Deploy Azure Arc
Implementation Effort: Medium
Security and IT teams must plan and execute onboarding of non-Azure machines using Azure Arc, including identity setup, agent installation, and policy configuration.
User Impact: Low
Deployment is handled by administrators; end users are not directly involved.
Overview
Azure Arc enables organizations to extend Azure management and security capabilities—including Microsoft Defender for Servers—to on-premises, AWS, and GCP machines. By connecting these machines as Azure Arc-enabled servers, Defender for Cloud can apply consistent threat protection, compliance policies, and monitoring across hybrid and multicloud environments.
Key Capabilities
- Enables Defender for Servers protection on non-Azure machines.
- Supports policy-based governance, guest configuration, and update management.
- Integrates with Azure Monitor, Microsoft Defender for Endpoint, and Log Analytics.
Prerequisites
- Azure subscription with Defender for Servers Plan 1 or Plan 2 enabled.
- Machines must run supported versions of Windows or Linux.
- Outbound internet access or proxy configuration for Azure Arc agent communication.
- Permissions to register the Azure Arc resource provider and assign roles.
How to Deploy Azure Arc
For a Single Machine
- Follow the Quickstart guide to connect a hybrid machine:
- Download and run the onboarding script provided in the Azure portal.
- Verify the machine appears in Azure Arc > Servers.
For Multiple Machines (At Scale)
- Use Azure Policy, PowerShell, or System Center Configuration Manager (SCCM) to deploy the Azure Arc agent.
- Automate onboarding using:
- Service Principal or Managed Identity
- Custom scripts or Azure Automation
- Reference the full deployment guide:
Post-Deployment
- Enable Defender for Servers on the Arc-enabled machines.
- Configure guest configuration, update management, and vulnerability scanning.
- Monitor compliance and threat alerts in Microsoft Defender for Cloud.
Failing to deploy Azure Arc for non-Azure machines limits visibility and protection across hybrid environments. This capability supports the "Assume Breach" and "Verify Explicitly" principles of Zero Trust by ensuring all workloads are onboarded and continuously monitored.