AZ-104 | Chapter 58 of 168 | Objective 1.2

Azure Arc for Servers

This chapter covers Azure Arc for Servers, a foundational technology for hybrid and multi-cloud management in the Azure ecosystem. For the AZ-104 exam, understanding Azure Arc is essential because it appears in the 'Manage identities and governance' domain (objective 1.2) and is tested in approximately 5-10% of exam questions. You will need to know how to onboard servers, manage them via Azure Policy, and troubleshoot connectivity. This chapter provides the depth you need to answer questions confidently and avoid common traps.

25 min read
Intermediate
Updated May 31, 2026

The Universal Remote for Your Servers

Imagine you run a company with offices in Chicago, London, and Tokyo. Each office has its own local IT team and servers, but you want to manage all of them from a single dashboard in your New York headquarters. Azure Arc for Servers is like giving each server a universal remote that connects back to your central control room. The remote doesn't move the server; it just sends a signal. Specifically, you install a small agent on each server (like pairing a remote with a TV). This agent establishes an outbound HTTPS connection to Azure Arc, using a unique resource ID and certificate. The agent then polls Azure Arc every 30 seconds for policy assignments, configurations, or commands. When you assign an Azure Policy or enable Defender for Cloud from the Azure portal, the agent receives the policy definition and applies it locally using PowerShell DSC (Desired State Configuration) or a custom script extension. The server itself remains wherever it is—on-premises, in another cloud—but from Azure's perspective, it appears as an Azure resource with its own resource ID, tags, and management capabilities. You can even use Azure RBAC to control who can manage it. The key is that the connection is always outbound from the server to Azure, so no inbound ports need to be opened through firewalls. This is critical for security. If the connection drops, the server continues operating with its last known policy state until the next successful poll.

How It Actually Works

What is Azure Arc for Servers?

Azure Arc for Servers is a service that extends Azure Resource Manager (ARM) to any server running outside of Azure—on-premises, in other public clouds (AWS, GCP), or at the edge. It allows you to manage these servers as if they were native Azure VMs, using Azure management tools like Azure Policy, Microsoft Defender for Cloud, Azure Monitor, and Update Management. The server becomes a 'hybrid machine' resource in Azure, with a consistent resource ID, location, tags, and RBAC permissions.

Why Does Azure Arc Exist?

Organizations often have a mix of environments—some workloads remain on-premises due to compliance, latency, or cost reasons. Before Azure Arc, managing these servers required separate tools, inconsistent policies, and manual processes. Azure Arc unifies management by projecting non-Azure servers into the Azure control plane. This enables centralized governance, security, and monitoring without migrating the server.

How It Works Internally

Azure Arc for Servers relies on the Azure Connected Machine agent. This agent is installed on each target server (Windows or Linux). The installation process registers the server with Azure Arc, creating a resource of type Microsoft.HybridCompute/machines in your Azure subscription. The agent communicates with Azure using outbound HTTPS (port 443) to the following endpoints:

- *.arc.azure.com
- *.his.arc.azure.com
- *.guestconfiguration.azure.com
- *.data.mcr.microsoft.com (for extensions)

The agent uses Azure AD authentication with a managed identity. During onboarding, you can use an interactive device login, a service principal, or a managed identity if the server is already in Azure. The agent polls Azure Arc every 30 seconds for changes to policy assignments, guest configuration assignments, and extension requests. This is called the 'heartbeat' interval.

Key Components, Values, and Defaults

Azure Connected Machine Agent: Version 1.0 or later. Installed via script or manual download.

Onboarding Methods:

- Interactive: azcmagent connect --subscription-id <id> --resource-group <rg> --location <region>
- Service principal: azcmagent connect --service-principal-id <id> --service-principal-secret <secret> --tenant-id <tenant> --subscription-id <id> --resource-group <rg> --location <region>
- At scale: Using Azure Policy with the 'Deploy prerequisites to enable Azure Arc' initiative.

Default Polling Interval: 30 seconds. Configurable via registry or configuration file.

Supported Operating Systems:

- Windows Server 2012 R2, 2016, 2019, 2022 (including Server Core)
- Ubuntu 16.04, 18.04, 20.04, 22.04 LTS
- CentOS 7, 8
- RHEL 7, 8
- SUSE Linux Enterprise Server 12 SP2+, 15 SP1+
- Debian 10, 11
- Oracle Linux 7, 8

Extensions: Azure Arc supports VM extensions like Custom Script, Dependency Agent (for Azure Monitor), Log Analytics Agent, and Azure Policy Guest Configuration. These are deployed via Azure Arc and run locally.

Network Requirements: Outbound HTTPS to the endpoints listed above. No inbound ports required. If using a proxy, configure the agent with the --proxy parameter.

Resource Limits: Up to 10,000 hybrid machines per subscription per region (soft limit, can be increased).

Configuration and Verification Commands

After installation, verify the agent status:

- azcmagent show – displays machine details, status (Connected/Disconnected), and agent version.
- azcmagent status – shows connection status and last heartbeat time.

To view the hybrid machine in Azure CLI:

az connectedmachine list --resource-group <rg>

To check connectivity:

azcmagent check

To disconnect a server:

azcmagent disconnect
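The service-principal onboarding from 'Onboarding Methods', the egress requirement from 'Network Requirements', and the status check above, combined into one per-server script. This is an added example written for this chapter, not Microsoft's or the course's code; the allow-list file and its path, and the ARC_* variable names, are assumptions, and --proxy is used as the chapter describes it.

```shell
#!/usr/bin/env bash
# Egress pre-check plus non-interactive (service principal) onboarding for one
# Arc-enabled server. Added example for this chapter, not Microsoft tooling; runs
# on the target server. The allow-list file, its path and the ARC_* names are assumed.
set -e

# Outbound HTTPS (443) destinations the chapter lists as required by the agent.
ARC_REQUIRED_ENDPOINTS='*.arc.azure.com
*.his.arc.azure.com
*.guestconfiguration.azure.com
*.data.mcr.microsoft.com'

# Compare the required patterns with a firewall/proxy allow-list export (one
# pattern per line). Prints each missing pattern and returns 1 if any is
# missing, so a blocked endpoint is caught before azcmagent connect fails.
check_egress_allowlist() {
  allowlist="$1"; missing=0
  while IFS= read -r pattern; do
    [ -n "$pattern" ] || continue
    if ! grep -Fxq -- "$pattern" "$allowlist"; then
      echo "MISSING from egress allow-list: $pattern"
      missing=1
    fi
  done <<EOF
$ARC_REQUIRED_ENDPOINTS
EOF
  return "$missing"
}

# Service-principal onboarding needs all of these. The secret is injected into
# the environment at run time from a vault or pipeline secret store; it is
# never written into the script or committed next to it.
validate_onboarding_env() {
  missing=0
  for v in ARC_SP_ID ARC_SP_SECRET ARC_TENANT_ID ARC_SUBSCRIPTION_ID \
           ARC_RESOURCE_GROUP ARC_LOCATION; do
    eval "val=\${$v}"
    if [ -z "$val" ]; then
      echo "unset: $v"
      missing=1
    fi
  done
  return "$missing"
}

# Register this machine as Microsoft.HybridCompute/machines and confirm the
# agent reports Connected. Set ARC_PROXY to pass the --proxy option the chapter
# describes. Not invoked automatically; both checks must pass first (set -e).
onboard_server() {
  check_egress_allowlist "${ARC_ALLOWLIST:-/etc/arc-egress-allowlist.txt}"
  validate_onboarding_env
  set --
  [ -z "$ARC_PROXY" ] || set -- --proxy "$ARC_PROXY"
  azcmagent connect \
    --service-principal-id "$ARC_SP_ID" \
    --service-principal-secret "$ARC_SP_SECRET" \
    --tenant-id "$ARC_TENANT_ID" \
    --subscription-id "$ARC_SUBSCRIPTION_ID" \
    --resource-group "$ARC_RESOURCE_GROUP" \
    --location "$ARC_LOCATION" \
    "$@"
  azcmagent show   # status should read Connected
}
```

Push the script to each server with whatever configuration management you already use and call onboard_server there; the agent runs locally, so the connect step cannot be issued from a central host.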

Interaction with Related Technologies

Azure Policy: You can assign Azure Policy definitions to hybrid machines. The agent applies Guest Configuration policies (e.g., enforce Windows Defender, audit installed software). Policies are evaluated every 30 seconds.

Microsoft Defender for Cloud: Enables threat detection, vulnerability assessment, and just-in-time access for hybrid servers.

Azure Monitor: Collects logs and performance data via the Log Analytics agent or Dependency Agent.

Update Management: Uses Azure Automation to schedule updates on hybrid machines.

Azure RBAC: Assign roles to users/groups for hybrid machines, e.g., 'Hybrid Machine Contributor' to allow restart or extension management.

Important Exam Details

The agent must be installed manually or via script; it is not automatically deployed.

Servers must have outbound internet access to Azure endpoints. If a firewall blocks certain endpoints, the agent will fail to connect.

The agent uses Azure AD authentication; a service principal is required for non-interactive onboarding at scale.

Azure Arc does not migrate the server; it only manages it. The server remains in its original location.

If the agent loses connectivity for more than 30 days, the resource may be automatically removed (soft delete).

You can assign tags and resource locks to hybrid machines just like Azure VMs.

Azure Arc supports both Windows and Linux, but not all extensions are available for both (e.g., Custom Script Extension is available for both, while the Dependency Agent ships as separate packages for Windows and for Linux).

Walk-Through

1. Install the Azure Connected Machine Agent

Download the agent from the Microsoft Download Center or use a script. For Windows, run the .msi file; for Linux, use the package manager (e.g., apt, yum). The agent installs to `C:\Program Files\AzureConnectedMachineAgent` on Windows or `/opt/azcmagent` on Linux. During installation, it creates a local service account (Windows: `NT SERVICE\AzureConnectedMachineAgent`) or runs as a daemon (Linux: `azcmagent`). The agent registers with Windows Firewall (if enabled) to allow outbound HTTPS.

2. Authenticate and Register with Azure Arc

Run `azcmagent connect` with appropriate parameters. The agent opens a browser for interactive login (device code) or uses a service principal for non-interactive. It authenticates with Azure AD and obtains a token. The agent then creates a resource of type `Microsoft.HybridCompute/machines` in the specified Azure subscription and resource group. A unique resource ID is assigned. The agent stores the connection certificate locally.

3. Establish Heartbeat and Polling

After registration, the agent starts a heartbeat process. Every 30 seconds, it sends an HTTPS request to `*.arc.azure.com` with its status and receives any pending assignments (policies, extensions). The heartbeat includes the machine name, agent version, and last policy compliance state. If the server is disconnected, the agent retries every 30 seconds. After 30 days of no heartbeat, the resource is marked as 'Disconnected' and may be deleted.

4. Assign Azure Policy or Extensions

In the Azure portal, assign a policy (e.g., 'Audit Log Analytics agent deployment') to the hybrid machine. The policy is evaluated by Azure Policy service, which generates a compliance state. The agent receives the policy assignment during the next poll (within 30 seconds). For Guest Configuration policies, the agent downloads a DSC configuration and applies it locally. For VM extensions, the agent downloads the extension package from Microsoft Container Registry and installs it.

5. Monitor and Manage from Azure

Once onboarded, the hybrid machine appears in the Azure portal under 'Azure Arc > Servers'. You can view its properties, add tags, assign RBAC roles, and enable Defender for Cloud. Use Azure Monitor to collect logs by deploying the Log Analytics agent extension. The machine can also be included in Update Management schedules. All actions are recorded in the Azure Activity Log.

What This Looks Like on the Job

Scenario 1: Centralized Compliance for On-Premises Servers

A financial services company has 500 on-premises Windows servers that must comply with PCI DSS. They use Azure Arc to assign Guest Configuration policies that enforce encryption settings, audit user rights, and ensure antivirus is running. The policies are evaluated every 30 seconds, and non-compliant servers are flagged in Azure Policy. The IT team can view compliance dashboards and remediate issues remotely. In production, they onboard servers gradually using a service principal and a PowerShell script. The main challenge is ensuring all servers have outbound internet access to Azure endpoints; they configure a proxy for servers in isolated networks.

Scenario 2: Multi-Cloud Server Management

A tech startup runs workloads across AWS EC2 and on-premises VMware. They use Azure Arc to manage all Linux servers from a single pane of glass. They deploy the Log Analytics agent via Arc extensions to collect syslog data into a Log Analytics workspace, enabling unified monitoring and alerting. They also use Azure Update Management to patch both sets of servers. A common issue is that the Azure Connected Machine agent on AWS instances must be updated manually; they automate this with a cron job. Performance is not impacted because the agent is lightweight (uses ~50MB RAM).

Scenario 3: Edge Device Management in Retail

A retail chain has 1,000 point-of-sale (POS) systems running Windows 10 IoT Enterprise at store locations. They use Azure Arc to manage these devices centrally, deploying custom scripts via Custom Script Extension to update POS software. They also use Azure Policy to enforce local security policies. The challenge is that store networks often have limited bandwidth; the agent's 30-second polling is configurable to 5 minutes to reduce traffic. When a store loses internet connectivity, the devices continue operating with the last known policy state, but compliance reports become stale. The team monitors the 'Disconnected' status and uses a dashboard to identify offline stores.

How AZ-104 Actually Tests This

What AZ-104 Tests on Azure Arc for Servers

The exam objective 1.2 includes 'Manage Azure Arc-enabled servers'. Specifically, you should know:

How to onboard a server (interactive vs. service principal)

How to assign Azure Policy to hybrid machines

How to deploy VM extensions

How to verify connectivity and agent status

The difference between Azure Arc and Azure Migrate

Common Wrong Answers and Why Candidates Choose Them

1. 'Azure Arc requires inbound port 443 to be open.' Many candidates think the agent listens for connections, but it only makes outbound connections. The exam may present a scenario where a firewall blocks inbound traffic, and the wrong answer says this prevents Arc. The correct answer is that outbound is sufficient.

2. 'Azure Arc migrates the server to Azure.' Candidates confuse Arc with Azure Migrate. Arc does not move the server; it only manages it in place.

3. 'Azure Arc requires a domain join.' Not true. The agent uses Azure AD authentication, not Active Directory. A server can be workgroup-joined.

4. 'You can only use Azure Policy with Arc after enabling Defender for Cloud.' Wrong. Azure Policy works independently of Defender for Cloud.

Specific Numbers and Terms to Memorize

Polling interval: 30 seconds (default).

Disconnect threshold: 30 days (resource marked Disconnected).

Agent name: Azure Connected Machine Agent.

Resource type: Microsoft.HybridCompute/machines.

Onboarding command: azcmagent connect.

Status check: azcmagent show.

Required endpoints: *.arc.azure.com, *.his.arc.azure.com, *.guestconfiguration.azure.com.

Edge Cases the Exam Loves to Test

Proxy servers: The agent supports HTTP/HTTPS proxies. You must configure the proxy during azcmagent connect with --proxy.

Private endpoints: Azure Arc supports private endpoints for hybrid machines, but only for certain endpoints. The exam may ask if you can use Azure Private Link; the answer is yes, but only for *.arc.azure.com and *.guestconfiguration.azure.com.

Multiple subscriptions: A single agent can only be connected to one subscription. To change subscriptions, you must disconnect and reconnect.

How to Eliminate Wrong Answers

If the question mentions moving a server to Azure, eliminate Arc (use Azure Migrate).

If the question mentions inbound ports, eliminate Arc (outbound only).

If the question mentions AD domain join, Arc does not require it.

If the question mentions automatic agent deployment, it is false; you must install manually or via policy.

Key Takeaways

Azure Arc for Servers extends Azure Resource Manager to any server outside Azure, enabling unified management.

The Azure Connected Machine agent is installed on each server and communicates outbound via HTTPS (port 443).

Onboarding can be done interactively (device login) or at scale using a service principal.

The agent polls Azure every 30 seconds for policy assignments, extensions, and configuration changes.

If the agent loses connectivity for more than 30 days, the resource is marked Disconnected and may be deleted.

Azure Arc does not migrate servers; it only manages them in place.

Common exam endpoints: *.arc.azure.com, *.his.arc.azure.com, *.guestconfiguration.azure.com.

Azure Policy and Defender for Cloud work with Arc-enabled servers without additional licensing for management (but Defender for Cloud requires Azure Defender plan).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Arc for Servers

Manages servers in place without migration

Requires agent installation on each server

Uses outbound HTTPS only

Supports Azure Policy, Defender for Cloud, etc.

Server remains in original location

Azure Migrate

Migrates servers to Azure (rehost, refactor, etc.)

Uses appliance-based discovery (no agent for discovery)

Requires inbound connectivity for replication

Focuses on assessment and migration

Server is moved to Azure

Watch Out for These

Mistake

Azure Arc requires the server to be joined to an Active Directory domain.

Correct

Azure Arc uses Azure AD for authentication, not on-premises AD. The server can be in a workgroup or domain-joined; it does not matter. The agent authenticates using a service principal or device login.

Mistake

Azure Arc migrates the server to Azure, so you no longer have the on-premises server.

Correct

Azure Arc does not migrate the server. It only manages it remotely. The server remains at its original location. Azure Migrate is the service for actual migration.

Mistake

The Azure Connected Machine agent requires inbound port 443 to be open.

Correct

The agent only makes outbound HTTPS connections to Azure. No inbound ports are required. This is a key security feature.

Mistake

You can only use Azure Policy with Azure Arc if you also enable Microsoft Defender for Cloud.

Correct

Azure Policy works independently. You can assign policies to Arc-enabled servers without enabling Defender for Cloud.

Mistake

Azure Arc can manage servers in a disconnected state indefinitely.

Correct

If the agent cannot communicate with Azure for more than 30 days, the resource is marked as 'Disconnected' and may be automatically deleted. The server itself continues running, but management stops.

Frequently Asked Questions

What is the default polling interval for the Azure Connected Machine agent?

The default polling interval is 30 seconds. This means the agent checks in with Azure Arc every 30 seconds to receive new policy assignments, extension requests, and configuration changes. You can modify this interval via the agent configuration file or registry, but the exam expects the default. If a server needs to reduce network traffic, you can increase the interval to up to 5 minutes.

Can I use Azure Arc to manage servers in a private network without internet access?

Yes, but you need to configure outbound connectivity to Azure Arc endpoints. If the network has no internet access, you can use Azure Private Link to connect privately to Arc endpoints. Alternatively, you can set up a proxy server that forwards traffic to Azure. The agent must be able to reach *.arc.azure.com, *.his.arc.azure.com, and *.guestconfiguration.azure.com.

Does Azure Arc require a license?

Azure Arc itself is free, but some features may require additional licenses. For example, using Microsoft Defender for Cloud with Arc-enabled servers requires an Azure Defender plan (paid). Azure Policy does not require additional licensing beyond the server's existing OS license. The agent itself is free to download and install.

How do I onboard multiple servers at scale?

Use a service principal with the `azcmagent connect` command in a script. First, create a service principal in Azure AD with the 'Azure Connected Machine Onboarding' role. Then run a script that iterates through a list of servers, installing the agent and connecting using the service principal credentials. Alternatively, use Azure Policy with the 'Deploy prerequisites to enable Azure Arc' initiative to automatically install the agent on machines.

What happens if the Azure Connected Machine agent stops running?

If the agent stops, the server will not be able to communicate with Azure Arc. The server will continue running with its last known policy state, but no new policies or extensions will be applied. After 30 days of no heartbeat, the resource is marked as 'Disconnected' and may be automatically deleted. You can restart the agent service or reinstall it to restore connectivity.

Can I assign Azure RBAC roles to an Arc-enabled server?

Yes. Arc-enabled servers are Azure resources, so you can assign RBAC roles at the resource, resource group, or subscription level. For example, you can grant the 'Hybrid Machine Contributor' role to an operator to allow them to restart the server or deploy extensions. The roles are enforced when actions are attempted via Azure (e.g., portal, CLI), but not directly on the server itself.

What is the difference between Azure Arc and Azure Automation Hybrid Runbook Worker?

Azure Arc provides a management plane for servers, while Hybrid Runbook Worker is a feature of Azure Automation that runs runbooks directly on a server. You can deploy the Hybrid Runbook Worker as an extension on an Arc-enabled server, but they are separate services. Arc does not require Automation; it is a broader management tool.
