Setting up Monitor mode on Azure Arc Connected machines – Wim Matthyssen



In this blog post, you’ll learn how to enable Monitor mode on the Azure Connected Machine agent to support restricted monitoring and security scenarios for your Azure Arc-enabled servers.

In a previous blog post, I explored how to customize the extension allowlist on the Azure Connected Machine agent for Azure Arc-enabled Windows Servers. I also discussed how you can allow multiple extensions at once, eliminating the need to configure each extension individually on every Arc-connected machine.

For many customers, Azure Arc is primarily used for monitoring and security scenarios. This allows you to monitor your servers with Azure Monitor and Microsoft Sentinel, as well as secure them with Microsoft Defender for Cloud.

Instead of manually adding all the required extensions through a customized allowlist, you can now simply configure the Azure Connected Machine Agent in Monitor mode on these servers.

Let me explain in more detail. Modes are pre-defined configurations of security controls, extension allowlists, and guest configurations maintained by Microsoft. These modes simplify the setup and ensure consistency across Azure Arc-enabled servers.

Currently, the Azure Connected Machine agent supports two modes, selected through the config.mode setting:

  • Full mode, the default, enables the agent's full functionality: any extension can be installed, and remote management features such as SSH, Windows Admin Center and Machine Configuration are available.
  • Monitor mode applies a Microsoft-managed extension allowlist, so only approved monitoring and security extensions can be used. It also disables incoming remote connectivity (incomingconnections.enabled) to reduce exposure to potential threats, and turns off the Machine Configuration agent (guestconfiguration.enabled) so that no configuration changes can be pushed to the machine.

💡 It's important to understand what Full mode exposes. Anyone holding the appropriate Azure RBAC role can, for example, add an Arc-enabled machine to a Hybrid Worker Group and run Azure Automation runbooks on it. Those runbooks execute in the System context, which amounts to full control over the machine. In other words, in Full mode excessive permissions in, or a compromise of, the Azure control plane translate directly into control of the server itself, which is exactly what you want to rule out on Tier 0 systems.

As you can see, Monitor mode is specifically designed for restricted monitoring and security scenarios. It is often used on Tier 0 machines, such as Domain Controllers, or on servers handling sensitive data.

It ensures that your Azure Arc-enabled servers meet security and compliance requirements while still allowing you to leverage Azure Monitor, Microsoft Sentinel, and Defender for Cloud.

When Monitor mode is enabled, only the extensions on the Microsoft-managed allowlist can be installed or keep working. In addition, script execution through the platform, such as Azure Automation runbooks on a Hybrid Worker, is no longer possible on the Arc-enabled machine.

In this blog post, I will show you how to enable Monitor mode on your Arc-connected machines running both Windows and Linux.


Azure prerequisites

  • An Azure subscription is required, and preferably more than one if you plan to follow the Cloud Adoption Framework (CAF) enterprise-scale architecture. This includes a connectivity and/or management subscription, as well as at least one Azure Arc subscription (landing zone) for deploying your Arc-related resources.
  • At least one Windows Server machine, whether physical or virtual, running Windows Server 2016 or later, should be part of your hybrid environment and already onboarded into Azure Arc.
  • At least one Linux server, either physical or virtual, running a supported distribution like Ubuntu 24.04.2 LTS, should be part of your hybrid environment and already onboarded to Azure Arc.
  • An Administrator account on the Azure Arc-enabled Windows Server and the root account (or sudo rights) on the Linux server, so that you can configure the Azure Connected Machine agent locally with PowerShell, Bash and the azcmagent command-line tool. Without local administrative rights the agent's configuration cannot be read or changed.

Enable Monitor mode on an Azure Arc-enabled Windows server

To enable Monitor mode on a Windows server, connect to the Arc-enabled Windows Server via RDP, ideally through a Jump Server, and open Windows PowerShell as administrator.

Then, type the following command to enable Monitor mode:

azcmagent config set config.mode monitor

You can then validate if the mode and all settings have been applied correctly by typing the following command:

You can also validate specific settings on the server itself, such as checking that Guest Configuration is disabled. To do so, open Run, type services.msc, and look for Guest Configuration Arc Service. Its Startup Type should show Disabled and the service should not be running.

You can also check which extensions are installed to validate that only the required extensions are being used. In my example only the MDE.Windows and AzureMonitorWindowsAgent extensions remain enabled; any extension that is not on the Microsoft-managed allowlist will no longer work in Monitor mode. To list them, run the following command:

You can also check the enabled extensions in the Azure Portal by navigating to the Azure Arc page, selecting the server, and then going to Extensions. There, you can see which extensions have a status of Succeeded.

You can also delete any extensions that were installed earlier and are now in a Failed state because they are not on the Monitor mode allowlist, such as the WindowsPatchExtension in my example.

💡 Keep in mind that while in Monitor mode, you cannot modify the extension allowlist or blocklist. If you need to change either list, you must switch the agent back to Full mode and then specify your own allowlist and blocklist. If you’d like to learn how to create your own custom allowlist, you can check out my previous blog post.

Enable Monitor mode on an Azure Arc-enabled Linux server

To enable Monitor mode on an Arc-enabled Linux server, first connect to the server via SSH. While you can do this using a terminal, I prefer using PuTTY on Windows.

Simply open PuTTY, enter the server’s IP address or hostname, select SSH as the connection type, and click Open. Then, log in using your username and password or an SSH key.

Once connected, switch to the root user by running:

Type the following command to enable Monitor mode for the Linux Azure Connected Machine agent:

azcmagent config set config.mode monitor

You can then validate if Monitor mode has been successfully applied by running the following command:
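The checks above, on Windows (mode, Guest Configuration service) and here on Linux, are worth scripting so they can run repeatedly, for example from a scheduled job that alerts when a Tier 0 server drifts back to Full mode. The following Bash script is an added example and not part of the original post. It reads settings back with azcmagent config get (assumed to print the bare value), takes the expected Monitor mode values from the settings this post later resets when switching back to Full mode, and uses the gcad unit name of the Linux Guest Configuration service. It needs root on Linux; on Windows the same azcmagent config get calls can be issued from PowerShell, pointing AZCMAGENT at azcmagent.exe if you run it from a Bash environment there.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: compare the local agent
# settings with the Monitor-mode lockdown or the Full-mode defaults.
set -u

AZCMAGENT="${AZCMAGENT:-azcmagent}"   # overridable so a test can stand in a fake

# Expected "key=value" pairs per profile. The three Monitor-mode values are the
# ones "azcmagent config set ... full" does not revert on its own;
# extensions.allowlist is expected empty only for the Full-mode defaults.
expected_settings() {
  case "$1" in
    monitor) printf '%s\n' config.mode=monitor \
                            incomingconnections.enabled=false \
                            guestconfiguration.enabled=false ;;
    full)    printf '%s\n' config.mode=full \
                            incomingconnections.enabled=true \
                            guestconfiguration.enabled=true \
                            extensions.allowlist= ;;
    *) echo "unknown profile: $1" >&2; return 2 ;;
  esac
}

# Value of one setting, lower-cased and stripped of CRs (azcmagent.exe output).
get_setting() {
  "$AZCMAGENT" config get "$1" 2>/dev/null | tr -d '\r' | tr '[:upper:]' '[:lower:]'
}

# check_mode monitor|full -> 0 if every setting matches, 1 on drift, 2 on error.
check_mode() {
  local profile=$1 pairs pair key want got rc=0
  command -v "$AZCMAGENT" >/dev/null 2>&1 || { echo "cannot run $AZCMAGENT" >&2; return 2; }
  pairs=$(expected_settings "$profile") || return 2
  for pair in $pairs; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(get_setting "$key")
    if [ "$got" = "$want" ]; then
      echo "OK    $key=$got"
    else
      echo "DRIFT $key='$got' (expected '$want')"; rc=1
    fi
  done
  return $rc
}

# Linux only: Monitor mode should leave the Guest Configuration daemon (gcad)
# stopped. Reports its state; does not fail on hosts without systemd.
gc_service_state() {
  command -v systemctl >/dev/null 2>&1 || { echo "no systemd"; return 0; }
  systemctl is-active gcad 2>/dev/null || true
}

# Usage: ./check-arc-mode.sh monitor   (or: full)
if [ "${1:-}" = "monitor" ] || [ "${1:-}" = "full" ]; then
  check_mode "$1"
  echo "gcad: $(gc_service_state)"
fi
```

The non-zero exit code on drift is what makes the script usable from cron or a monitoring agent: run it with `monitor` on servers that must stay locked down, and with `full` after the reset procedure later in this post to confirm the defaults really came back.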

Validate Configuration Mode in the Azure Portal

You can also validate the configuration mode (Monitor or Full) via the Azure Portal.

Simply go to the Azure Arc page, open Machines, select the machine, and click JSON View.

There, under properties.agentConfiguration, you can review the configMode and extensionsAllowList properties to confirm the current configuration.
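Checking one machine at a time in the portal does not scale to a fleet. As an added example, not from the original post, the following Bash snippet queries Azure Resource Graph for the same configMode property across every Arc-enabled machine and flags those that are not in Monitor mode, with an optional exceptions file for servers that deliberately run in Full mode. It assumes the Azure CLI with the resource-graph extension and Reader access on the subscriptions in scope; the file name tier0-exceptions.txt is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: fleet-wide Monitor-mode check
# through Azure Resource Graph.
set -u

# KQL returning every Arc-enabled machine with its agent mode. configMode is
# the field the portal's JSON view shows under properties.agentConfiguration.
arc_mode_query() {
  cat <<'EOF'
resources
| where type =~ 'microsoft.hybridcompute/machines'
| extend mode = tolower(tostring(properties.agentConfiguration.configMode))
| project name, resourceGroup, mode
| order by name asc
EOF
}

# Reads TSV rows "name<TAB>resourceGroup<TAB>mode" on stdin and prints the
# machines whose mode is not "monitor". Names listed one per line in the
# optional exceptions file are skipped. Returns 1 when at least one machine is
# reported, otherwise 0.
report_non_monitor() {
  local exceptions=${1:-/dev/null} found=0 tab name rg mode
  tab=$(printf '\t')
  while IFS="$tab" read -r name rg mode; do
    [ -n "$name" ] || continue
    if grep -qxF -- "$name" "$exceptions" 2>/dev/null; then
      continue
    fi
    if [ "$mode" != "monitor" ]; then
      # an empty mode means no configMode was reported for this machine;
      # treat it as unverified rather than as monitored
      printf '%s\t%s\t%s\n' "$name" "$rg" "${mode:-unknown}"
      found=1
    fi
  done
  return $found
}

# Live usage (one page of up to 1000 rows; use --skip-token for larger fleets):
#   az graph query -q "$(arc_mode_query)" --first 1000 \
#       --query 'data[].[name, resourceGroup, mode]' -o tsv \
#     | report_non_monitor tier0-exceptions.txt
```

Keeping the filtering on the client side, rather than in the KQL, means one query serves both the report and the exception handling, and the exceptions file can live in source control next to the list of Tier 0 servers.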

Customizing the Arc Onboarding script with Monitor mode enabled for Windows servers

For large-scale automated deployments, Monitor mode can be integrated into the Azure Arc onboarding PowerShell script (OnboardingScript.ps1), which you can generate from the Azure Arc menu in the Azure portal.

This keeps the onboarding process consistent across machines and environments, because every server leaves the deployment already in Monitor mode instead of being locked down afterwards by hand.

Below is an example of how to implement this by adding one line to OnboardingScript.ps1. Place it after the step that installs the agent, since azcmagent.exe must exist before it can be configured:

& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" config set config.mode monitor;

Customizing the Arc Onboarding script with Monitor mode enabled for Linux servers

Just like with large-scale automated deployments on Windows Server, Monitor mode can be integrated into the Azure Arc onboarding Bash script (OnboardingScript.sh) for Linux servers. You can generate this script from the Azure Arc menu in the Azure portal.

Below is an example of how to implement this by adding one line to OnboardingScript.sh, after the step that installs the agent:

sudo azcmagent config set config.mode monitor;

Change the agent back to full mode and the default settings

In certain scenarios you will need to switch the Azure Connected Machine agent from Monitor mode back to Full mode. While Monitor mode provides lightweight monitoring with a restricted set of extensions, Full mode unlocks the agent's management features.

One reason to switch is the need for an extension that is not on the Microsoft-managed allowlist enforced by Monitor mode. Full mode is also required for remote connectivity features such as SSH and Windows Admin Center, and for enforcing compliance and managing configurations at scale with Machine Configuration.

Switching the mode alone does not restore the other settings that Monitor mode changed. To switch the agent back to Full mode and also reset the extension allowlist, incoming connections and Machine Configuration to their default values, run the following commands:

💡 These commands work on both Windows Server and Linux to restore Full mode and reset the settings to their default values.

azcmagent config set config.mode full
azcmagent config clear "extensions.allowlist"
azcmagent config set incomingconnections.enabled true
azcmagent config set guestconfiguration.enabled true

Conclusion

As a Hybrid Cloud or IT Administrator, if your primary goal is to use Azure Arc for monitoring and security purposes, specifically to collect logs from connected systems, it’s important to configure the Azure Connected Machine Agent appropriately, either before or after deployment, by enabling Monitor Mode.

This ensures a lightweight setup focused solely on monitoring and security, while limiting other management capabilities.

I hope the steps and configurations outlined in this blog post help you maintain secure, monitoring-friendly, and well-managed Arc deployments.

If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or leave a comment. I’ll be happy to assist!

