Welcome back to our Azure Arc series! In Part 1, we introduced you to the transformative capabilities of Azure Arc and walked through onboarding a Windows virtual machine using a PowerShell script. In Part 2, we’ll dive deeper into deploying Azure Arc using service principals to enhance security and automation. We’ll explore various methods including automation scripts, managed installations with SCCM and GPO, all leveraging service principals where possible.
By integrating service principals into your deployment process, you ensure secure, scalable, and efficient management of your hybrid environment.
Azure Arc Deployment Strategies with Service Principals
Deploying Azure Arc-enabled servers efficiently is crucial for organisations managing resources across diverse environments. Using service principals allows us to automate deployments securely without relying on user credentials. Let’s explore different deployment methods:
- Automated Deployment Using Scripts with Service Principals
- Managed Installations with SCCM Using Service Principals
- Managed Installations with GPO Using Service Principals
- Manual Installation (Interactive Login)
1. Automated Deployment Using Scripts with Service Principals
Automation ensures consistency and efficiency, especially when onboarding multiple servers.
Using PowerShell Scripts with Service Principals
Why Use Service Principals?
- Secure Automation: Avoid embedding personal credentials in scripts.
- Least Privilege Access: Assign only necessary permissions to the service principal.
- Scalability: Automate onboarding across numerous servers securely.
Prerequisites:
- An Azure Active Directory (AD) Service Principal with the required permissions.
- Azure Connected Machine Agent installer accessible on target servers.
- Azure PowerShell module installed on target servers.
Step-by-Step Guide:
1. Create a Service Principal
First, create a service principal in Azure AD that will authenticate the connection.
Using Azure PowerShell
|
|
2. Securely Store Service Principal Credentials
Store the service principal credentials securely:
- Azure Key Vault: Store credentials and retrieve them during deployment.
- Secure Files: Use encrypted files or secure password management solutions.
- Environment Variables: Set credentials as environment variables on target machines.
3. Modify the PowerShell Script to Use the Service Principal
|
|
Note: Ensure that you retrieve the service principal secret ($spSecret) securely and avoid hardcoding sensitive information in scripts.
4. Execute the Script
Run the script on each server that you wish to onboard.
- Use remote execution tools like PowerShell Remoting, SSH, or Desired State Configuration (DSC).
- Ensure the script has the necessary execution permissions.
5. Verify the Connection
In the Azure Portal:
- Navigate to Azure Arc > Servers.
- Confirm that your servers appear and have a status of Connected.
2. Managed Installations with SCCM Using Service Principals
Leverage System Center Configuration Manager (SCCM) to deploy the Azure Connected Machine Agent and connect using service principals.
Prerequisites:
- SCCM environment with client agents installed on target machines.
- Access to the Azure Connected Machine Agent MSI.
- Service principal created and credentials securely stored.
1. Prepare the Agent Installer
- Download the AzureConnectedMachineAgent.msi and place it in a network share accessible by SCCM.
2. Create an Application in SCCM
- In the SCCM Console, navigate to Software Library > Application Management > Applications.
- Right-click Applications and select Create Application.
- Choose Windows Installer (*.msi file) and browse to the agent MSI.
- Proceed through the wizard to create the application.
3. Configure Deployment Types
-
In the deployment type properties, set the installation command:
1msiexec /i "AzureConnectedMachineAgent.msi" /qn -
Add a dependency for a script or program that will run the connection command using the service principal.
4. Create a Package for the Connection Script
-
Create a script that connects the agent using the service principal.
Example Connection Script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17# Retrieve credentials securely $tenantId = "<Tenant ID>" $subscriptionId = "<Subscription ID>" $resourceGroup = "<Resource Group>" $location = "<Azure Region>" $appId = "<Service Principal App ID>" $spSecret = "<Service Principal Secret>" # Connect the machine & "C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe" connect ` --resource-group $resourceGroup ` --subscription-id $subscriptionId ` --tenant-id $tenantId ` --location $location ` --service-principal-id $appId ` --service-principal-secret $spSecret ` --no-gui -
Create a new package in SCCM for this script.
-
Configure the program to run the script silently.
5. Deploy the Application and Package
- Deploy the agent application and connection script package to the target device collections.
- Ensure that the connection script runs after the agent installation.
6. Monitor Deployment
- Check the SCCM reports to ensure successful deployment.
- Verify that the servers appear in Azure Arc.
3. Managed Installations with GPO Using Service Principals
Use Group Policy Objects (GPO) to install the agent and connect using service principals for domain-joined machines.
Prerequisites:
- Active Directory environment.
- Machines must be domain-joined.
- Service principal created and credentials securely stored.
1. Prepare the MSI Package
- Place the AzureConnectedMachineAgent.msi in a shared folder accessible by target machines (e.g.,
\\\\YourServer\\Share\\AzureConnectedMachineAgent.msi).
2. Create a GPO for Software Deployment
- Open Group Policy Management Console (GPMC).
- Create a new GPO or edit an existing one applied to the target OUs.
- Navigate to Computer Configuration > Policies > Software Settings > Software Installation.
- Right-click and select New > Package.
- Browse to the network share and select the MSI.
- Choose Assigned as the deployment method.
3. Add a Startup Script for Connection
-
In the same GPO, go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
-
Add a Startup script to connect the agent using the service principal.
Startup Script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20# Path to the script \\\\YourServer\\Share\\Connect-AzureArc.ps1 # Contents of Connect-AzureArc.ps1 $tenantId = "<Tenant ID>" $subscriptionId = "<Subscription ID>" $resourceGroup = "<Resource Group>" $location = "<Azure Region>" $appId = "<Service Principal App ID>" $spSecret = "<Service Principal Secret>" # Connect the machine & "C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe" connect ` --resource-group $resourceGroup ` --subscription-id $subscriptionId ` --tenant-id $tenantId ` --location $location ` --service-principal-id $appId ` --service-principal-secret $spSecret ` --no-gui -
Ensure that the script has the appropriate permissions and is accessible.
4. Link the GPO
- Link the GPO to the organisational Units (OUs) containing the target computers.
5. Restart Target Machines
- The installation and connection will occur at startup. Reboot the target machines to apply the policy.
6. Verify Deployment
- Confirm that the agent is installed and connected by checking Azure Arc in the Azure Portal.
4. Manual Installation (Interactive Login)
For testing or small environments, you may opt for manual installation using interactive login.
-
Download and Install the Agent
1 2Invoke-WebRequest -Uri "<https://aka.ms/AzureConnectedMachineAgent>" -OutFile "AzureConnectedMachineAgent.msi" Start-Process msiexec.exe -Wait -ArgumentList '/I AzureConnectedMachineAgent.msi' -
Connect the Machine
-
Run the following command and follow the interactive prompts to log in:
1& "C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe" connect -
Provide the necessary details like resource group, subscription, and region during the prompts.
-
-
Verify Connection
-
Check the connection status:
1& "C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe" show
-
-
Verify in Azure Portal
- Navigate to Azure Arc > Servers to ensure the server is connected.
Conclusion
By integrating service principals into your Azure Arc deployment strategies, you enhance security, enable scalable automation, and adhere to best practices for credential management. Whether you’re using automation scripts, SCCM, or GPO, leveraging service principals allows you to deploy Azure Arc-enabled servers efficiently and securely.
Key Takeaways:
- Security First: Service principals prevent the need to use personal credentials in automation scripts.
- Scalable Automation: Automate deployments across numerous servers without manual intervention.
- Flexible Deployment Options: Choose the method that aligns with your organisation’s infrastructure and policies.
Learn More
Enhance your understanding with these Microsoft Learn resources: