Use Azure Policy to manage Extensions Allow- and Blocklist on Azure Arc Connected Machines

Lukas Berger 20

Is there a way to manage Extensions Allow- and Blocklist for Azure Arc Connected Machines?
As mentioned in this KB-Article, it should be possible. But it is not precisely stated, if this works only for Azure VMs, or if this also applies for Arc Connected Machines / VMs hosted On-Premises.
It seems, that you can only manage these Extensions for Azure VMs, not for On-Premises VMs.

I found the following Built-In Policy, but this Policy can't be applied to Arc Connected Machines:
https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc0e996f8-39cf-4af9-9f45-83fbde810432

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-01-20T18:02:36.67+00:00

Hi Lukas Berger
Just checking in to see if the below answer provided by @Jeff Pigott helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Accepted answer

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-01-30T06:15:39.35+00:00

Hi Lukas Berger

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Currently, Azure Policy does not fully support managing extensions for Azure Arc-connected machines in the same way it does for Azure VMs. The built-in policies intended for Azure VMs do not apply to Arc-connected machines, which means that even if you apply these policies, they won't reflect any compliance status for the Arc machines.

It's crucial to ensure that the policy is applied to the correct scope where your Arc machines reside (management group, subscription, or resource group). The correct target resource type for Azure Arc servers is "Microsoft.HybridCompute/machines.

You can use these tools to manage extensions on your Arc-connected machines effectively. The Azure Connected Machine Agent allows you to control extensions directly, even if the Azure Policy does not apply.

If necessary, you can create custom policies tailored specifically for your Arc-connected machines. This approach allows you to define specific controls that align with your organization's security requirements.

https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions
https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-overview?WT.mc_id=modinfra-100794-socuff
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/extensions-rmpolicy-howto-ps#create-the-policy

let us know if any help, we will always help as you needed.!

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Please sign in to rate this answer.

1 person found this answer helpful.
Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-02-04T02:17:11.2+00:00

Hi Lukas Berger
I have convert the comment into an answer. If you could kindly accept answer for the benefit of the community, it would be greatly appreciated and helpful to others.

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-02-05T01:10:49.0966667+00:00

Hi Lukas Berger
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" and ''accept answer'' on my post let us know Thank you...!

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-02-06T01:53:32.81+00:00

Hi Lukas Berger
If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-02-07T01:58:51.15+00:00

Hi Lukas Berger
If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-02-07T21:53:28.2266667+00:00

Hi Lukas Berger If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-02-11T06:58:24.2233333+00:00

Hi Lukas Berger
If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

2 additional answers

Jeff Pigott 170 Reputation points Microsoft Employee

2025-01-17T18:16:31.34+00:00

Yes, you are correct. The policy you found is only applicable to Azure VMs and cannot be applied to Azure Arc Connected Machines or VMs hosted on-premises. Currently, there is no built-in policy available to manage extensions allow- and blocklist for Azure Arc Connected Machines. However, you can use Azure Arc to onboard your on-premises machines to Azure and then apply the built-in policy to manage extensions allow- and blocklist for those machines. Alternatively, you can create a custom policy to manage extensions allow- and blocklist for Azure Arc Connected Machines. Let me know if you need any further assistance.
Please sign in to rate this answer.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Lukas Berger 20 Reputation points

2025-01-21T09:47:05.8066667+00:00

Yes, I need further assistance.

For clarification on my side: The affected VMs are already Arc-Onboarded and Accessible through Azure Arc. We have multiple Extensions in Production.

In Azure Policy I can assign the mentioned built-in Policy to the affected Resource Group. But after that, if I check the compliance status, there are 0 compliant and 0 non-compliant machines. So I assume that the policy doesn't look at the Arc onboarded machines.

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-01-23T13:51:43.5933333+00:00

Hi Lukas Berger

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Azure Arc-enabled servers let you control which extensions can be used, but you need to set this up on each server individually using the Azure Connected Machine agent, rather than through Azure Policy.

If you've assigned the policy to a resource group with Azure Arc machines and see no compliant or non-compliant statuses, it means the policy doesn't apply to those machines. This is a known limitation because built-in policies can't manage Azure Arc-enabled servers at this time.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions
https://docs.azure.cn/en-us/azure-arc/servers/security-extensions

If you have any further queries, do let us know.

If the answer is helpful, please and "Upvote it".

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-01-24T08:56:17.29+00:00

Hi Lukas Berger
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!

Lukas Berger 20 Reputation points

2025-01-24T10:53:59.31+00:00

Hello and thanks for your answer.
Yes, I know that. I configured Local Agent Security Controls with a PowerShell Script. But in this Article from Microsoft it is stated, that you can use Azure Policy to control the Allow- and Blocklist for Extensions on Azure Arc Connected Machines:
https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-extensions#allowlists-and-blocklists
See the last paragraph: "Azure Policies can also be used to restrict which extensions can be installed. Azure Policies have the advantage of being configurable in the cloud and not requiring a change on each individual server if you need to change the list of approved extensions. However, anyone with permission to modify policy assignments could override or remove this protection. If you choose to use Azure Policies to restrict extensions, make sure you review which accounts in your organization have permission to edit policy assignments and that appropriate change control measures are in place."

Also, Jeff Mentioned that it should be possible to control the Extension Allow- and Blocklist via Azure Policy for Arc Enabled Connected Machines.

Thanks for your further investigation.

Pranay Reddy Madireddy 1,925 Reputation points Microsoft Vendor

2025-01-28T15:08:52.9133333+00:00

Hi Lukas Berger

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Azure Policies can be set up in the cloud, enabling changes to be applied globally without the need to update each individual server. This is especially useful for managing a large number of connected machines.

By implementing Azure Policies, organizations can control which extensions are permitted or blocked, boosting security by preventing unauthorized installations.
https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-extensions

https://www.techielass.com/azure-arc-enabled-server-extensions/

If you have any further queries, do let us know.

If the answer is helpful, please and "Upvote it".

Rahul Podila 1,730 Reputation points Microsoft Vendor

2025-01-30T04:53:11.82+00:00

Hi @Lukas Berger

We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Lukas Berger 20 Reputation points

2025-01-30T05:33:45.1866667+00:00

Hello.
Could you please respond to my previous comment?
An explanation of what Azure Policy is, is not what my question was.

Thank you.

Rahul Podila 1,730 Reputation points Microsoft Vendor

2025-01-31T04:10:19.11+00:00

Hi @Lukas Berger

We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.

Please do not forget to "Accept the answer” and “upvote it” wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.

Lukas Berger 20 Reputation points

2025-02-04T09:04:23.3733333+00:00

I answered you on Jan 30. 2025 at 6:33 AM.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Use Azure Policy to manage Extensions Allow- and Blocklist on Azure Arc Connected Machines

2 additional answers

Your answer