Enrolling Machines into Azure Arc via Service Principal

by Dan Farrall

Azure is my playground, but boy is it expensive. Fortunately you can bring Azure to the homelab via Arc! Azure Arc lets you extend control to resources that sit outside Azure by installing an agent on them, so you can manage them from the portal.

Let's get some machines enrolled into Arc so we can really test it out. I'll be enrolling my home lab environment as a guide.

Creating Enrollment Scripts

First head to the Azure Arc service and select Servers from the Infrastructure blade.

When adding servers you have a few options:

Adding a single server gives you a script to run on the machine. It installs the agent and then connects it to Azure via a browser login page (provided you have the correct permissions). Non-GUI machines can be connected from a separate machine using a logon code.

If you have machines already enrolled in Update Management, they can be connected to Arc via the automation account that Update Management uses.

I have quite a few lab machines, so I'll be using the Multiple Servers approach, which uses a service principal for authentication. Next, set up the appropriate resource group and region. If you are onboarding both Windows and Linux machines, as I am, you'll need to generate this script twice, once for each OS.

Next, Azure asks for the service principal you're using. It only lists service principals that have the correct permissions to join machines to Arc, so if you aren't seeing yours, check its permissions!

I don't have a service principal set up for this yet, so let's go ahead and create one.

I'm limiting the permissions for this service principal to just the resource group I want the machines onboarded into; you could scope it subscription-wide if required. Helpfully, the role assignment box is pre-filled with the appropriate role.

Be sure to take note of your secret: you won't see it again and will need to re-create it if you lose it. Now you can choose your newly created service principal for Arc to use. If it doesn't show up, you may have assigned the wrong permissions.

Next, set any tags you require. Arc has the idea of Physical Location tags to help you identify where in the world your machines are; these behave just like any other tag in Azure but add some additional functionality to the Arc portal.

Finally, you have a script to run to onboard your machine into Arc! Be sure to add your service principal secret to the script before running it. One thing to note about the script: it currently seems to contain a bug where the $servicePrincipalClientID and $servicePrincipalSecret parameters both contain an unexpected semicolon ';' before the closing quote. If yours does too, adjust those lines to look like the $env parameters instead.

Enrolling Servers into Arc

Next, get either a PowerShell or Bash session ready on the machine you plan to enroll. You'll need admin or sudo privileges, so make sure you have them handy!

If all goes well you should see the following, and your machine is connected to Arc! If it doesn't connect, check the service principal details in the script and/or the permissions it has.
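The generated script, the secret handling and the connection check above are worth tying together for the Linux side. Here is an added example, not the script Azure generates and not from the original post: a small POSIX shell wrapper that keeps the service principal secret in a root-only file rather than pasted into the script body, flags the semicolon bug in a downloaded Windows script, runs azcmagent connect with the same flags the generated script uses, and confirms the result with azcmagent show. The ARC_* variable names, the secret-file convention and the file name arc-onboard.sh are this example's own assumptions; the azcmagent subcommands and flags (connect, show, --service-principal-id, --service-principal-secret, --resource-group, --tenant-id, --location, --subscription-id, --cloud, --tags) are the agent's real ones.

```shell
#!/bin/sh
# Added example, not the script Azure generates for you: a wrapper for the Linux
# Connected Machine agent that keeps the service principal secret in a root-only
# file rather than in the script body, runs "azcmagent connect" with the flags the
# generated script uses, and confirms the result with "azcmagent show". The ARC_*
# variable names and the secret-file convention are this example's own; the
# azcmagent subcommands and flags are the agent's real ones.
set -eu

AZCMAGENT="${AZCMAGENT:-/usr/bin/azcmagent}"   # installed by the agent package

# Refuse a secret file that anyone but its owner can read.
check_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "secret file $f not found" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "secret file $f is mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Flag the bug described above in the generated PowerShell script: a ';' inside
# the closing quote of a servicePrincipal* assignment, e.g.
#   $servicePrincipalSecret="...;"   (bad)   vs   $servicePrincipalSecret="...";   (fixed)
check_generated_script() {
    script="$1"
    if grep -Eiq '^[[:space:]]*\$servicePrincipal[A-Za-z]*="[^"]*;"' "$script"; then
        echo "$script: semicolon inside the quotes on a servicePrincipal* line; move it after the quote" >&2
        return 1
    fi
}

# Connect this machine to Arc. Expects ARC_SUBSCRIPTION_ID, ARC_RESOURCE_GROUP,
# ARC_TENANT_ID, ARC_LOCATION and ARC_SP_CLIENT_ID in the environment (the values
# the portal generated for you); ARC_TAGS is optional, e.g. "Datacenter=HomeLab".
arc_connect() {
    secret_file="$1"
    : "${ARC_SUBSCRIPTION_ID:?}" "${ARC_RESOURCE_GROUP:?}" "${ARC_TENANT_ID:?}" \
      "${ARC_LOCATION:?}" "${ARC_SP_CLIENT_ID:?}"
    check_secret_file "$secret_file"
    secret=$(cat "$secret_file")
    # Build the argument list in the positional parameters (POSIX sh has no arrays).
    set -- connect \
        --service-principal-id "$ARC_SP_CLIENT_ID" \
        --service-principal-secret "$secret" \
        --resource-group "$ARC_RESOURCE_GROUP" \
        --tenant-id "$ARC_TENANT_ID" \
        --location "$ARC_LOCATION" \
        --subscription-id "$ARC_SUBSCRIPTION_ID" \
        --cloud AzureCloud
    if [ -n "${ARC_TAGS:-}" ]; then set -- "$@" --tags "$ARC_TAGS"; fi
    "$AZCMAGENT" "$@"
}

# After connecting, the agent's own "Agent Status" line should read Connected
# (a "Disconnected" value does not match this pattern).
arc_verify() {
    out=$("$AZCMAGENT" show)
    printf '%s\n' "$out" | grep -Eiq 'agent status[^:]*:[[:space:]]*connected'
}

# Usage, as root:   sh arc-onboard.sh connect /root/arc-sp.secret
#                   sh arc-onboard.sh check   ./OnboardingScript.ps1
case "${1:-}" in
    connect) [ "$(id -u)" -eq 0 ] || { echo "connect needs root" >&2; exit 1; }
             arc_connect "$2" && arc_verify ;;
    check)   check_generated_script "$2" ;;
esac
```

Create the secret file once as root with a restrictive umask (for example `umask 077` before writing it) so the secret never sits in the script, in your shell history or in a world-readable file; the connect mode refuses to run without root, matching the sudo requirement above, while the check mode can be run against the downloaded Windows script from any machine before you copy it over.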

Check back in the Arc portal to confirm your machines show up; I've added a handful of mine, as you can see.

Now that we have some servers enrolled, there's plenty of opportunity to exploit the cloud for free!

Why not start by automating the patching of these machines!
