Azure Security Center Monitoring Agent Deployment Options

Published 08-26-2019 09:36 AM 16.4K Views



Security Center  is segmented as a Cloud Security Posture Management (CSPM) and Cloud Workload protection Platform product (CWPP). CWPPs is defined by workload-centric security protection solutions, which are typically agent-based. To be able to protect IaaS VM's, on-premises servers and other clouds server’s security Center uses agent-based monitoring.


In this blogpost, we want to help you understand the options available to protect your resources and the advantages and disadvantages.


Types of Agents & Methods to Deploy


There are two types  of agents:

  1. Direct Agent (MMA Setup file)
  2. Log Analytics Agent extension

Direct agent:


The direct agent is a  standalone installation. This installation is an MSI\EXE file hence, organizations can leverage a deployment tool such as System Center Configuration Manager or other scripted way to deploy it.


To extend visibility and security center capabilities, we can install the agent on computers running outside of Azure, including resources running on-premises and in other clouds.

When installing the direct agent, we will need to supply two parameters:

  1. Workspace ID to connect the VM to your respective log analytics workspace
  2. Workspace secret key, for authentication

Here is how you obtain and install the Direct Agent from the Azure security center portal:







For additional details on how to extend visibility for resources running outside of Azure, please refer to the following links:

Onboard Windows Computers to Azure Security Center

Onboard Linux Computers to Azure Security Center


Log Analytics Agent Extension


The extension installs the Log Analytics agent on Azure virtual machines and enrolls virtual machines into an existing Log Analytics workspace.

For details on supported Windows and Linux operating systems, check out the following documents:


Methods to deploy the Log Analytics Agent extension


  1. Azure security center automatic provisioning - In reality, with auto provisioning, Security Center creates a new resource group and default workspace in that geolocation and connects the agent to that workspace. The naming convention for the workspace and resource group is:

Workspace: DefaultWorkspace-[subscription-ID]-[geo]

Resource Group: DefaultResourceGroup-[geo]


For additional details, read the data collection document.



  • The automatic installation process run every ~15mins, your resources are quickly secured
  • Automatic discovery of any new and existing VM’s - Any new or existing VM without the Log Analytics agent extension, will have it provisioned and connected.
  • Azure Security Center can automatically create a new workspace if you choose to use default workspace. However, you also have the option to use an existing workspace.
  • Data collected from Azure VMs will be stored in the workspace created by Security Center or the workspace specified.


  • Does not work with VMSS server (virtual machine scale set)
  • Does not support VM exclusion – if you do not want to install the agent on specific VM for some reason, this method will not let us, and it will try to install it time after time.


  1. Manual installation – you can only install the agent on single VM by opening log analytics relevant workspace, select one VM's and connect it to the workspace, by doing so you will install the extension on the VM.


  • Time to deploy - the installation process starts as soon as you click on the connect button.
  • VM Exclusion – flexibility and control to choose which resources you want to onboard and those you want to exclude


  • Does not support scalability, will need to deploy separately on each resource
  • No mechanism to discover new resources
  • Does not work with VMSS server (virtual machine scale set)


  1. Azure policy – you can assign a built-in policy at the management group, subscription, or resource group level that will deploy a new Log Analytics agent extension on a new resources.
    Log Analytics Agent Extension Policy DefinitionsLog Analytics Agent Extension Policy Definitions





    Below is an example of Linux policy assignment

    Linux Policy AssignmentLinux Policy Assignment



  • Automatic Discovery
  • Provisioning process is very quick (It is quick for the deployment, but the policy evaluation runs every 30 min, give or take :smiling_face_with_smiling_eyes:Visibility into agent compliance
  • Supports Virtual Machine Scale Sets (VMSS)


  • You will need to define a workspace within the policy assignment as a target workspace (Azure Security Center will not create the default workspace in this method)
  • Does not work for existing VM’s - only in a green field scenario.


4.ARM template – We can integrate the Log Analytics agent extension to a VM creation process by leveraging ARM template.


Template Example for Log analytics agent (MMA extension) installation of Windows VM, this part should integrate in VM deployment template:





  • Automated fashion
  • Virtual Machines are protected from the creation time
  • Full integration with your existing CI/CD tools.
  • If you have used ARM template before, it is very straightforward process


  • If you have never used ARM template, it requires expertise to build an ARM template

PowerShell installation - Link for example scripts


5. System Center Configuration (SCCM)



  • Deployment at large scale
  • Able to retrieve rich reports about installation status
  • Seamless process to update the agent



    6. SCOM Agent

  • If you already have an existing deployment of SCOM agents that are connected to a SCOM management serve, you can leverage the same agents and connect the SCOM management server to the log analytics workspace.

Benefits of Using the Log Analytics agent  extension


The recommended practice is to utilize the Log Analytics VM extension. The Log Analytics VM extension has the following advantages over using the Direct Agent:


  • The lifecycle of the VM extension can be managed through ARM templates, Azure CLI and PowerShell, including installing, updating and removal of the VM extension
    • Installing the Direct Agent requires interacting with the VM, manually or through an Enterprise Management Solution, like System Center Configuration Manager.
  • The Log Analytics VM extension will be automatically updated and will therefore always run the latest version of the agent


In this blogpost, we provided details on the options available to provide protection for your hybrid resources and the advantage and disadvantage. For more information on how Azure Security Center provides co visit our documentation below:

Azure Security Center Documentation


Kudos to @Yaniv Shasha for the great collaboration! :smile:








Occasional Visitor
Hi Cristhofer, Are there any functional differences between the MMA and LAA agents or is it the same agent, that are distributed differently? Regards Peter
Occasional Visitor
Hi Cristhofer, It seems to me that stuff is moving from ASC to Azure Monitor and Azure Policy. Is it the plan to move the on-boarding of VMs to Azure Policy instead of using ASC automatic provisioning? Regards Peter
Respected Contributor

Item 5 Advantages has a typo, no such word as tssso 

Version history
Last update:
‎Sep 21 2020 05:55 AM
Updated by: