You can onboard Active Directory–joined Windows machines to Azure Arc-enabled servers at scale using Group Policy.
First, you set up a remote share that hosts the Connected Machine agent, and then modify a script specifying the Arc-enabled server's landing zone within Azure. Next, you run a script that generates a Group Policy Object (GPO) to onboard a group of machines to Azure Arc-enabled servers. This Group Policy Object can be applied at the site, domain, or organizational level. The assignment can also use Access Control List (ACL) and other security filtering native to Group Policy. All machines in the scope of the Group Policy will be onboarded to Azure Arc-enabled servers, so scope your GPO to only include those machines that you want to onboard to Azure Arc.
Before you get started, ensure your environment meets the Connected Machine Agent prerequisites and the networking requirements for deploying Azure Arc-enabled servers. For information about supported regions and other related considerations, see supported Azure regions. To understand more about design and deployment criteria, review our at-scale planning guide.
If you don't have an Azure subscription, create a free account before you begin.
Automatic connection for SQL Server
When you connect a Windows or Linux server to Azure Arc that also has Microsoft SQL Server installed, the SQL Server instances are automatically connected to Azure Arc as well. SQL Server enabled by Azure Arc provides a detailed inventory and additional management capabilities for your SQL Server instances and databases. As part of the connection process, an extension is deployed to your Azure Arc-enabled server, and new roles are applied to your SQL Server and databases. If you don't want to automatically connect your SQL Servers to Azure Arc, you can opt out by adding a tag to the Windows or Linux server with the name `ArcSQLServerExtensionDeployment` and value `Disabled` when connecting it to Azure Arc.
For more information, see Manage automatic connection for SQL Server enabled by Azure Arc.
Prepare a remote share and create a service principal
The Group Policy Object, which is used to onboard Azure Arc-enabled servers, requires a remote share with the Connected Machine agent.
Prepare a remote share to host the Azure Connected Machine agent package for Windows and the configuration file. You need to be able to add files to this remote share. The network share must be accessible by domain controllers and the domain machines. Domain computers should have Change permissions, and domain admins should have Full Control permissions.
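The following PowerShell is an added example, not part of the Azure Arc documentation or the ArcEnabledServersGroupPolicy project. It creates the remote share with the permission split the paragraph above describes (Domain Computers with Change, Domain Admins with Full Control) and deliberately omits the default "Everyone" grant, since every machine in scope will execute whatever installer is placed here. The domain name `CONTOSO`, the local path `C:\AzureArcOnBoard` and the read grant for the Domain Controllers group are assumptions; run it as a domain admin on the file server.

```powershell
# Added example (not from the Azure Arc docs): create the share that hosts the
# Connected Machine agent installer with the permissions the page calls for.
# Assumptions: NetBIOS domain CONTOSO, local path C:\AzureArcOnBoard,
# share name AzureArcOnBoard (the name used in the page's DeployGPO.ps1 example).

$ShareName = 'AzureArcOnBoard'
$SharePath = 'C:\AzureArcOnBoard'
$Domain    = 'CONTOSO'   # assumption: NetBIOS name of the AD domain

# 1. Create the folder that backs the share.
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# 2. NTFS permissions: Domain Admins get Full Control, Domain Computers get Modify
#    (the "Change" level), domain controllers get read (their machine accounts are in
#    "Domain Controllers", not "Domain Computers"). Inheritance from C:\ is cut so
#    no broader ACE (for example BUILTIN\Users) leaks onto the installer.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\Domain Admins",      'FullControl',    $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\Domain Computers",   'Modify',         $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\Domain Controllers", 'ReadAndExecute', $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM',        'FullControl',    $inherit, 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $SharePath -AclObject $acl

# 3. Share-level permissions mirror the NTFS ones; "Everyone" is intentionally absent.
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess   "$Domain\Domain Admins" `
    -ChangeAccess "$Domain\Domain Computers" `
    -ReadAccess   "$Domain\Domain Controllers" | Out-Null

# 4. Print the effective share ACL so it can be reviewed before the agent MSI is copied in.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

The effective permission on an SMB share is the more restrictive of the share ACL and the NTFS ACL, which is why both are set to the same split: a member server can then copy the agent package and write its onboarding status, but cannot replace the installer that every other machine in the OU will run.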
Follow the steps to create a service principal for onboarding at scale.
- Assign the Azure Connected Machine Onboarding role to your service principal. Limit the scope of the role to the target Azure landing zone.
- Make a note of the Service Principal Secret; you'll need this value later.
Download and unzip the folder ArcEnabledServersGroupPolicy_vX.X.X from https://github.com/Azure/ArcEnabledServersGroupPolicy/releases/latest/. This folder contains the ArcGPO project structure with the scripts `EnableAzureArc.ps1`, `DeployGPO.ps1`, and `AzureArcDeployment.psm1`. These assets are used for onboarding the machine to Azure Arc-enabled servers.
Download the latest version of the Azure Connected Machine agent Windows Installer package from the Microsoft Download Center and save it to the remote share.
Execute the deployment script
Execute the deployment script `DeployGPO.ps1` on the domain controller, modifying the run parameters for DomainFQDN, ReportServerFQDN, ArcRemoteShare, Service Principal secret, Service Principal Client ID, Subscription ID, Resource Group, Region, Tenant, and AgentProxy (if applicable). Details about these values can be found in the script comments.
For example, the following command deploys the GPO to the contoso.com domain and copies the onboarding script `EnableAzureArc.ps1` to the remote share AzureArcOnBoard on the Server.contoso.com server:
```powershell
.\DeployGPO.ps1 -DomainFQDN contoso.com -ReportServerFQDN Server.contoso.com -ArcRemoteShare AzureArcOnBoard -ServicePrincipalSecret $ServicePrincipalSecret -ServicePrincipalClientId $ServicePrincipalClientId -SubscriptionId $SubscriptionId -ResourceGroup $ResourceGroup -Location $Location -TenantId $TenantId [-AgentProxy $AgentProxy]
```
Apply the Group Policy Object
On the Group Policy Management Console (GPMC), right-click on the desired Organizational Unit (OU) and link the GPO named [MSFT] Azure Arc Servers (datetime). This GPO has a scheduled task to onboard the machines. Within 20 minutes, the GPO is replicated to the respective domain controllers. For more information about creating and managing group policy in Microsoft Entra Domain Services, see Administer Group Policy in a Microsoft Entra Domain Services managed domain.
Verify successful onboarding
After you install and configure the agent, verify that the servers in your OU were successfully connected to Azure Arc. You can do so by ensuring that they appear in the Azure portal under Azure Arc - Machines.
Important
After confirming that your servers have successfully onboarded to Azure Arc, disable the Group Policy Object. Doing so prevents the PowerShell commands in the scheduled task from executing again when the system reboots or when the group policy is updated.
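The following PowerShell is an added example, not part of the Azure Arc documentation or the ArcEnabledServersGroupPolicy project. It automates the two steps above: it compares the computer objects in the onboarding OU against the Arc-enabled machines in the target resource group, reports anything that is not yet in the Connected state, and only when nothing is missing disables (rather than deletes) the link for the GPO that DeployGPO.ps1 created. It assumes the ActiveDirectory, GroupPolicy and Az.ConnectedMachine modules are installed, that Connect-AzAccount has already been run, and that the OU distinguished name and resource group name are replaced with your own values.

```powershell
# Added example (not from the Azure Arc docs): verify onboarding of an OU, then disable
# the GPO link so the scheduled task does not re-run on reboot or policy refresh.
# Requires: ActiveDirectory, GroupPolicy, Az.ConnectedMachine modules; a signed-in Az session.

$OuDn          = 'OU=ArcServers,DC=contoso,DC=com'   # assumption: the OU the GPO is linked to
$ResourceGroup = 'rg-arc-servers'                      # assumption: the Arc landing-zone resource group
$GpoPrefix     = '[MSFT] Azure Arc Servers'            # DeployGPO.ps1 appends a datetime to this name

# 1. Computer accounts the GPO is scoped to.
$ouComputers = Get-ADComputer -SearchBase $OuDn -Filter * |
    Select-Object -ExpandProperty Name

# 2. Arc resources in the landing zone. The agent registers the machine under its hostname,
#    so names are compared directly (-contains is case-insensitive in PowerShell).
$arcMachines  = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup
$connected    = $arcMachines | Where-Object Status -eq 'Connected' | ForEach-Object Name
$notConnected = $arcMachines | Where-Object Status -ne 'Connected'

# 3. Anything in the OU without a Connected Arc resource still needs attention.
$missing = $ouComputers | Where-Object { $connected -notcontains $_ }

if ($missing) {
    Write-Warning ('Not yet onboarded: ' + ($missing -join ', '))
    if ($notConnected) {
        Write-Warning 'Arc resources that exist but are not in the Connected state:'
        $notConnected | Format-Table Name, Status, AgentVersion -AutoSize
    }
    return   # leave the GPO link enabled until every machine has reported in
}
Write-Host "All $($ouComputers.Count) computers in $OuDn are connected to Azure Arc."

# 4. Disable the GPO link. The name is matched with StartsWith rather than -like because
#    '[' opens a wildcard character class in -like patterns and would never match "[MSFT]".
$gpos = Get-GPO -All | Where-Object { $_.DisplayName.StartsWith($GpoPrefix) }
foreach ($gpo in $gpos) {
    Set-GPLink -Name $gpo.DisplayName -Target $OuDn -LinkEnabled No
    Write-Host "Disabled link for '$($gpo.DisplayName)' on $OuDn"
}
```

Disabling the link, as the note above requires, keeps the GPO and its scheduled task available for the next onboarding wave; the Arc resource in the portal is the authoritative signal that the agent connected, so the script treats a machine as done only when its resource reports Status of Connected, not merely when the computer object exists in the OU.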
Next steps
- Review the Planning and deployment guide to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.
- Review connection troubleshooting information in the Troubleshoot Connected Machine agent guide.
- Learn how to manage your machine using Azure Policy for such things as Azure Machine configuration, verifying that the machine is reporting to the expected Log Analytics workspace, enabling monitoring with VM insights, and much more.
- Learn more about Group Policy.