Azure Machine Configuration now supports User Assigned Identities for private access to configuration packages in Azure Storage, enhancing your cloud security and management.
Azure Machine Configuration remains committed to enabling greater security and simplicity in at-scale server management for all Azure customers. Machine Configuration (previously known as Azure Policy Guest Configuration) enables both built-in and custom configuration as code allowing you to audit and configure OS, app, and workload level settings at scale, both for machines running in Azure and hybrid Azure Arc-enabled servers.
We are excited to announce the general availability of User Assigned Identities for private access to configuration packages stored in Azure Storage Blobs. This feature replaces the previous approach of granting the machine access to the package either through a Shared Access Signature (SAS) token embedded in the package URL or through a publicly (anonymously) readable container.
What’s new? Custom Machine Configuration policy definitions can now reference the resource ID of a User Assigned Identity that has read permissions on the Azure Storage Blob holding the package. Once the policy is assigned, any Azure Virtual Machine to which that identity is assigned downloads the configuration package from Azure Storage privately, authenticating as the identity. With this release you no longer need to generate a SAS token when referencing the URL of a custom package in a custom policy definition, which in turn lets you block anonymous access on the Azure Storage accounts where your configuration packages are stored.
Getting started
For this feature to work successfully, you first need to:
- Deploy the Machine Configuration extension at scale across all virtual machines by assigning the following policy initiative: Deploy prerequisites to enable machine configuration policies on virtual machines. See Guest Configuration - Azure Policy for more.
- Ensure that every Virtual Machine within the intended scope of your policy has the User Assigned Identity assigned to it, and that the identity has read permissions (for example, Storage Blob Data Reader) on the Storage Blob containing the package. See How to develop a custom machine configuration package to learn how to create and upload a custom package.
- Install version 4.6.0 or later of the GuestConfiguration PowerShell module; earlier versions do not expose the parameters needed to author a managed identity-based Machine Configuration policy.
- Follow the guidance in our official documentation on how to develop a custom machine configuration package.
To generate the Azure Policy definition with the GuestConfiguration PowerShell module, pass the resource ID of the managed identity to the New-GuestConfigurationPolicy cmdlet. You must also supply the local path of the package so the cmdlet can validate it and compute its hash; the hash is embedded in the definition and the agent uses it to verify the package it downloads. Include the -ExcludeArcMachines switch whenever you reference a User Assigned Identity: it removes Azure Arc-enabled machines from the applicability of the policy definition, because they cannot use this identity type (see Feature Limitations below). The code snippet below shows how to do this.
# URL of the package blob, with no SAS token appended
$contentUri = 'https://MyStorageAccount.blob.core.windows.net/MyContainer/MyPackage.zip'

$PolicyConfig = @{
    PolicyId      = '_My GUID_'
    ContentUri    = $contentUri
    DisplayName   = 'My deployment policy'
    Description   = 'My deployment policy'
    Path          = './policies/deployIfNotExists.json'
    Platform      = 'Windows'
    PolicyVersion = '1.0.0'   # quote the version: 1.0.0 is not a valid PowerShell literal
    Mode          = 'ApplyAndAutoCorrect'
    # Required parameter for managed identity: local copy of the package, used for validation and hash generation
    LocalContentPath = "C:\Local\Path\To\Package"
    # Required parameter for managed identity: resource ID of the User Assigned Identity
    ManagedIdentityResourceId = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}"
}
New-GuestConfigurationPolicy @PolicyConfig -ExcludeArcMachines
The metadata section of the resultant policy definition will look as follows:
{
  ...
  "metadata": {
    "category": "Guest Configuration",
    "version": "1.0.0",
    "requiredProviders": [ "Microsoft.GuestConfiguration" ],
    "guestConfiguration": {
      "name": "sampleName",
      "version": "1.0.0",
      "contentType": "Custom",
      "contentUri": "https://MyStorageAccount.blob.core.windows.net/MyContainer/MyPackage.zip",
      "contentHash": "HASHVALUE",
      "contentManagedIdentity": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}"
    }
  },
  ...
}
You can now pass the file path of the generated policy definition to the -Policy parameter of the New-AzPolicyDefinition cmdlet to create your custom policy definition in Azure. With this feature you get the simplicity of managed identities when deploying secure configurations, and your package URL no longer carries a secret.
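The following script is an added end-to-end example, not code from the original post or from the Machine Configuration team. It carries out the steps above in order: create the identity, grant it read access scoped to one container, disable anonymous blob access on the account, upload the package, attach the identity to the VMs without dropping identities they already have, generate and sanity-check the definition, then publish and assign it. All resource names, the subscription ID and the VM list are placeholders. It assumes the package zip has already been built (for example with New-GuestConfigurationPackage) at the path shown, that -LocalContentPath takes the zip file itself, that New-GuestConfigurationPolicy returns an object whose Path property is the generated definition file, and recent Az modules (New-AzPolicyAssignment -IdentityType).

```powershell
# Added example (not from the original post). Placeholders throughout; the package zip is assumed to exist.
#Requires -Modules Az.Accounts, Az.Resources, Az.ManagedServiceIdentity, Az.Storage, Az.Compute
#Requires -Modules @{ ModuleName = 'GuestConfiguration'; ModuleVersion = '4.6.0' }
$ErrorActionPreference = 'Stop'

$subscriptionId = '00000000-0000-0000-0000-000000000000'    # placeholder
$rg             = 'rg-machine-config'                       # placeholder
$location       = 'eastus'
$identityName   = 'id-machine-config-reader'
$storageName    = 'stmachineconfig001'                      # placeholder, must be globally unique
$containerName  = 'packages'
$blobName       = 'MyPackage.zip'
$packageZip     = 'C:\Local\Path\To\Package\MyPackage.zip'  # assumed: output of New-GuestConfigurationPackage
$vmNames        = @('vm-app-01', 'vm-app-02')               # Azure VMs only; Arc machines are excluded below

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Identity with read-only data-plane rights, scoped to the one container rather than the whole account.
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $identityName -Location $location
$containerScope = "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage" +
                  "/storageAccounts/$storageName/blobServices/default/containers/$containerName"
New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $containerScope | Out-Null

# 2. Close the anonymous path the identity replaces.
Set-AzStorageAccount -ResourceGroupName $rg -Name $storageName -AllowBlobPublicAccess $false | Out-Null

# 3. Upload the package with the operator's own Entra credentials (needs Storage Blob Data Contributor).
$ctx = New-AzStorageContext -StorageAccountName $storageName -UseConnectedAccount
Set-AzStorageBlobContent -File $packageZip -Container $containerName -Blob $blobName -Context $ctx -Force | Out-Null
$contentUri = "https://$storageName.blob.core.windows.net/$containerName/$blobName"   # plain URL, no SAS

# 4. Attach the identity to each VM. -IdentityType UserAssigned replaces the VM's identity configuration,
#    so keep a system-assigned identity and any user-assigned identities the VM already has.
foreach ($vmName in $vmNames) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
    $existingIds = @()
    $hasSystem   = $false
    if ($vm.Identity) {
        $hasSystem = [bool]($vm.Identity.Type -match 'SystemAssigned')
        if ($vm.Identity.UserAssignedIdentities) { $existingIds = @($vm.Identity.UserAssignedIdentities.Keys) }
    }
    $identityType = if ($hasSystem) { 'SystemAssignedUserAssigned' } else { 'UserAssigned' }
    $ids = @($existingIds + $identity.Id | Select-Object -Unique)
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType $identityType -IdentityId $ids | Out-Null
}

# 5. Generate the definition. The local zip is hashed so the agent can verify the blob it downloads.
$PolicyConfig = @{
    PolicyId                  = (New-Guid).Guid
    ContentUri                = $contentUri
    DisplayName               = 'Deploy MyPackage via user-assigned identity'
    Description               = 'Applies MyPackage, downloaded from a private blob container with a user-assigned identity'
    Path                      = './policies/deployIfNotExists.json'
    Platform                  = 'Windows'
    PolicyVersion             = '1.0.0'
    Mode                      = 'ApplyAndAutoCorrect'
    LocalContentPath          = $packageZip
    ManagedIdentityResourceId = $identity.Id
}
$policy = New-GuestConfigurationPolicy @PolicyConfig -ExcludeArcMachines

# 6. Sanity-check the generated definition before publishing it.
$def  = Get-Content $policy.Path -Raw | ConvertFrom-Json
$meta = if ($def.properties) { $def.properties.metadata } else { $def.metadata }
if ($meta.guestConfiguration.contentManagedIdentity -ne $identity.Id) { throw 'Definition does not reference the identity.' }
if ($meta.guestConfiguration.contentUri -match '\?') { throw 'contentUri still carries a SAS query string.' }
if ((Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName).AllowBlobPublicAccess) { throw 'Anonymous blob access is still enabled.' }

# 7. Publish and assign. A DeployIfNotExists assignment runs under its own identity, which needs the
#    role the definition's roleDefinitionIds expects; new principals can take a moment to replicate.
$definition = New-AzPolicyDefinition -Name 'deploy-mypackage-uai' -DisplayName $PolicyConfig.DisplayName -Policy $policy.Path
$scope      = "/subscriptions/$subscriptionId/resourceGroups/$rg"
$assignment = New-AzPolicyAssignment -Name 'deploy-mypackage-uai' -PolicyDefinition $definition -Scope $scope `
    -IdentityType SystemAssigned -Location $location
$attempt = 0
while ($true) {
    try {
        New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
            -RoleDefinitionName 'Guest Configuration Resource Contributor' -Scope $scope | Out-Null
        break
    } catch {
        if (++$attempt -ge 5) { throw }
        Start-Sleep -Seconds 10
    }
}
```

Run this from an account that can create role assignments on the resource group (Owner or User Access Administrator) and that holds Storage Blob Data Contributor on the account for the upload step. DeployIfNotExists only fires when a VM is created or updated, so existing VMs need a remediation task (Start-AzPolicyRemediation from Az.PolicyInsights) before the package is applied to them, and RBAC changes can take a few minutes to propagate, so an evaluation that runs immediately after the role assignment may report a download failure that clears on the next cycle. The three checks in step 6 are the ones worth keeping in a pipeline: they catch a definition built without the identity, a SAS token that crept back into the URL, and an account that was never locked down.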
Feature Limitations
- At this time, Arc machines do not support User Assigned Identities. This feature is currently only applicable to Azure Virtual Machines.
- For the Azure VM to download the assigned package and apply the policy, the Guest Configuration Agent must be version 1.29.82.0 or higher for Windows and version 1.26.76.0 or higher for Linux.
- To ensure successful enforcement, the generated Azure Policy definition must call the API version "2024-04-05" or later.
Learn more about Machine Configuration in the documentation.
Please note that the use of Azure Machine Configuration on Azure Arc-enabled servers will incur a charge of $6/server/month. You only pay the charge once no matter how many machine configuration policies you apply to the server. If policies are assigned by Microsoft Defender for Servers Plan 2 or the policy is an Azure Security Benchmark, no charges will be incurred. Additionally, if Azure Change Tracking or Inventory Management are being used or the server is on Azure Stack HCI with Connected Machine agent version 1.13, no charges will be incurred.