How to Manage and Govern Hybrid Servers with Azure Arc

A couple of days ago, I wrote a blog post on how you can onboard a server to Azure Arc. Azure Arc for servers extends Azure to allow you to manage machines that are outside of Azure, using tools like Azure Log Analytics and Azure Policy. In this blog post, we will have a look at how you can manage and govern your servers with Azure Arc by using Azure Guest Configuration Policy.

Before we go into how you can manage your hybrid servers running on-premises or in a multi-cloud environment, I want to give you a quick look at Azure Guest Configuration Policy. Guest Configuration uses a PowerShell Desired State Configuration (DSC) resource module to create the configuration for auditing the Azure machines. It works with Linux and Windows machines. Think of it as something like Group Policy without the need for an Active Directory domain, almost like Group Policies on steroids.

Azure Policy Guest Configuration can not only be used to audit settings inside machines. You can also use a remediation task to change settings inside the machines.

We have a couple of built-in policies you can use, but you can also write your own custom policies. Until now, this was only possible with machines running in Azure, but with Azure Arc, we can now use this feature for our on-premises and multi-cloud servers.

How to assign Azure Guest Configuration Policy to Azure Arc server

Let's have a look at how we can assign an Azure policy to a server onboarded using Azure Arc. To show you how this feature works, I am taking a straightforward example. In my case, I have a couple of servers, some of them running in Azure, and some of them running on-premises. With the combination of Azure Arc and Azure Policy, I want to make sure that my servers are all set to the right time zone.

Azure Policy

To assign a policy, go to Azure Policy in the Azure Portal and navigate to Assignments. There you can assign a new policy or policy initiative, which is a set of policies. In my case, I am going to assign a built-in Policy definition.

Assign Policy Definition

First, set the scope to which you want to assign the policy definition. This can be a management group, subscription, or policy. All resources under the selected scope inherit the policy or the policy definition.

Next, select the Initiative definition that you want to assign. In my case, there is a built-in one called “Audit Windows VMs that are not set to the specified time zone”. Optionally, you can change the Assignment name and set a description.

On the next page, we are going to set the parameters for this initiative. This one only has one parameter, and it is the time zone I want my servers to be in. In my case, this is UTC+01:00.


After that, you can click on Review + create. Your policy definition is now assigned, and it will start auditing the servers which are in scope. This will take a couple of minutes to complete.

Check compliance of your servers

If you switch to the Compliance view in Azure Policy, you can now see for which policies and policy definitions you have non-compliant resources.

Compliance View

If you click on our “Audit Windows VMs that are not set to the specified time zone” definition, we can now see our non-compliant resources. You can see that Azure machines are now listed next to Azure Arc machines.

Non-compliant resources

And it looks like my on-premises FS01 server is not compliant, so it must be set to a time zone other than UTC+01:00. If I have a look at the server, I can see that this is the case.

Server Wrong Time Zone

If I am a server admin of the FS01 server, and I have access to Azure Arc, I can now also see this information directly within the Azure Arc resource, in the Azure Portal.

Azure Arc Server – Policies
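The same assignment and compliance check can be scripted with Az PowerShell. This is an added example, not code from the original post: the assignment name, the location, the `TimeZone` parameter name, and the angle-bracket placeholders are assumptions you must replace with values from your own tenant and from the initiative's parameter list.

```powershell
# Added example. Requires the Az.Resources and Az.PolicyInsights modules and an
# authenticated session (Connect-AzAccount).
$scope       = '/subscriptions/<subscription-id>'   # placeholder: your scope
$displayName = 'Audit Windows VMs that are not set to the specified time zone'

# Find the built-in initiative by the display name used in this post.
# Older Az.Resources versions nest it under .Properties, newer ones flatten it.
$initiative = Get-AzPolicySetDefinition -Builtin | Where-Object {
    $_.DisplayName -eq $displayName -or $_.Properties.DisplayName -eq $displayName
}
if (-not $initiative) { throw "Initiative '$displayName' not found in this tenant." }

# Assign it. 'TimeZone' is the assumed parameter name; the value must be one of
# the allowed values the initiative offers for UTC+01:00 (placeholder here).
# A managed identity (and therefore a location) is needed when the initiative
# contains deployIfNotExists policies.
$assignment = New-AzPolicyAssignment -Name 'audit-timezone' `
    -DisplayName $displayName `
    -Scope $scope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ TimeZone = '<allowed UTC+01:00 value>' } `
    -IdentityType SystemAssigned -Location 'westeurope'

# Evaluation starts on its own after a few minutes; this requests a scan of the
# current subscription now and waits for it to finish.
Start-AzPolicyComplianceScan

# List non-compliant machines and label each as an Azure VM or an Azure Arc
# server, based on the resource provider in the resource type.
Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
        -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object -Unique `
        @{ n = 'Machine'; e = { ($_.ResourceId -split '/')[-1] } },
        @{ n = 'Kind'; e = {
            if ($_.ResourceType -like 'Microsoft.HybridCompute/*') { 'Azure Arc' }
            else { 'Azure VM' } } },
        PolicyDefinitionName |
    Sort-Object Kind, Machine |
    Format-Table -AutoSize
```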

Azure Guest Configuration Policy Remediation

To fix this issue, I can now tell the server administrator of FS01 to change the time zone setting on the server, or I can directly remediate the issue from the Azure Portal using a remediation task. To do that, click on Create Remediation Task.

NOTE: Remediation of settings inside machines with Policy Guest Configuration is supported in Azure virtual machines. However, Azure Arc is still in preview and might not fully support that feature yet.

Remediation Task

After running the remediation task, you will see the server has the desired time zone configured.

Desired Time Zone

And that the server is now compliant with the Azure Guest Configuration Policy.

Azure Arc Server Compliant with Azure Guest Configuration Policy

Azure Friday Video

If you want to watch a video overview of how you can manage and govern your hybrid servers, I recommend that you watch the Azure Friday episode with Donovan Brown and me.


I hope this gives you an overview of how you can manage and govern hybrid servers running on-premises and in multi-cloud environments using Azure Arc with Azure Guest Configuration Policy. Check out how you can onboard servers to Azure Arc, and if you want to learn more about Azure Guest Configuration Policy, check out the Microsoft Docs.

Credits: David Coulter (Microsoft) for the collaboration on this article.


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.