Register your machines and assign permissions for Azure Local deployment
Applies to: Azure Local 2311.2 and later
This article describes how to register your Azure Local machines and then set up the required permissions to deploy Azure Local.
Prerequisites
Before you begin, make sure you've completed the following prerequisites:
Azure Local machine prerequisites
- Complete the prerequisites and the deployment checklist for your environment.
- Prepare Active Directory environment.
- Download the software and Install the Azure Stack HCI operating system, version 23H2 on each machine.
Azure prerequisites
Register required resource providers. Make sure that your Azure subscription is registered against the required resource providers. To register, you must be an owner or contributor on your subscription. You can also ask an administrator to register.
Run the following PowerShell commands to register:
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.HybridCompute"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.GuestConfiguration"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.HybridConnectivity"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.AzureStackHCI"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.Kubernetes"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.KubernetesConfiguration"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.ExtendedLocation"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.ResourceConnector"
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.HybridContainerService"
Note
The assumption is that the person registering the Azure subscription with the resource providers is a different person than the one who is registering the Azure Local machines with Arc.
Create a resource group. Follow the steps to Create a resource group where you want to register your machines. Make a note of the resource group name and the associated subscription ID.
Get the tenant ID. Follow the steps in Get the tenant ID of your Microsoft Entra tenant through the Azure portal:
In the Azure portal, go to Microsoft Entra ID > Properties.
Scroll down to the Tenant ID section and copy the Tenant ID value to use later.
Verify permissions. As you register machines as Arc resources, make sure that you're either the resource group owner or have the following permissions on the resource group where the machines are provisioned:
- Azure Connected Machine Onboarding
- Azure Connected Machine Resource Administrator
To verify that you have these roles, follow these steps in the Azure portal:
Go to the subscription you used for the Azure Local deployment.
Go to the resource group where you plan to register the machine.
In the left-pane, go to Access Control (IAM).
In the right pane, go to Role assignments. Verify that you have the Azure Connected Machine Onboarding and Azure Connected Machine Resource Administrator roles assigned.
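The two prerequisite checks above (resource providers registered on the subscription, Arc onboarding roles held on the resource group) can be scripted instead of clicked through. The following is an added example, not code from the Microsoft article; it assumes the Az.Accounts and Az.Resources modules are installed, that Connect-AzAccount has already been run with a user (not service principal) account, and that the subscription and resource group values are placeholders you replace.

```powershell
# Added pre-flight check (not the article's code): confirms the required resource
# providers are registered and the signed-in user holds the Arc onboarding roles.
# Assumes Az.Accounts/Az.Resources and an existing Connect-AzAccount session.
$Subscription = "YourSubscriptionID"      # placeholder
$RG           = "YourResourceGroupName"   # placeholder

Set-AzContext -SubscriptionId $Subscription | Out-Null

# Namespaces from the article's registration step
$RequiredProviders = @(
    "Microsoft.HybridCompute",
    "Microsoft.GuestConfiguration",
    "Microsoft.HybridConnectivity",
    "Microsoft.AzureStackHCI",
    "Microsoft.Kubernetes",
    "Microsoft.KubernetesConfiguration",
    "Microsoft.ExtendedLocation",
    "Microsoft.ResourceConnector",
    "Microsoft.HybridContainerService"
)

# Get-AzResourceProvider returns one object per resource type; the
# RegistrationState is the same on all of them, so the first is enough.
$Unregistered = foreach ($ns in $RequiredProviders) {
    $state = (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState
    if ($state -ne "Registered") { "$ns ($state)" }
}

# Roles the article requires on the resource group. -ExpandPrincipalGroups also
# counts assignments the user receives through group membership, and the
# resource-group query includes assignments inherited from the subscription.
$RequiredRoles = @(
    "Azure Connected Machine Onboarding",
    "Azure Connected Machine Resource Administrator"
)
$User     = (Get-AzContext).Account.Id
$Assigned = Get-AzRoleAssignment -ResourceGroupName $RG -SignInName $User -ExpandPrincipalGroups |
    Select-Object -ExpandProperty RoleDefinitionName -Unique

# Owner on the resource group satisfies the requirement on its own
if ($Assigned -contains "Owner") {
    $MissingRoles = @()
} else {
    $MissingRoles = $RequiredRoles | Where-Object { $_ -notin $Assigned }
}

if ($Unregistered) {
    Write-Warning "Resource providers not registered: $($Unregistered -join ', ')"
}
if ($MissingRoles) {
    Write-Warning "Roles missing for $User on resource group '$RG': $($MissingRoles -join ', ')"
}
if (-not $Unregistered -and -not $MissingRoles) {
    Write-Host "Prerequisites satisfied for $User on '$RG' in subscription $Subscription."
}
```

Run it from the same account that will perform the Arc registration, since the role check is relative to the signed-in user. If the provider check reports anything other than Registered, the registration step from the Azure prerequisites section still needs to be run by an owner or contributor on the subscription.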
Check your Azure policies. Make sure that:
- The Azure policies aren't blocking the installation of extensions.
- The Azure policies aren't blocking the creation of certain resource types in a resource group.
- The Azure policies aren't blocking the resource deployment in certain locations.
Register machines with Azure Arc
Important
Run these steps as a local administrator on every Azure Local machine that you intend to cluster.
Set the parameters. The script takes in the following parameters:
- SubscriptionID: The ID of the subscription used to register your machines with Azure Arc.
- TenantID: The tenant ID used to register your machines with Azure Arc. Go to your Microsoft Entra ID and copy the tenant ID property.
- ResourceGroup: The resource group precreated for Arc registration of the machines. A resource group is created if one doesn't exist.
- Region: The Azure region used for registration. See the Supported regions that can be used.
- AccountID: The user who registers and deploys the instance.
- ProxyServer: Optional parameter. Proxy server address, when one is required for outbound connectivity.
- DeviceCode: The device code displayed in the console at https://microsoft.com/devicelogin and used to sign in to the device.
#Define the subscription where you want to register your machine as Arc device
$Subscription = "YourSubscriptionID"
#Define the resource group where you want to register your machine as Arc device
$RG = "YourResourceGroupName"
#Define the region to use to register your server as Arc device
#Do not use spaces or capital letters when defining region
$Region = "eastus"
#Define the tenant you will use to register your machine as Arc device
$Tenant = "YourTenantID"
#Define the proxy address if your Azure Local deployment accesses the internet via proxy
$ProxyServer = "http://proxyaddress:port"
Connect to your Azure account and set the subscription. You'll need to open a browser on the client that you're using to connect to the machine, open https://microsoft.com/devicelogin, and enter the code provided in the Azure CLI output to authenticate. Get the access token and account ID for the registration.
#Connect to your Azure account and Subscription
Connect-AzAccount -SubscriptionId $Subscription -TenantId $Tenant -DeviceCode
#Get the Access Token for the registration
$ARMtoken = (Get-AzAccessToken -WarningAction SilentlyContinue).Token
#Get the Account ID for the registration
$id = (Get-AzContext).Account.Id
Finally, run the Arc registration script. The script takes a few minutes to run.
#Invoke the registration script. Use a supported region.
Invoke-AzStackHciArcInitialization -SubscriptionID $Subscription -ResourceGroup $RG -TenantID $Tenant -Region $Region -Cloud "AzureCloud" -ArmAccessToken $ARMtoken -AccountID $id -Proxy $ProxyServer
If you're accessing the internet via a proxy server, you need to pass the -Proxy parameter and provide the proxy server as http://<Proxy server FQDN or IP address>:Port when running the script. For a list of supported Azure regions, see Azure requirements.
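The registration call above always passes -Proxy, and the region value has formatting rules the script does not check for you. The following wrapper is an added example, not the article's or the module's own code: it validates the region and proxy strings before they are used and passes -Proxy only when a proxy is actually configured. It assumes Connect-AzAccount has already been run on the machine, that the module providing Invoke-AzStackHciArcInitialization (assumed here to be AzStackHci.ArcInstaller) is installed, and that all IDs are placeholders.

```powershell
# Added wrapper around the article's registration step (not Microsoft's code).
# Assumes an existing Connect-AzAccount session and the AzStackHci.ArcInstaller
# module (assumed module name) that provides Invoke-AzStackHciArcInitialization.
$Subscription = "YourSubscriptionID"      # placeholder
$RG           = "YourResourceGroupName"   # placeholder
$Tenant       = "YourTenantID"            # placeholder
$Region       = "eastus"
$ProxyServer  = ""   # e.g. "http://proxyaddress:8080"; leave empty when no proxy is used

# The article requires the short Azure region name: lowercase, no spaces.
if ($Region -notmatch '^[a-z0-9]+$') {
    throw "Region '$Region' must be the short Azure region name (lowercase, no spaces), e.g. eastus."
}

# When a proxy is set, it must be http(s)://<FQDN or IP>:<port> as the article states.
if ($ProxyServer -and $ProxyServer -notmatch '^https?://[^\s/:]+:\d+$') {
    throw "Proxy '$ProxyServer' must be in the form http://<FQDN or IP>:<port>."
}

# Token and account ID for the registration, as in the article
$ARMtoken  = (Get-AzAccessToken -WarningAction SilentlyContinue).Token
$AccountId = (Get-AzContext).Account.Id

# Build the parameter set once; -Proxy is added only when configured (splatting)
$ArcParams = @{
    SubscriptionID = $Subscription
    ResourceGroup  = $RG
    TenantID       = $Tenant
    Region         = $Region
    Cloud          = "AzureCloud"
    ArmAccessToken = $ARMtoken
    AccountID      = $AccountId
}
if ($ProxyServer) { $ArcParams["Proxy"] = $ProxyServer }

Invoke-AzStackHciArcInitialization @ArcParams

# Local post-check: the Azure Connected Machine agent service (himds) should be running
Get-Service himds -ErrorAction SilentlyContinue | Select-Object Name, Status
```

Because registration cannot be undone without reinstalling the operating system (see the note below), failing early on a malformed region or proxy value is cheaper than discovering the problem after the script has partially run.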
After the script completes successfully on all the machines, verify that:
Note
Once an Azure Local machine is registered with Azure Arc, the only way to undo the registration is to install the operating system again on the machine.
Assign required permissions for deployment
This section describes how to assign Azure permissions for deployment from the Azure portal.
In the Azure portal, go to the subscription used to register the machines. In the left pane, select Access control (IAM). In the right pane, select + Add and from the dropdown list, select Add role assignment.
Go through the tabs and assign the following role permissions to the user who deploys the instance:
- Azure Stack HCI Administrator
- Reader
In the Azure portal, go to the resource group used to register the machines on your subscription. In the left pane, select Access control (IAM). In the right pane, select + Add and from the dropdown list, select Add role assignment.
Go through the tabs and assign the following permissions to the user who deploys the instance:
- Key Vault Data Access Administrator: This permission is required to manage data plane permissions to the key vault used for deployment.
- Key Vault Secrets Officer: This permission is required to read and write secrets in the key vault used for deployment.
- Key Vault Contributor: This permission is required to create the key vault used for deployment.
- Storage Account Contributor: This permission is required to create the storage account used for deployment.
In the right pane, go to Role assignments. Verify that the deployment user has all the configured roles.
In the Azure portal, go to Microsoft Entra Roles and Administrators and assign the Cloud Application Administrator role permission at the Microsoft Entra tenant level.
Note
The Cloud Application Administrator permission is temporarily needed to create the service principal. After deployment, this permission can be removed.
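The Azure RBAC assignments in this section can also be made with PowerShell, which makes it easier to keep each role at the narrowest scope the article specifies (two at the subscription, four at the resource group) and to audit the result. The following is an added example and not the article's code; it assumes the Az.Accounts and Az.Resources modules, a Connect-AzAccount session with rights to assign roles (Owner or User Access Administrator at the relevant scope), and placeholder IDs and a placeholder sign-in name.

```powershell
# Added example (not from the article): assign and verify the deployment user's
# Azure RBAC roles at the scopes the article specifies.
# Assumes Az.Accounts/Az.Resources and a session allowed to assign roles.
$Subscription = "YourSubscriptionID"      # placeholder
$RG           = "YourResourceGroupName"   # placeholder
$DeployUser   = "deployer@contoso.com"    # placeholder sign-in name of the deployment user

$SubScope = "/subscriptions/$Subscription"
$RgScope  = "$SubScope/resourceGroups/$RG"

# Roles from the article: subscription scope for the first two, resource group scope for the rest
$RoleMap = @(
    @{ Role = "Azure Stack HCI Administrator";       Scope = $SubScope },
    @{ Role = "Reader";                              Scope = $SubScope },
    @{ Role = "Key Vault Data Access Administrator"; Scope = $RgScope },
    @{ Role = "Key Vault Secrets Officer";           Scope = $RgScope },
    @{ Role = "Key Vault Contributor";               Scope = $RgScope },
    @{ Role = "Storage Account Contributor";         Scope = $RgScope }
)

foreach ($entry in $RoleMap) {
    # Get-AzRoleAssignment at a scope also returns assignments inherited from
    # parent scopes, so an existing broader assignment is not duplicated.
    $existing = Get-AzRoleAssignment -SignInName $DeployUser `
                                     -RoleDefinitionName $entry.Role `
                                     -Scope $entry.Scope
    if (-not $existing) {
        New-AzRoleAssignment -SignInName $DeployUser `
                             -RoleDefinitionName $entry.Role `
                             -Scope $entry.Scope | Out-Null
        Write-Host "Assigned '$($entry.Role)' at $($entry.Scope)"
    } else {
        Write-Host "'$($entry.Role)' already present at $($entry.Scope)"
    }
}

# Verification, equivalent to the portal's Role assignments view for the resource group
Get-AzRoleAssignment -SignInName $DeployUser -ResourceGroupName $RG |
    Select-Object RoleDefinitionName, Scope |
    Sort-Object Scope, RoleDefinitionName
```

The Cloud Application Administrator role from the last step is a Microsoft Entra directory role, not an Azure RBAC role, so it is not covered by New-AzRoleAssignment and is assigned (and, after deployment, removed) in Microsoft Entra Roles and Administrators as the article describes.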
Next steps
After setting up the first machine in your instance, you're ready to deploy using Azure portal: