
Monitor mode: Azure’s monitoring capabilities delivered securely to Azure Arc-enabled servers


Monitor mode offers a simple and scalable way for customers to configure the Connected Machine agent for monitoring and security scenarios across hybrid, multicloud, and edge environments. 

 


 

Security controls provide flexibility and customization in locking down the Connected Machine agent.

 

While Azure Arc-enabled servers affords a robust range of capabilities delivered through extensions and Machine Configuration, some of these capabilities may not be appropriate for sensitive servers like Active Directory domain controllers or servers handling sensitive payment data. Available from Connected Machine agent 1.16 and above, security controls give users the flexibility to lock down the Connected Machine agent’s capabilities. For example, if you want to avoid usage of Custom Script Extension on Azure Arc-enabled servers, security controls can be used to define an allow list or a block list of extensions. Alternatively, if you want to avoid configuring server settings with Machine Configuration, the Guest Configuration service can be disabled with a security control. Security controls provide flexibility to lock down the Connected Machine agent on your terms.

 

Monitor mode groups together a set of predefined security controls, appropriate for using Azure Arc-enabled servers in restricted monitoring and security scenarios.

 

Modes are pre-defined configurations of security controls, extension allow lists and guest configuration, maintained by Microsoft. Available from Connected Machine agent 1.18 and above, Monitor mode groups together the appropriate security controls to limit Connected Machine agent capabilities to only monitoring and security scenarios. Monitor mode disables Machine Configuration capabilities and allows only a limited set of extensions for monitoring and security. Moreover, Monitor mode disables the configuration property for incoming connection ports, preventing capabilities like SSH Arc and Windows Admin Center (WAC), which can be used for remote management of Azure Arc-enabled servers. Note that as more monitoring and security extensions are made available, Microsoft will update the allow list and agent configuration. This list of extensions cannot be modified in Monitor mode. To define a custom list of allowed extensions, full mode with security controls must be used. With Monitor mode, Azure Arc-enabled servers will extend OS support to Windows 10 customers for their migration from legacy Log Analytics agents (both MMA on Windows and OMS on Linux) to Azure Monitor agent (AMA). Monitor mode provides a built-in offering with a streamlined approach to locking down the Connected Machine agent.
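The two lockdown routes described above (full mode with individual security controls, and Monitor mode) written as azcmagent config commands. This is an added example, not part of the original post; the function names and the AZCMAGENT override are assumptions of the example, and the blocked names are the Windows and Linux Custom Script Extension types.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root/Administrator on the
# Arc-enabled server. AZCMAGENT can be overridden for a dry run; that override
# and the function names below are this example's own.
AZCMAGENT="${AZCMAGENT:-azcmagent}"

# Windows and Linux type names for Custom Script Extension (Publisher/Type).
CSE_BLOCK="Microsoft.Compute/CustomScriptExtension,Microsoft.Azure.Extensions/CustomScript"

# Full mode with individual security controls (agent 1.16+):
# block Custom Script Extension and switch off Machine Configuration.
apply_custom_controls() {
    "$AZCMAGENT" config set extensions.blocklist "$CSE_BLOCK" &&
    "$AZCMAGENT" config set guestconfiguration.enabled false
}

# Monitor mode (agent 1.18+): Microsoft-maintained allow list, Machine
# Configuration off, incoming connections off. The list is not editable here.
apply_monitor_mode() {
    "$AZCMAGENT" config set config.mode monitor
}

# Pick a profile, stop on the first failing command, then show the resulting
# local configuration so it can be captured as audit evidence.
harden_arc_agent() {
    case "$1" in
        monitor) apply_monitor_mode ;;
        custom)  apply_custom_controls ;;
        *) echo "usage: harden_arc_agent monitor|custom" >&2; return 64 ;;
    esac || return 1
    "$AZCMAGENT" config list
}
```

Call harden_arc_agent monitor on servers that only need monitoring and security extensions, and harden_arc_agent custom where full mode must stay but Custom Script Extension and Machine Configuration should not run.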

 

A subset of the Connected Machine agent capabilities available in Full mode is available in Monitor mode.

 

| Capability | Full mode (Default) | Monitor mode |
| --- | --- | --- |
| Microsoft Defender for Cloud | Allowed | Allowed |
| Microsoft Sentinel | Allowed | Allowed |
| Azure Monitor agent | Allowed | |
| Log Analytics extension | Allowed | Allowed |
| VM Insights (Service Map) | Allowed | Allowed |
| Qualys | Allowed | Allowed |
| Custom Script Extension | Allowed | Not Allowed |
| Azure Automation Update Management (v1) | Allowed | Allowed |
| Update Management Center (v2) | Allowed | Not Allowed |
| Hybrid Runbook Worker | Allowed | Not Allowed |
| Change Tracking & Inventory Management | Allowed | Not Allowed |
| Key Vault | Allowed | Not Allowed |
| Machine Configuration (Guest Configuration) | Enabled | Disabled |
| Connectivity to Windows Admin Center and SSH Arc | Enabled | Disabled |

 

As customers continue to leverage Azure Arc-enabled servers for extending Azure’s observability services to their non-Azure infrastructure, Monitor mode empowers users with the control to meet the diverse security needs of their heterogeneous compute.

 
