migrate discovers. Select the number to view the database instance details. The Database instance license support status shows the support status of each instance. When you select the support status, a pane opens on the right and provides clear guidance on actions you can take to secure servers and databases that are in extended support or out of support.
To see how many months are left until the end of support, select Columns > Support ends in > Submit. The Support ends in column then shows the remaining duration in months.
Delete servers
After discovery starts, you can delete any added server from the appliance configuration manager by searching for the server name in the Add discovery source table and selecting Delete.
Note
If you delete a server after discovery starts, it stops the ongoing discovery and assessment. This action might affect the confidence rating of the assessment that includes the server. Learn more.
Next steps
Try assessment of physical servers with Azure Migrate: Discovery and assessment.