Azure Machine Configuration now supports System Assigned Identities, alongside User Assigned Identities, for private access to configuration packages in Azure Storage, enhancing your cloud security and management.
Background: Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers.
We are excited to announce generally available support for System Assigned Identities to privately access configuration packages stored in Azure Storage Blobs. This feature provides a simpler alternative to using Shared Access Signature (SAS) Tokens for anonymous access and is available for use across both Azure and Arc machines. This feature builds on top of our previously released support for User Assigned Identities.
Now you have the flexibility to use either User Assigned or System Assigned Managed Identities when granting private access to packages stored in Azure Storage. Learn more about our support for User Assigned Identities here: Securely store your Machine Configuration packages in Azure Storage using User Assigned Identities
What’s new?
Custom Machine Configuration policy definitions can now automatically use the System Assigned Identity of a Virtual Machine or Arc-enabled server with Azure Storage Blob read permissions. Any machine with system-assigned identity enabled and assigned the proper role can now privately access configuration packages in Azure Storage upon assignment of the Policy.
With this release, you no longer need to generate a SAS token to reference the URL of a custom package in a custom Policy definition, which means you can block anonymous access on the Azure Storage accounts where your configuration packages are stored.
Getting started
For this feature to work successfully, you first need to:
- IMPORTANT: Deploy the Machine Configuration extension at scale across all virtual machines by assigning the following policy initiative: Deploy prerequisites to enable machine configuration policies on virtual machines. This is a required onboarding step for Azure Machine Configuration in order to receive compliance reports.
- Ensure that all the Virtual Machines or Arc-enabled servers within the intended scope of your policy have system-assigned identity enabled and granted Storage Blob Data Reader (or equivalent) permissions on the Storage Blob containing the package. See How to develop a custom machine configuration package to learn how to create and upload a custom package.
- Download version 4.10.0 or later of the Guest Configuration PowerShell Module to use its cmdlets to author a managed identity-based Machine Configuration policy.
- Follow the guidance in our official documentation on how to develop a custom machine configuration package.
To generate the Azure Policy definition using our Guest Configuration PowerShell Module, pass the package path to the New-GuestConfigurationPolicy cmdlet. For system-assigned identities, use the -UseSystemAssignedIdentity flag instead of specifying a managed identity resource ID. You must still include the local path of the package as a parameter so that the module can validate the package and generate its hash.
Example PowerShell snippet:
$PolicyConfig = @{
    PolicyId         = '_My GUID_'
    # Plain blob URL: no SAS token is appended when a managed identity is used
    ContentUri       = 'https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip'
    DisplayName      = 'My deployment policy'
    Description      = 'My deployment policy'
    Path             = './policies/deployIfNotExists.json'
    Platform         = 'Windows'
    PolicyVersion    = '1.0.0'
    Mode             = 'ApplyAndAutoCorrect'
    # Required for managed identity package authoring: used to validate the package and compute its hash
    LocalContentPath = 'C:\Local\Path\To\Package'
}
New-GuestConfigurationPolicy @PolicyConfig -UseSystemAssignedIdentity
Example Policy definition metadata snippet:
...
"metadata": {
    "category": "Guest Configuration",
    "version": "1.0.0",
    "requiredProviders": [ "Microsoft.GuestConfiguration" ],
    "guestConfiguration": {
        "name": "TimeZone",
        "version": "1.0.0",
        "contentType": "Custom",
        "contentUri": "https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip",
        "contentHash": "HASHVALUE",
        "contentManagedIdentity": "system"
    },
    ...
}
You can now pass the file path of the policy definition as an argument in the New-AzPolicyDefinition cmdlet to upload your custom policy definition to Azure! With this feature you can take advantage of the simplicity of managed identities when deploying secure configurations.
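The prerequisites and authoring steps above, scripted end to end, as an added example that is not code from the original post or from the Machine Configuration module; the resource group, VM, storage account, container, local package path and the TimeZone naming are assumptions, and a freshly generated GUID stands in for the '_My GUID_' placeholder:

```powershell
# Added example (not from the original post): names, paths and the GUID are assumptions.
$rg        = 'rg-machineconfig'
$vmName    = 'vm-web01'
$saName    = 'yourstorageaccount'
$container = 'yourcontainer'
$localPkg  = 'C:\Local\Path\To\Package'
$defFile   = './policies/deployIfNotExists.json'

# 1. Enable the system-assigned identity on the VM (skipped if already on).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if ($vm.Identity.Type -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
}
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

# 2. Grant Storage Blob Data Reader scoped to the package container only.
$sa    = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$scope = "$($sa.Id)/blobServices/default/containers/$container"
$role  = 'Storage Blob Data Reader'
if (-not (Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope)) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope | Out-Null
}

# 3. With identity-based access in place, block anonymous blob access on the account.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AllowBlobPublicAccess $false | Out-Null

# 4. Generate the definition: plain blob URL (no SAS), identity flag, local path for hashing.
$policyConfig = @{
    PolicyId         = [guid]::NewGuid().ToString()
    ContentUri       = "https://$saName.blob.core.windows.net/$container/package.zip"
    DisplayName      = 'Deploy TimeZone configuration'
    Description      = 'Applies the custom TimeZone package via the system-assigned identity'
    Path             = $defFile
    Platform         = 'Windows'
    PolicyVersion    = '1.0.0'
    Mode             = 'ApplyAndAutoCorrect'
    LocalContentPath = $localPkg
}
New-GuestConfigurationPolicy @policyConfig -UseSystemAssignedIdentity | Out-Null

# 5. Verify the generated JSON before upload: identity must be 'system', hash populated, no SAS.
$json = Get-Content -Path $defFile -Raw | ConvertFrom-Json
$gc   = if ($json.properties) { $json.properties.metadata.guestConfiguration } else { $json.metadata.guestConfiguration }
if ($gc.contentManagedIdentity -ne 'system' -or -not $gc.contentHash -or $gc.contentUri -match '[?&]sig=') {
    throw 'Generated definition does not use the system-assigned identity, lacks a hash, or still carries a SAS token'
}

# 6. Upload the definition to Azure.
New-AzPolicyDefinition -Name $policyConfig.PolicyId -Policy $defFile
```

For Arc-enabled servers, substitute the machine identity's PrincipalId reported by Get-AzConnectedMachine for the VM lookup in step 1. Role assignments can take a few minutes to propagate before the agent is able to download the package.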
Feature Limitations
- For the machine to download the assigned package and apply the policy, the Guest Configuration Agent must be version 1.29.98.0 or higher for Windows and 1.26.93.0 or higher for Linux.
- To ensure successful enforcement, the generated Azure Policy definition must call the API version 2024-04-05 or later.
Learn more about Machine Configuration in the documentation.
Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge of $6/server/month. You only pay the charge once no matter how many machine configuration policies you apply to the server. If policies are assigned by Microsoft Defender for Servers Plan 2 or the policy is an Azure Security Benchmark, no charges will be incurred. Additionally, if Azure Change Tracking or Inventory Management are being used or the server is on Azure Stack HCI with Connected Machine agent version 1.13, no charges will be incurred.