Monitor mode: Azure’s monitoring capabilities delivered securely to Azure Arc-enabled servers
Monitor mode offers a simple and scalable way for customers to configure the Connected Machine agent for monitoring and security scenarios across hybrid, multicloud, and edge environments.
Security controls provide flexibility and customization in locking down the Connected Machine agent.
While Azure Arc-enabled servers affords a robust range of capabilities delivered through extensions and Machine Configuration, some of these capabilities may not be appropriate for sensitive servers like Active Directory Domain controllers or severs handling sensitive payment data. Available from Connected Machine agent 1.16 and above, security controls provide users the flexibility to lock down the Connected Machine agent’s capabilities. For example, if you want to avoid usage of Custom Script Extension on Azure Arc-enabled servers, security controls could be used to define an allow list of extensions or block list of extensions. Alternatively, if you want to avoid configuring server settings with Machine Configuration, the Guest Configuration service can be disabled with a security control. Security controls provide flexibility to lock down the Connected Machine agent on your terms.
Monitor mode groups together a set of predefined security controls, appropriate for using Azure Arc-enabled servers in restricted monitoring and security scenarios.
Modes are pre-defined configurations of security controls, extension allow lists and guest configuration, maintained by Microsoft. Available from Connected Machine agent 1.18 and above, Monitor mode groups together the appropriate security controls to limit Connected Machine Agent capabilities to only monitoring and security scenarios. Monitor mode has disabled Machine Configuration capabilities and allows only a limited set of extensions for monitoring and security. Moreover, Monitor mode disables the configuration property for incoming connection ports, preventing capabilities like SSH Arc and Windows Admin Center (WAC), which can be used for remote management of Azure Arc-enabled servers. Note, as more monitoring and security extensions are made available, Microsoft will update the allow list and agent configuration. This list of extensions cannot be modified from Monitor Mode. To define a custom list of allowed extensions, full mode with security controls must be used. With Monitor mode, Azure Arc-enabled servers will extend OS support to Windows 10 customers for their migration from legacy Log Analytics agents (both MMA on Windows and OMS on Linux) to Azure Monitor agent (AMA). Monitor mode provides a built-in offering a streamlined approach to locking down the Connected Machine agent.
A subset of Connected Machine agent capabilities (Full mode) are available in Monitor mode.
Capability |
Full mode (Default) |
Monitor mode |
Microsoft Defender for Cloud |
Allowed |
Allowed |
Microsoft Sentinel |
Allowed |
Allowed |
Azure Monitor agent |
Allowed |
|
Log Analytics extension |
Allowed |
Allowed |
VM Insights (Service Map) |
Allowed |
Allowed |
Qualys |
Allowed |
Allowed |
Custom Script Extension |
Allowed |
Not Allowed |
Azure Automation Update Management (v1) |
Allowed |
Allowed |
Update Management Center (v2) |
Allowed |
Not Allowed |
Hybrid Runbook Worker |
Allowed |
Not Allowed |
Change Tracking & Inventory Management |
Allowed |
Not Allowed |
Key Vault |
Allowed |
Not Allowed |
Machine Configuration (Guest Configuration) |
Enabled |
Disabled |
Connectivity to Windows Admin Center and SSH Arc |
Enabled |
Disabled |
As customers continue to leverage Azure Arc-enabled servers for extending their Azure’s observability services to their non-Azure infrastructure, Monitor mode empowers users with the control to meet the diverse security needs of their heterogeneous compute.
Published on:
Learn moreRelated posts
Final Days for the MSOnline and AzureAD PowerShell Modules
After many twists and turns since August 2021, the MSOnline module retirement will happen in April 2025. The AzureAD module will then retire i...
Join the Conversation: Call for Proposals for Azure Cosmos DB Conf 2025!
Are you passionate about Azure Cosmos DB? Do you have insights, experiences, or innovations that the developer community would love to hear? N...
High Performance Computing in Azure - with Mark Russinovich
See the latest innovations in silicon design from AMD with new system-on-a-chip high bandwidth memory breakthroughs with up to 7 terabytes of ...
Power Pages | Azure AD B2C | Confirm Email message on Profile
If you are unfamiliar with configuring Azure AD B2C as a Power Pages Identity Provider, refer to this post: Power Pages : Set up Azure AD B2C ...
Building a RAG-Based Smart Memory Application with Azure SQL Database
Project Mission The way people work and manage information is changing rapidly in our digital age. More and more people are struggling to keep...