Log Analytics Agent-based Azure Management Services: Shut down starting 28 February 2025
Overview The legacy Log Analytics (LA) agent, which has played a critical role in transferring data logs for software and applications to Azure, was deprecated on August 31, 2024. Subsequently, all Azure services and solutions relying on the Log Analytics agent for data collection are also being phased out. This transition ensures a seamless shift to more robust replacement products, enhancing continuity, security, and performance for customers' IT estates. Two of the Azure Automation solutions provided management of machines using the LA agent namely, Azure Automation Update Management for streamline software update deployment & Azure Change Tracking & Inventory for tracking changes and inventory for in-guest environments. These agent-based services were also deprecated on 31 st August 2024. Over the last 6 months, these solutions were maintained, giving customers time to move their management processes to the replacement products. In order to ensure a security posture of the customer environments, these LA agent-based solutions will be completely shut down starting 28 th February 2025. You may encounter your existing patching jobs fail and staleness in the changes data in the log analytics workspace after this date. Following captures further details on the impact to operations for the machines that continue to be on these solutions and provides additional guidance. What will change after 28 th February 2025? a) You will not be able to access both Azure Automation Update Management & Azure Change Tracking & Inventory enabled with the LA agent from the Azure Portal. b) For Azure Automation Update Management, no new periodic assessments or patching data corresponding to configured machines will be populated. c) For Change Tracking & Inventory with LA agent, no new changes or inventory logs will be captured. Note: Historical data for the last 30 days will continue to be available in LA workspace and can be directly queried from the LA tables LA workspace table Purpose ConfigurationData To obtain inventory logs for auditing and compliance needs ConfigurationChange To obtain logs corresponding to the changes made in customer environment Update To query periodic assessments and patched updates data for pending updates view What next? If you have any machines configured with legacy version of above-mentioned services, please use one of the following available methods to migrate to replacements products – Product Service Product Migration Guidance Azure Change Tracking & Inventory with LA agent a) Migrate to Azure Monitoring Agent (AMA) version of Change Tracking & Inventory – Using Azure Portal Using PowerShell b) If you have enabled File Integrity monitoring (FIM) with LA agent & managing it via Change Tracking & Inventory experience, here are the available options to migrate to - Move to Change Tracking & Inventory with AMAfor enhanced insights for data types including Files, Registry Keys, Software, Windows Services, Linux Daemons, File content changes. Move to FIM with MDE (part of Defender for Servers Plan 2) Azure Automation Update Management Migrate to Azure Update Manager (Does not rely on AMA) Using Azure Portal Using Runbook scripts Additionally, you can refer to these instructions to disable LA agent from your environment. Please feel free to reach out to us on aumpm@microsoft.com for any queries or feedback.Azure Change Tracking & Inventory: Simplified onboarding to manage in-guest changes on Azure Arc VMs
Explore new Azure native few clicks onboarding experience for Change Tracking & Inventory on Azure Arc servers, streamlining in-guest change management operations, while strengthening your adaptive cloud strategy.Azure Automation is revising Service and Subscription Limits
Starting 7 th January 2025, Azure Automation will be revising its Service and Subscription limits to ensure fair distribution of cloud resources across all customers. This change is another step towards improving the reliability and performance of the service while optimizing resource utilization. Since the resource requirements vary across organizations and evolve over time, we are empowering customers to configure their quotas based on actual usage. Revised limits The current Service and Subscription limits for Azure Automation can be found here. To start with, we are revising the limits for two resources: Maximum number of Automation accounts in a subscription in a region. Maximum number of concurrent running jobs at the same instance of time per Automation account You will get an error message when you exceed the limits mentioned below: Resource Limit Notes Maximum number of Automation accounts in a subscription in a region 10 2 1 Enterprise and CSP subscriptions would be able to create accounts in any of the regions supported by the service. Pay-as-you-go, Sponsored, MSDN, MPN, Azure Pass subscriptions can create Automation accounts in any of the regions supported by the service. Free trial, Azure for Student, Azure in Open subscriptions can create only one Automation account per region per subscription. Allowed list of regions: EastUS, EastUS2, WestUS, NorthEurope, SoutheastAsia, and JapanWest2 Maximum number of concurrent running jobs at the same instance of time per Automation account per region 50 10 5 Enterprise and CSP subscriptions Pay-as-you-go, Sponsored, MSDN, MPN, Azure Pass subscriptions Free trial, Azure for Student, Azure in Open subscriptions Frequently asked questions When will the new limits come into effect? New limits would be effective starting 7 th January 2025 across all commercial regions. Your patience during the transition period is appreciated. How do I check my current resource usage? You will be able to check your usage of Automation accounts and concurrently running jobs through Quotas service on Azure portal or while creating a support request under the category ‘Service and Subscription limits (Quotas)’. Quotas service on Azure portal will be enabled once deployment starts in January 2025. My current usage is more than the revised limits. What should I do? Rest assured that your current usage of both resources - Automation accounts and concurrent running jobs - will be honored and will not be impacted. For example, consider you are an Enterprise customer. Your new limit is 10 Automation accounts and current usage is 12 accounts. Even though your usage is higher than the new limit, your usage of 12 accounts would be honored and then considered as your new limit. When you exceed the new limit of 12 accounts, you would get an error. I need more resources than my current limits. What should I do? You will get complete control to request for quota increase and decrease based on your changing business requirements. Once the changes are deployed in January 2025, you will be able to check your current usage, current limit and request for quota changes by creating a support request under the category ‘Service and Subscription limits (Quotas)’ for ‘Azure Automation’. Detailed steps to request for quota changes would be shared once deployment starts in January 2025. Please feel free to reach out to askazureautomation@microsoft.com for any questions or feedback.Rehosting On-Premises Process Automation when migrating to Azure
Many enterprises seek to migrate on-premises IT infrastructure to cloud for cost optimization, scalability, and enhanced reliability. During modernization, key aspect is to transition automated processes from on-premises environments, where tasks are automated using scripts (PowerShell or Python) and tools like Windows Task Scheduler or System Center Service Management Automation (SMA). This blog showcases successful transitions of customer automated processes to the cloud with Azure Automation, emphasizing script re-use and modernization through smart integrations with complementing Azure products. Using runbooks in PowerShell or Python, the platform supports PowerShell versions 5.1, and PowerShell 7.2. To learn more, click here. Additionally, Azure Automation provides seamless certificate authentication with managed identity, eliminating the need to manage certificates and credentials while rehosting. Azure Automation safeguards the keys and passwords by wrapping the encryption key with the customer-managed key associated to key vault. Integration with Azure Monitor coupled with Automation’s native job logs equip the customers with advanced monitoring and error/failure management. Azure Automation platform efficiently manages long-running scripts in the cloud or on-premises with resource limits options with Hybrid runbook worker. Hybrid runbook worker also equips you to automate workloads off-Azure while utilizing the goodness of Azure Automation runbooks. Rehosting on-premises operations with minimal effort covers scenarios listed below. Additional efforts involve modernizing scripts for cloud-native management of secrets, certificates, logging, and monitoring. – State configuration management - Monitor state changes in the infrastructure and generate insights/alerts for subsequent actions. Build, deploy and manage resources - Deploy virtual machines across a hybrid environment using runbooks. This is not entirely serverless and requires relatively higher manual effort in rehosting. Periodic maintenance - to execute tasks that need to be performed at set timed intervals like purging stale data or reindex a SQL database. Checking for orphaned computer and users in Active Directory Windows Update notifications Respond to alerts - Orchestrate a response when cost-based (e.g. VM cost consumption), system-based, service-based, and/or resource utilization alerts are generated. Specifically, here are some of the scenarios of managing state configuration of M365 suite where our customer rehosted the on-premises PowerShell script to cloud with Azure Automation Scenarios for State Configuration Management of M365 Suite User Permission & access control management Mailbox alerts configuration Configuring SharePoint sites availability Synchronizing Office 365 with internal applications Example: Rehosting User Permission & access control management in M365 mailboxes Here is how one of the customers rehosted a heavy monolithic PowerShell script to Azure. The objective of the job was to identify – List of shared mailboxes --> list of permissions existing for these mailboxes --> users & groups mapped to the mailboxes --> list of permissions granted (& modified overtime) to these users/groups --> Final output with a view of Mailbox Id, Groups, Users, Permissions provided, Permissions modified (with timestamps). 1. Shared mailboxes credentials ########################################### # Get Shared Mailboxes ########################################### $forSharedMailboxes = @{ Properties = "GrantSendOnBehalfTo" RecipientTypeDetails = "SharedMailbox" ResultSize = "Unlimited" } $sharedMailboxes = Get-EXOMailbox @forSharedMailboxes 2. Obtain shared Mailbox permissions ########################################### # Get Shared Mailbox Permissions ########################################### $sharedMailboxesPermissions = foreach ($sharedMailbox in $sharedMailboxes) { # ------------------------------------------------------------------------------------------------------- # Get Send As Permissions # ------------------------------------------------------------------------------------------------------- try { $forTheSharedMailbox = @{ Identity = $sharedMailbox.Identity ResultSize = "Unlimited" } $recipientPermissions = @(Get-EXORecipientPermission @forTheSharedMailbox) $recipientPermissions = $recipientPermissions.Where({ $_.Trustee -ne "NT AUTHORITY\SELF" }) $recipientPermissions = $recipientPermissions.Where({ $_.Trustee -notlike "S-1-5-21*" }) if ($recipientPermissions) { foreach ($recipientPermission in $recipientPermissions) { [SharedMailboxPermission]@{ MailboxDisplayName = $sharedMailbox.DisplayName MailboxEmailAddresses = $sharedMailbox.EmailAddresses MailboxId = $sharedMailbox.Id MailboxUserPrincipalName = $sharedMailbox.UserPrincipalName Permission = $recipientPermission.AccessRights PermissionExchangeObject = $recipientPermission.Trustee } } } } catch { Write-Warning ("Getting send as permissions for $($sharedMailbox.Identity).") continue } 3. User & groups mapped to the mailboxes ########################################### # Get Entra and Exchange User Objects ########################################### $forEntraAndExchangeUserObjects = @{ Connection = $forTheSharedMailboxGovernanceSite Identity = $entraAndExchangeUserObjectListRelativeUrl } $userObjectsList = Get-PnPList @forEntraAndExchangeUserObjects $fromTheEntraAndExchangeUserObjectsList = @{ Connection = $forTheSharedMailboxGovernanceSite List = $userObjectsList PageSize = 5000 } $userObjectsListItems = (Get-PnPListItem @fromTheEntraAndExchangeUserObjectsList).FieldValues ########################################### # Get Entra and Exchange Group Objects ########################################### $forEntraAndExchangeGroupObjects = @{ Connection = $forTheSharedMailboxGovernanceSite Identity = $entraAndExchangeGroupObjectListRelativeUrl } $groupObjectsList = Get-PnPList @forEntraAndExchangeGroupObjects $fromTheEntraAndExchangeGroupObjectsList = @{ Connection = $forTheSharedMailboxGovernanceSite List = $groupObjectsList PageSize = 5000 } $groupObjectsListItems = (Get-PnPListItem @fromTheEntraAndExchangeGroupObjectsList).FieldValues 4. List of permissions granted (& modified overtime) to these users/groups # ---------------------------------------- # Get Full Access Permissions # ------------------------------------- try { $forTheSharedMailbox = @{ Identity = $sharedMailbox.Identity ResultSize = "Unlimited" } $mailboxPermissions = @(Get-EXOMailboxPermission @forTheSharedMailbox) $mailboxPermissions = $mailboxPermissions.Where({ $_.User -ne "NT AUTHORITY\SELF" }) $mailboxPermissions = $mailboxPermissions.Where({ $_.User -notlike "S-1-5-21*" }) if ($mailboxPermissions) { foreach ($mailboxPermission in $mailboxPermissions) { [SharedMailboxPermission]@{ MailboxDisplayName = $sharedMailbox.DisplayName MailboxEmailAddresses = $sharedMailbox.EmailAddresses MailboxId = $sharedMailbox.Id MailboxUserPrincipalName = $sharedMailbox.UserPrincipalName Permission = $mailboxPermission.AccessRights PermissionExchangeObject = $mailboxPermission.User } } } } catch { Write-Warning ("Getting full access permissions for $($sharedMailbox.Identity).") continue } # ------------------------------------------------------------------------------------------------------- # Get Send On Behalf Of Permissions # ------------------------------------------------------------------------------------------------------- $grantSendOnBehalfToPermissions = @($sharedMailbox.GrantSendOnBehalfTo) $grantSendOnBehalfToPermissions = $grantSendOnBehalfToPermissions.Where({ $_ -notlike "S-1-5-21*" }) if ($grantSendOnBehalfToPermissions) { foreach ($grantSendOnBehalfToPermission in $grantSendOnBehalfToPermissions) { [SharedMailboxPermission]@{ MailboxDisplayName = $sharedMailbox.DisplayName MailboxEmailAddresses = $sharedMailbox.EmailAddresses MailboxId = $sharedMailbox.Id MailboxUserPrincipalName = $sharedMailbox.UserPrincipalName Permission = "SendOnBehalfOf" PermissionExchangeObject = $grantSendOnBehalfToPermission } } } } As the customer modernized from On-premises to Azure via Azure Automation, the following list captures the aspects that have to be updated. The changes were mostly an improvement in terms of experience offered by Azure Automation leveraging smart integrations with other Azure capabilities and little to no reliance on custom scripts. Setup Logging & Monitoring methods - In On prem setup, customers authored custom scripts for logging, which was no more needed with Azure Automation. Customers utilized in-portal Azure Monitor integration to forward logs to Azure monitor, quey logs, and set up alerts for insights. Handling certificate authentication – Managed Identity based authentication provides improved means to store secrets and passwords without doing regular updates to code credentials. Azure Automation supports both PS script and in-built portal experience to configure Managed Identity Storing passwords and security keys – Key Vault integration with Azure Automation helped the customers to transition this on-prem experience seamlessly. The sample PS script below is recommended to enable Key Vault integration. Install-Module -Name Microsoft.PowerShell.SecretManagement -Repository PSGallery -Force Install-Module Az.KeyVault -Repository PSGallery -Force Import-Module Microsoft.PowerShell.SecretManagement Import-Module Az.KeyVault $VaultParameters = @{ AZKVaultName = $vaultName SubscriptionId = $subID } Register-SecretVault -Module Az.KeyVault -Name AzKV -VaultParameters $VaultParameters If you are currently utilizing Azure Automation for rehosting such light weight environment agnostic operations from on-prem to cloud or want to know more details, please reach out to us on askazureautomation@microsoft.com.Azure Automation: A Comprehensive Recap of 2022 and What's Coming
Looking Back and Moving Forward: A Comprehensive Recap of 2022 and a Sneak Peek into What's Coming Next. Discover the key highlights and accomplishments of the past year and an update on the exciting developments to watch out for in the future.
