Bulk Enablement of Windows Admin Center Extension on Azure Arc

Pratheep Sinnathurai
6 min read, Apr 12, 2024


Overview

In today’s world, our approach to accessing and managing data has evolved significantly. We have moved from VPN connections to accessing and synchronizing our data directly with the cloud provider of our choice. However, as always, we IT people still need a solution to manage our servers.

Traditionally, server management meant investing in RDP manager tools to access and administer servers securely. This approach usually involves significant license costs.

To address these issues and streamline server management, Microsoft introduced Windows Admin Center, a solution designed to simplify server administration tasks and improve operational efficiency.

In this blog post I will explain how you can manage your Azure Arc-enabled servers with Windows Admin Center and how you can enable the Windows Admin Center Extension automatically on all of your hybrid servers.

What is Windows Admin Center

Windows Admin Center is the next evolution of MMC and is web-based. We differentiate between the Windows Admin Center Gateway and the Windows Admin Center Extension. The Windows Admin Center Gateway can be hosted in your on-premises environment to securely manage your Windows Servers and even Windows clients.

The Windows Admin Center Extension is the Azure-side variant: it can be installed on Azure VMs and on Azure Arc-enabled servers for standalone management directly from the Azure Portal.

In this article we will focus on the Windows Admin Center Extension on Azure Arc-enabled servers. At the time this article was written, the Windows Admin Center Extension was still in preview. Please consider this before using it in a production environment.

After I have installed the Windows Admin Center Extension on my Azure Arc-enabled servers, I can securely manage the hybrid machine without needing a VPN, a public IP address, or any other inbound connectivity to the machine.

And the best of all? Using Azure Arc together with the Windows Admin Center Extension comes without any additional cost as of today. Since the extension is still in preview this could change, but let us hope for the best :-)

Sounds cool? Let us check how to implement Windows Admin Center in your environment.

Implementation of Windows Admin Center

First of all we need to register the resource provider Microsoft.HybridConnectivity on the subscription that contains our Azure Arc-enabled servers. For that we connect to our Azure environment with a user that has at least Contributor permission on the subscription.

Connect to your Azure subscription (interactive sign-in; requires the Az.Accounts module)

Connect-AzAccount

Set the scope to your subscription

$subscriptionName = "sub-si-corp-shared-02"
Set-AzContext -Subscription $subscriptionName

Register the resource provider “Microsoft.HybridConnectivity” (registration is asynchronous and can take a few minutes)

Register-AzResourceProvider -ProviderNamespace Microsoft.HybridConnectivity

Network Requirements

It is important to mention here that no inbound ports are required in order to use Windows Admin Center. Windows Admin Center, via the Arc agent, securely establishes a reverse proxy session with the Azure Arc service in an outbound direction only.

The hybrid machine must meet the following networking requirements:

  • Outbound internet access or an outbound port rule allowing HTTPS traffic to the following endpoints:
      • *service.waconazure.com or the WindowsAdminCenter service tag
      • pas.windows.net
      • *.servicebus.windows.net

The management machine where the Azure Portal is running must meet the following networking requirements:

  • Outbound internet access over port 443

Role Based Access Control

Another notable point: even if you have Owner permission on a specific subscription, you are not automatically allowed to use the Windows Admin Center Extension.

You need to have the “Windows Admin Center Administrator Login” permission.

Now you can either assign the permission directly to your user, or you can do it properly.

Using Conditional Access authentication context allows you to define exactly which requirements must be fulfilled (for example an MFA or device-compliance policy) before the needed access is granted.

As this would extend this blog article far too much, I am linking the Microsoft Docs article on the topic.

Read more about Conditional Access authentication context here: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings#on-activation-require-microsoft-entra-conditional-access-authentication-context

Azure Policy

As we like to automate, I have created an Azure Policy which enables the Windows Admin Center Extension on all of the resources you select.

As for any Azure Policy remediation, we first need to create a new managed identity.

  1. Go to the Azure Portal
  2. Search for Managed Identities
  3. Click Create
  4. Select the Resource Group
  5. Select the Region
  6. Select a Name
  7. Define the Tags as needed
  8. Click on Review + Create

As the next step we need to give the managed identity the permission “Windows Admin Center Administrator Login” on the resource group, subscription or management group in which your Azure Arc-enabled servers are located.

As the second-to-last step we need to create the Azure Policy for the remediation.

You can find the code in the Azure Community Policy repository:

https://github.com/Azure/Community-Policy/tree/main/policyDefinitions/Azure%20Arc/deploy-wac-extension-to-azure-arc-connected-machines

Let’s break down the Azure Policy step by step:

  • The policy is named “Configure Windows Arc-enabled machines to enable Windows Admin Center Extension.”
  • The policy has the following parameters:
      • Effect: determines whether to deploy the extension if it doesn’t exist or to keep the policy disabled.
      • Port: defines the port on which the Windows Admin Center Extension listens.
      • Proxy URL: specifies the URL of a proxy, if one is required. The proxy URL is not mandatory.
  • The policy applies to Azure Arc-enabled machines.
  • The effect of the policy is determined by the “Effect” parameter. It is either Disabled or DeployIfNotExists.
  • Deployment of the extension is defined using ARM (Azure Resource Manager) templates.
  • The deployment mode is incremental: if the resource already exists, it will not be deleted.
  • Whether the extension is deployed with or without proxy settings depends on whether a proxy URL is provided.
  • If no proxy URL is provided, the extension is deployed without proxy settings.
  • If a proxy URL is provided, the extension is deployed with proxy settings, specifying the proxy address and mode.

Now that we understand the Azure Policy, we need to import it.

  1. Go to the Azure Portal
  2. Go to Policy
  3. Go to Definitions
  4. Click on “+ Policy definition”
  5. Set the definition location
  6. Under Policy rule, paste the Azure Policy from the repository linked above
  7. Click Save

After the Azure Policy definition is added, you can assign the Azure Policy to the desired scope, using the managed identity created above.

As the final step we can now start the remediation of our Azure Policy, which installs the extension on all existing Azure Arc-enabled servers in scope.
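The same managed identity, role assignment, definition import, assignment and remediation steps can be scripted with Az PowerShell. The following is an added example and not code from the original post or from the Community-Policy repository; the resource group, identity and assignment names, the region and the local clone path are assumptions, as is the repository layout with an azurepolicy.json file in the policy folder. Instead of guessing which roles the remediation identity needs, it assigns exactly the roleDefinitionIds the policy definition itself declares, plus the Windows Admin Center Administrator Login role from above.

```powershell
# Added example (not from the original post or the Community-Policy repo).
# Requires Az.Accounts, Az.Resources, Az.ManagedServiceIdentity and Az.PolicyInsights,
# and an existing Connect-AzAccount / Set-AzContext session on the target subscription.
$scope     = "/subscriptions/$((Get-AzContext).Subscription.Id)"   # assignment scope
$rgName    = "rg-wac-policy"                                       # assumed, must exist
$location  = "westeurope"                                          # assumed
$policyDir = "C:\src\Community-Policy\policyDefinitions\Azure Arc\deploy-wac-extension-to-azure-arc-connected-machines"  # assumed local clone

# 1. Managed identity that Azure Policy uses for the DeployIfNotExists remediation
$mi = New-AzUserAssignedIdentity -ResourceGroupName $rgName -Name "id-wac-remediation" -Location $location
Start-Sleep -Seconds 30   # let the new service principal replicate before assigning roles

# 2. Least privilege: the role from the RBAC section, plus only the roles the
#    policy declares in then.details.roleDefinitionIds (assumed file name azurepolicy.json)
$def = Get-Content (Join-Path $policyDir "azurepolicy.json") -Raw | ConvertFrom-Json
New-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $scope `
    -RoleDefinitionName "Windows Admin Center Administrator Login" | Out-Null
foreach ($roleId in $def.properties.policyRule.then.details.roleDefinitionIds) {
    $guid = $roleId.Split('/')[-1]          # ".../roleDefinitions/<guid>" -> <guid>
    New-AzRoleAssignment -ObjectId $mi.PrincipalId -RoleDefinitionId $guid -Scope $scope | Out-Null
}

# 3. Import the definition; rule and parameters are passed as JSON strings
$policyDef = New-AzPolicyDefinition -Name "deploy-wac-extension-arc" `
    -DisplayName $def.properties.displayName `
    -Policy    ($def.properties.policyRule | ConvertTo-Json -Depth 100) `
    -Parameter ($def.properties.parameters | ConvertTo-Json -Depth 100)

# 4. Assign it with the user-assigned identity (DeployIfNotExists needs -Location).
#    Parameter defaults apply here; to set Port or the proxy URL, add -PolicyParameterObject
#    using the key names printed by: $def.properties.parameters.PSObject.Properties.Name
$assignmentName = "wac-ext-arc"
New-AzPolicyAssignment -Name $assignmentName -PolicyDefinition $policyDef -Scope $scope `
    -Location $location -IdentityType UserAssigned -IdentityId $mi.Id | Out-Null

# 5. Remediate machines that already exist (new Arc machines are handled on creation).
#    The assignment ID is built from the scope and name so it does not depend on the
#    object shape returned by the installed Az.Resources version.
Start-AzPolicyRemediation -Name "wac-ext-arc-initial" -Scope $scope `
    -PolicyAssignmentId "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName" `
    -ResourceDiscoveryMode ReExamineCompliance
```

Run it once per subscription; the remediation task can then be monitored with Get-AzPolicyRemediation or under Policy > Remediation in the portal.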

Troubleshooting

If you would like to check the proxy settings of your extension, you can inspect the following file on your Azure Arc-enabled server (the version folder changes with the installed extension version):

C:\Packages\Plugins\Microsoft.AdminCenter.AdminCenter\0.0.0.340\RuntimeSettings\0.Settings
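Before reading settings files machine by machine, it helps to know which Arc machines actually got the extension and in what state the remediation left it. The following is an added example and not code from the original post; it uses the Az.ConnectedMachine module and matches the extension by its publisher, Microsoft.AdminCenter, taken from the plugin path above. The function name is an assumption.

```powershell
# Added example (not from the original post). Requires Az.ConnectedMachine and an
# active Az context on the subscription that holds the Arc-enabled machines.
function Get-WacExtensionReport {
    # One row per Arc-enabled machine in the current subscription
    foreach ($m in Get-AzConnectedMachine) {
        $ext = Get-AzConnectedMachineExtension -ResourceGroupName $m.ResourceGroupName -MachineName $m.Name |
               Where-Object { $_.Publisher -eq 'Microsoft.AdminCenter' }   # publisher from the plugin path
        [pscustomobject]@{
            Machine           = $m.Name
            ResourceGroup     = $m.ResourceGroupName
            OS                = $m.OSName
            AgentStatus       = $m.Status           # Connected / Disconnected
            WacInstalled      = [bool]$ext
            ProvisioningState = if ($ext) { $ext.ProvisioningState } else { $null }
            ExtensionVersion  = if ($ext) { $ext.TypeHandlerVersion } else { $null }
        }
    }
}

# Show the machines that are still missing the extension or where provisioning failed,
# which is the list to compare against the policy's remediation task
Get-WacExtensionReport |
    Where-Object { -not $_.WacInstalled -or $_.ProvisioningState -ne 'Succeeded' } |
    Format-Table -AutoSize
```

Disconnected machines show up here as well: a DeployIfNotExists remediation cannot reach them until the Arc agent is back online.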

Learnings

In my lab environment I broke my Configuration Manager server when I installed the extension on it. The Windows Admin Center Extension overwrote some of the certificates which were needed by my Configuration Manager server. Therefore I don’t recommend installing the Windows Admin Center Extension on a server with IIS installed. (May 2024)

Conclusion

In conclusion, the Azure Policy outlined above automates the deployment of the Windows Admin Center Extension on Azure Arc-enabled servers and streamlines server management. By following the implementation steps, organizations can integrate Windows Admin Center efficiently and without any inbound connectivity to their servers.


Pratheep Sinnathurai

Senior Azure Engineer and Microsoft MVP in Azure Hybrid & Migration