How to Configure Azure Arc with Read-Only Permissions for On-Premises Backup Servers?

Bianca 0 Reputation points
2024-12-05T13:06:42.8866667+00:00

I am planning to use Azure Arc for the integration and monitoring of on-premises backup servers. However, I need to ensure that Azure Arc, or anyone accessing the servers through Azure Arc, has read-only permissions and cannot make any changes to these systems.

Is there a way to securely configure this? Specifically, I would like to:

  1. Set up Azure Arc to grant only read-only permissions.
  2. Restrict the Azure Connected Machine Agent and other components accordingly.
  3. Ensure that no management functions such as script execution or policy enforcement can be enabled.

2 answers

  1. Ashok Gandhi Kotnana 1,500 Reputation points Microsoft Vendor
    2024-12-05T13:13:29.8633333+00:00

    Hi @Bianca,

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    Yes, you can configure Azure Arc to ensure read-only access to your on-premises backup servers. Here are the steps to achieve this:

    1. Set Up Read-Only Permissions:

    2. Restrict the Azure Connected Machine Agent:

    • Ensure that the Azure Connected Machine Agent is configured with the minimum required permissions. The agent itself should only have the necessary permissions to report status and collect logs.
    • Avoid assigning roles like Contributor or Owner to the agent or users interacting with it, as these roles allow for changes and management operations.

    3. Restrict Script Execution and Policy Enforcement:

    • Disable Azure Automation: Ensure that automation accounts are not linked to the connected machines if you want to avoid script execution or policy enforcement through runbooks. This limits the ability to run scripts on these machines.
    • Restrict Policy Enforcement: Use Azure Policy to prevent any changes to the connected machines. For example, you can create a policy to deny updates or configuration changes.
    • Ensure that only monitoring and log data collection (like performance metrics or event logs) are allowed through the agent.

    Let us know if you need any further help; we will always help as needed.

    Please do not forget to "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
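    The cloud-side half of this advice (read-only RBAC, no Contributor/Owner) as an added, editor-written example; it is not code from the thread or from Microsoft's documentation. It grants the built-in Reader role to a monitoring group at the resource group holding the Arc machines, then lists every principal that still holds a write-capable role effective at that scope. The subscription id, resource group name and group name are placeholders; the script assumes the Az PowerShell module and a signed-in session. Note what Reader does and does not do: it stops those users from creating extensions, run commands or policy assignments through Azure, but it does not constrain anyone who holds Contributor or Owner higher up the hierarchy, and it does nothing on the server itself. That is why the local agent controls in the next answer are the enforcement point.

```powershell
# Added example (not from the Q&A thread): read-only RBAC for Arc-enabled backup
# servers plus an audit of who can still change them. Requires the Az module and
# an existing Connect-AzAccount session. All identifiers below are placeholders.

$ErrorActionPreference = 'Stop'
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-backup-arc'                          # placeholder: RG containing the Arc machines
$readerGroup    = 'sg-backup-monitoring'                   # placeholder: Entra ID group of monitoring staff
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# 1. Humans get Reader only. Reader can view the machine resource, its heartbeat
#    status and installed extensions, but cannot create, modify or delete anything.
$group = Get-AzADGroup -DisplayName $readerGroup
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope -RoleDefinitionName 'Reader'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
    Write-Host "Granted Reader on $scope to $readerGroup"
}

# 2. Roles that can push extensions, run commands or change configuration on an
#    Arc machine: Owner and Contributor, plus the Arc-specific administrator role.
#    (The 'Azure Connected Machine Onboarding' role belongs only on the service
#    principal used to connect the servers, and only for as long as onboarding runs.)
$writeRoles = 'Owner', 'Contributor', 'Azure Connected Machine Resource Administrator'

# 3. Audit. Get-AzRoleAssignment -Scope returns assignments effective at that
#    scope, including ones inherited from the subscription or management group;
#    a narrower Reader grant cannot cancel an inherited Contributor.
$risky = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $writeRoles -contains $_.RoleDefinitionName } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope

if ($risky) {
    Write-Warning 'Principals that can still change Arc machines in this scope:'
    $risky | Format-Table -AutoSize
} else {
    Write-Host "No write-capable role assignments effective at $scope"
}
```

Run the audit part on a schedule; the Reader grant is a one-off, but inherited assignments appear whenever someone is added to a subscription-level group.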


  2. Bianca 0 Reputation points
    2024-12-06T10:00:32.2766667+00:00

    I actually found my answer:

    Local agent security controls

    Starting with agent version 1.16, you can optionally limit the extensions that can be installed on your server and disable Guest Configuration. These controls can be useful when connecting servers to Azure for a single purpose, such as collecting event logs, without allowing other management capabilities to be used on the server. These security controls can only be configured by running a command on the server itself and cannot be modified from Azure. This approach preserves the server admin's intent when enabling remote management scenarios with Azure Arc, but also means that changing the setting is more difficult if you later decide to change them. This feature is intended for sensitive servers (for example, Active Directory Domain Controllers, servers that handle payment data, and servers subject to strict change control measures). In most other cases, it's not necessary to modify these settings.

    https://learn.microsoft.com/en-us/azure/azure-arc/servers/security-extensions#local-agent-security-controls
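    What applying those local agent security controls looks like on a Windows backup server, as an added example written for this page (not the original poster's script and not copied from the linked documentation). It restricts the extension manager to a single allowlisted extension, disables guest configuration so Azure Policy cannot enforce in-guest settings, disables incoming connections through the Arc endpoint, and then reads each property back to confirm it applied. It assumes the Azure Monitor agent is the only extension you want (`Microsoft.Azure.Monitor/AzureMonitorWindowsAgent`; on Linux the type is `Microsoft.Azure.Monitor/AzureMonitorLinuxAgent` and the same `azcmagent` commands run in a root shell), and it assumes `azcmagent config get` prints just the value, so adjust the comparison if your agent version prints a label. Per the documentation quoted above this needs agent 1.16 or later, and the settings can only be changed locally, which is the point: a Contributor in Azure cannot undo them.

```powershell
# Added example (not from the Q&A thread or Microsoft's docs): lock the Azure
# Connected Machine Agent down to log collection only, then verify. Run in an
# elevated PowerShell session on the server itself; these values cannot be set
# from the Azure side. Agent version 1.16+ required.

$ErrorActionPreference = 'Stop'

# Assumption: the only extension this server may ever accept is the Azure
# Monitor agent that forwards event logs / performance counters to Log Analytics.
$allowedExtensions = 'Microsoft.Azure.Monitor/AzureMonitorWindowsAgent'

# Desired end state: azcmagent property -> value we expect to read back.
$desired = [ordered]@{
    'extensions.allowlist'        = $allowedExtensions  # extension manager refuses anything else (Custom Script, Run Command, etc.)
    'guestconfiguration.enabled'  = 'false'             # no in-guest policy enforcement via Machine Configuration
    'incomingconnections.enabled' = 'false'             # no SSH/RDP sessions brokered through the Arc connectivity endpoint
}

foreach ($entry in $desired.GetEnumerator()) {
    & azcmagent config set $entry.Key $entry.Value
    if ($LASTEXITCODE -ne 0) {
        throw "azcmagent config set $($entry.Key) failed with exit code $LASTEXITCODE"
    }
}

# Verify by reading every property back. Assumption: 'azcmagent config get'
# prints only the value. Keep this loop as a scheduled drift check too, because
# a local administrator can still change the settings.
$drift = @()
foreach ($entry in $desired.GetEnumerator()) {
    $actual = (& azcmagent config get $entry.Key | Out-String).Trim()
    if ($actual -ne $entry.Value) {
        $drift += "$($entry.Key): expected '$($entry.Value)', got '$actual'"
    }
}

if ($drift.Count -gt 0) {
    $drift | ForEach-Object { Write-Warning $_ }
    throw 'Local agent security controls did not apply cleanly'
}

# Print the full effective configuration for the change record.
& azcmagent config list
Write-Host 'Agent locked down: allowlisted extension only, guest configuration off, incoming connections off.'
```

Two practical caveats. First, an allowlist only controls what the extension manager will install or update; review `azcmagent config list` and the extensions blade for anything already present before you rely on it. Second, these settings are deliberately sticky: reversing them means another interactive session on the server, so record the change in whatever change-control process the backup servers already fall under.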

