Build Azure Arc connected server configurations with extensions and policies.
Last verified: May 2026
Build Azure Arc connected server configs with extensions, guest configuration, and patch management.
Required fields: name, resourceGroup, location, subscriptionId, extensions.

Azure Arc extends Azure management and governance to servers running on-premises, at the edge, or in other clouds. Onboarding a server to Azure Arc installs the Connected Machine agent, which establishes a secure connection to Azure and registers the server as an Azure resource. Once connected, you can apply Azure Policy, deploy VM extensions (Log Analytics agent, custom scripts, Defender for Servers), manage updates with Azure Update Manager, and use Microsoft Defender for Cloud. The Arc Server Config Builder helps you configure agent installation parameters, extension deployments, and policy assignments for hybrid server management.
The server needs outbound HTTPS (port 443) connectivity to Azure endpoints (or through a proxy/Private Link). Supported operating systems include Windows Server 2012 R2+ and most major Linux distributions (Ubuntu, RHEL, CentOS, SLES, Debian, Amazon Linux, Oracle Linux). The service principal used for onboarding needs the Azure Connected Machine Onboarding role. The Connected Machine agent runs as a service (himds on Linux, Connected Machine Agent on Windows) and uses about 200MB of memory. Servers behind firewalls can use Azure Arc Private Link Scope for private connectivity.
Without Arc, on-premises servers are invisible to Azure management. With Arc, you can: assign Azure Policy for compliance auditing, deploy VM extensions for monitoring and security, use Microsoft Defender for Cloud for vulnerability assessments, manage OS updates with Azure Update Manager, query server inventory with Azure Resource Graph, use Azure Automanage for automated best-practice configurations, and track servers alongside Azure VMs in a single inventory. Essentially, Arc servers become first-class Azure resources for governance purposes.
Your team has 200 on-premises servers across 5 datacenters that need to be visible to Azure governance. The builder generates a phased onboarding plan: a PowerShell/bash script for the Connected Machine agent (parameterized by environment), Azure Policy assignments to auto-deploy the Log Analytics and Defender extensions, and a Defender for Servers Plan 2 license at the subscription level. After 3 weeks of phased rollout, all 200 servers are Arc-enabled, providing centralized compliance reporting, vulnerability scanning, and unified inventory alongside Azure VMs. This eliminates the need for a separate vulnerability scanning tool.
The builder generates Azure Arc onboarding scripts and configuration: Connected Machine agent install command (with proxy settings, service principal credentials, optional Private Link Scope reference), VM extension deployments (Log Analytics agent, Microsoft Monitoring Agent, custom script extensions), and Azure Policy assignments scoped to Arc-enabled servers (e.g., 'Deploy Defender for Servers extension' policy). Output supports both PowerShell (for Windows) and bash (for Linux) onboarding scripts.
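As an added illustration (not the builder's own output), the following shell script assembles the Linux onboarding command described above from ARC_* environment variables (assumed names), validates the required fields, adds the proxy and Private Link Scope settings only when they are set, and leaves the service principal secret as a run-time variable reference so it is never written into the generated script text.

```shell
#!/bin/sh
# Added example, not the builder's own output. Inputs are assumed ARC_* variables;
# the service principal secret stays in ARC_SP_SECRET at run time.
set -eu

# Fail with the name of the first required field that is empty.
arc_check_required() {
  for field in ARC_NAME ARC_RESOURCE_GROUP ARC_LOCATION ARC_SUBSCRIPTION_ID \
               ARC_TENANT_ID ARC_SP_ID; do
    eval "val=\${$field:-}"
    if [ -z "$val" ]; then
      echo "missing required field: $field" >&2
      return 1
    fi
  done
}

# Emit the agent proxy setting when the server reaches Azure through a proxy.
arc_proxy_cmd() {
  [ -n "${ARC_PROXY_URL:-}" ] || return 0
  printf 'azcmagent config set proxy.url "%s"\n' "$ARC_PROXY_URL"
}

# Emit the azcmagent connect command. Private Link Scope and tags are optional;
# the secret is emitted as "$ARC_SP_SECRET", expanded only when the script runs.
arc_connect_cmd() {
  arc_check_required || return 1
  cmd="azcmagent connect --resource-name \"$ARC_NAME\""
  cmd="$cmd --resource-group \"$ARC_RESOURCE_GROUP\" --location \"$ARC_LOCATION\""
  cmd="$cmd --subscription-id \"$ARC_SUBSCRIPTION_ID\" --tenant-id \"$ARC_TENANT_ID\""
  cmd="$cmd --cloud \"${ARC_CLOUD:-AzureCloud}\""
  cmd="$cmd --service-principal-id \"$ARC_SP_ID\""
  cmd="$cmd --service-principal-secret \"\$ARC_SP_SECRET\""
  if [ -n "${ARC_PRIVATE_LINK_SCOPE:-}" ]; then
    cmd="$cmd --private-link-scope \"$ARC_PRIVATE_LINK_SCOPE\""
  fi
  if [ -n "${ARC_TAGS:-}" ]; then
    cmd="$cmd --tags \"$ARC_TAGS\""
  fi
  printf '%s\n' "$cmd"
}

# Print the complete onboarding script body for the current environment.
arc_onboard_script() {
  arc_proxy_cmd
  arc_connect_cmd
}
```

Export ARC_SP_SECRET from a secrets store on the target host just before running the generated script, so the onboarding file itself carries no credential.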
Always onboard servers via the Azure Connected Machine Onboarding role, NEVER via service principals with broader permissions. The role is specifically scoped to Arc onboarding and prevents common credential-leak risks (an SPN with Contributor that gets compromised has WAY more blast radius than one scoped to Arc onboarding).
Microsoft Defender for Servers Plan 2 on Arc-enabled servers costs ~$15/server/month but includes vulnerability scanning, file integrity monitoring, and adaptive application controls. For organizations subject to compliance audits (PCI, HIPAA, SOC 2), this is dramatically cheaper than equivalent third-party tools.
For air-gapped or strict-network environments, Azure Arc Private Link Scope provides Arc connectivity over ExpressRoute / VPN without internet access. The setup is more complex but enables compliance scenarios where outbound internet from servers is prohibited.