This chapter covers Azure Arc-Connected Machines in the context of Microsoft Defender for Cloud, a key topic for SC-200 exam objective 3.1 (Configure and manage cloud security). You will learn how Azure Arc extends Azure management and security controls to non-Azure servers, including on-premises, multicloud, and edge devices. Understanding Arc-connected machines is critical because approximately 10-15% of SC-200 exam questions touch on hybrid security management, and many candidates underestimate the complexity of agent deployment, authentication, and policy enforcement. This chapter provides the depth needed to answer scenario-based questions correctly.
Imagine you manage a large estate with hundreds of different TV brands and models scattered across multiple buildings. Each TV has its own remote control, and you have to walk to each one to change channels or adjust settings. This is like managing servers on-premises and in other clouds without Azure Arc—each environment has its own management tools. Now, consider a universal remote that can control any TV, regardless of brand or model, as long as you install a small adapter on each TV. The adapter understands the universal remote's signals and translates them into the TV's specific commands. Azure Arc works similarly: you install the Azure Connected Machine agent (the adapter) on each non-Azure server. This agent connects back to Azure, allowing you to use Azure tools like Microsoft Defender for Cloud to manage security policies, just as the universal remote lets you control volume or input from a single device. The agent maintains a persistent outbound connection to Azure, so even if the server is behind a firewall or NAT, Azure can send commands (like installing an antivirus update) through this channel. You don't need to open inbound ports or change network configurations—the agent initiates all communication. This is critical for security because it reduces the attack surface. When you apply a Defender for Cloud recommendation to enable Microsoft Defender for Endpoint on an Arc-connected machine, the agent receives the instruction, downloads the required extension, and installs it locally, exactly like the universal remote sending an IR signal to change the TV's input source. The result: centralized security management across hybrid and multicloud environments, all from the Azure portal.
What is Azure Arc-Connected Machines?
Azure Arc is a bridge that extends Azure Resource Manager (ARM) control plane to any infrastructure outside of Azure. An Azure Arc-connected machine is a non-Azure server (Windows or Linux) that has the Azure Connected Machine agent installed, registering it as a resource in Azure. This allows you to apply Azure policies, deploy extensions, and enable monitoring and security services like Microsoft Defender for Cloud. Without Arc, these servers would be invisible to Azure management tools.
Why Arc Matters for Defender for Cloud
Microsoft Defender for Cloud provides unified security management across Azure, on-premises, and multicloud environments. For non-Azure servers, Defender for Cloud requires them to be either Azure Arc-connected or have the Log Analytics agent directly installed (legacy approach). Arc is the recommended method because it provides richer integration: it supports Azure Policy for guest configuration, extension management (e.g., deploying Microsoft Defender for Endpoint), and inventory tracking. The SC-200 exam tests your ability to enable Defender for Cloud plans for Arc-connected machines and troubleshoot connectivity issues.
How the Azure Connected Machine Agent Works
Registration: The agent establishes an outbound HTTPS connection to the Azure Arc service (https://dc.services.visualstudio.com, https://*.his.arc.azure.com, etc.). It authenticates using a managed identity (system-assigned or user-assigned). After registration, the machine appears as a resource in the Azure portal under Azure Arc > Servers.
Heartbeat: The agent sends a heartbeat every 5 minutes to Azure to indicate it is alive. If Azure does not receive heartbeats for 15 minutes, the machine status changes to "Disconnected". After 30 days of disconnection, the resource is automatically removed.
Policy and Extension Management: Azure Policy evaluates guest configuration policies on Arc machines using the Guest Configuration extension. When you assign a policy that requires installation of an extension (e.g., Microsoft Defender for Endpoint), Azure Arc triggers the agent to download and install the extension from the Microsoft Extension Repository. The agent supports extensions like:
- Microsoft Defender for Endpoint
- Azure Monitor Agent (AMA)
- Custom Script Extension
- Key Vault VM Extension for certificate management
Security Scanning: For Defender for Cloud, the agent enables collection of security events, vulnerability assessment, and integration with Microsoft Defender for Endpoint. The Log Analytics agent (legacy) or Azure Monitor Agent (recommended) can be deployed as extensions to forward logs to Log Analytics workspaces.
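As an added example (not from this chapter and not Microsoft tooling), the heartbeat and removal timers above turned into a small monitor: it takes constructed heartbeat log lines, keeps each machine's latest beat, and reports the status Azure would show plus the days left before the 30-day automatic removal, so a defender can spot Arc machines about to drop out of inventory. The log line format, the sample machine names and the "Expired" label are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Timers as stated in this chapter; they are not tunable on the agent.
HEARTBEAT_INTERVAL = timedelta(minutes=5)
DISCONNECT_AFTER = timedelta(minutes=15)   # status flips to "Disconnected"
REMOVE_AFTER = timedelta(days=30)          # resource is removed automatically

# Constructed sample: one "<UTC timestamp> <machine>" line per heartbeat received.
# The format is an assumption for this example, not an Azure log format.
SAMPLE_HEARTBEATS = """\
2024-06-01T11:53:00Z web-01
2024-06-01T11:40:00Z web-02
2024-05-06T09:00:00Z pos-store-017
2024-04-20T08:00:00Z pos-store-042
2024-06-01T11:58:00Z web-01
"""
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_ts(text: str) -> datetime:
    """Parse the 'Z'-suffixed UTC timestamp used by the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_heartbeats(log_text: str) -> dict:
    """Keep only the most recent heartbeat seen for each machine."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        ts, machine = parse_ts(parts[0]), parts[1]
        if machine not in latest or ts > latest[machine]:
            latest[machine] = ts
    return latest


def classify(last_heartbeat: datetime, now: datetime) -> str:
    """Status Azure would show: Connected, Disconnected, or Expired (removal due)."""
    silence = now - last_heartbeat
    if silence < DISCONNECT_AFTER:
        return "Connected"
    if silence < REMOVE_AFTER:
        return "Disconnected"
    return "Expired"  # label chosen here for 'past the 30-day removal threshold'


def days_until_removal(last_heartbeat: datetime, now: datetime) -> float:
    remaining = REMOVE_AFTER - (now - last_heartbeat)
    return max(remaining.total_seconds() / 86400, 0.0)


def report(latest: dict, now: datetime, warn_days: int = 7) -> list:
    """One row per machine, most urgent first; at_risk flags machines close to removal."""
    rows = []
    for machine, last in latest.items():
        status = classify(last, now)
        days_left = days_until_removal(last, now)
        rows.append({
            "machine": machine,
            "status": status,
            "missed_heartbeats": int((now - last) // HEARTBEAT_INTERVAL),
            "days_until_removal": round(days_left, 1),
            "at_risk": status == "Disconnected" and days_left <= warn_days,
        })
    rows.sort(key=lambda r: r["days_until_removal"])
    return rows


def sample_report() -> list:
    """Run the monitor over the constructed sample at the fixed sample time."""
    return report(latest_heartbeats(SAMPLE_HEARTBEATS), SAMPLE_NOW)


if __name__ == "__main__":
    for row in sample_report():
        flag = " <- at risk" if row["at_risk"] else ""
        print(f'{row["machine"]:14} {row["status"]:12} {row["days_until_removal"]:5.1f} days left{flag}')
```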
Key Components and Defaults
Azure Connected Machine agent: Version 1.0 or later. Installed via script (Windows: .msi, Linux: .deb/.rpm) or using Azure Arc onboarding scripts from the portal.
Authentication: Uses Managed Identity (system-assigned by default) or service principal for onboarding. For proxy environments, the agent supports HTTP/HTTPS proxy configuration.
Network requirements: Outbound HTTPS (port 443) to specific Azure endpoints (see official list). No inbound ports required.
Supported operating systems: Windows Server 2012 R2+, Windows 10/11 (IoT), Ubuntu 16.04+, RHEL 7+, CentOS 7+, SUSE 12+, and others. Check official docs for the latest list.
Extension installation: Extensions are installed in the agent's extension directory (Windows: C:\Packages\Plugins, Linux: /var/lib/waagent).
Policy evaluation: Guest Configuration policies evaluate every 15 minutes by default.
Configuration and Verification Commands
To verify the agent status on a machine:
# Windows: Check service status
Get-Service -Name "AzureConnectedMachineAgent"
# Check agent version
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\AzureConnectedMachineAgent").Version

# Linux: Check service status
sudo systemctl status azcmagent
# Check agent version
azcmagent show

To troubleshoot connectivity:

azcmagent check

This command tests connectivity to required endpoints and returns pass/fail for each.
Interaction with Defender for Cloud
Once a machine is Arc-connected, you can enable Defender for Cloud plans (e.g., Defender for Servers) for that machine. The machine appears in Defender for Cloud's inventory under "Azure Arc machines". You can then:
Enable Microsoft Defender for Endpoint (MDE) unified agent via the MDE extension.
Deploy vulnerability assessment (Qualys or MDE TVM).
Apply regulatory compliance policies.
View security alerts and recommendations specific to the machine.
Important: For Defender for Cloud to fully manage Arc machines, the machine must have the Log Analytics agent (or Azure Monitor Agent) installed and configured to send logs to a Log Analytics workspace that is connected to Defender for Cloud. This is often done via the Azure Monitor Agent extension.
Connectivity and Proxy Configuration
Arc machines behind proxies require proxy configuration. The agent supports both HTTP and HTTPS proxies. Configure via:
# Windows (PowerShell as admin)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AzureConnectedMachineAgent" -Name "Proxy" -Value "http://proxy:8080"
Restart-Service AzureConnectedMachineAgent

# Linux
sudo azcmagent config set proxy.http "http://proxy:8080"
sudo systemctl restart azcmagent

If the proxy requires authentication, the agent does not support credentials in the proxy URL; you must use a transparent proxy or configure network policies.
Common Exam Traps
Trap: Arc machines do not require inbound ports. The agent only initiates outbound connections. Candidates often think inbound rules are needed, but this is incorrect.
Trap: The agent uses a system-assigned managed identity by default, not a service principal. However, you can use a service principal for bulk onboarding.
Trap: Disconnected status after 15 minutes of no heartbeat, resource removal after 30 days. Know these numbers.
Trap: Arc machines can be managed by Azure Policy, but guest configuration policies require the Guest Configuration extension to be installed (automatically handled). Candidates may think policies apply without extensions.
Install Azure Connected Machine Agent
Begin by downloading and installing the agent on the target non-Azure server. For a single server, use the Azure portal: navigate to Azure Arc > Servers > Add > Generate script. This script installs the agent and registers the machine. For Windows, the script downloads an MSI and runs it with parameters for tenant ID, subscription, resource group, and location. For Linux, it downloads a shell script that adds the Microsoft repository and installs the azcmagent package. The script also creates a system-assigned managed identity for authentication. Ensure the machine meets OS and network requirements. After installation, the agent service starts automatically and attempts to connect to Azure. Verify with `Get-Service AzureConnectedMachineAgent` (Windows) or `systemctl status azcmagent` (Linux).
Verify Agent Connectivity and Registration
After installation, the agent sends a registration request to the Azure Arc metadata service. The request includes the machine's identity and metadata (OS, hostname, etc.). Azure validates the request and creates a corresponding resource in the specified resource group. The agent then begins sending heartbeats every 5 minutes. To verify, run `azcmagent show` on Linux or check the agent logs. In the Azure portal, go to Azure Arc > Servers and confirm the machine appears with status "Connected". If the status is "Disconnected", check network connectivity and agent logs. Use `azcmagent check` to test endpoints. Common issues: proxy not configured, firewall blocking outbound HTTPS, or incorrect tenant ID.
Enable Defender for Cloud for Arc Machine
In the Azure portal, open Microsoft Defender for Cloud. Under Environment settings, select the subscription containing the Arc machine. Ensure the Defender for Servers plan is enabled (Plan 1 or Plan 2). Then, go to Inventory and locate the Arc machine. It should appear with a resource type of "Microsoft.HybridCompute/machines". If it does not, ensure the machine is registered and the Log Analytics workspace is connected. For full protection, you need to install the Log Analytics agent (or Azure Monitor Agent) on the Arc machine. This can be done via the Azure Arc extensions blade: select the machine, go to Extensions, add the Log Analytics agent extension, specifying the workspace ID and key. Alternatively, you can use Azure Policy to automatically deploy the extension. Defender for Cloud will then start collecting security data and generating recommendations.
Deploy Microsoft Defender for Endpoint Extension
To enable Microsoft Defender for Endpoint (MDE) on the Arc machine, you must install the MDE extension. In the Azure portal, navigate to the Arc machine resource, select Extensions, and add the "Microsoft Defender for Endpoint" extension. The extension downloads and installs the MDE agent (Windows: senseinstaller.exe, Linux: mdatp). This agent communicates with the MDE cloud service for threat detection. After installation, the machine appears in Microsoft 365 Defender console. Defender for Cloud will show MDE integration status. If the extension fails to install, check that the machine has internet access to MDE endpoints (e.g., *.endpoint.security.microsoft.com). Also ensure the machine is not already running a third-party antivirus that conflicts. MDE Plan 1 or Plan 2 licensing is required.
Monitor and Manage via Defender for Cloud
Once the Arc machine is fully onboarded, you can monitor security posture from the Defender for Cloud dashboard. Under Recommendations, you'll see security findings for the machine, such as missing system updates, open ports, or vulnerability assessment results. Alerts from MDE or other integrated services appear under Security alerts. You can also apply regulatory compliance policies (e.g., NIST, CIS) to the Arc machine via Azure Policy. Defender for Cloud assesses the machine against these benchmarks. To remediate issues, you can use the Remediate button to trigger automatic fixes (e.g., install missing patches via update management). For incident response, you can initiate a live response session (if MDE is enabled) to investigate the machine. The SC-200 exam tests your ability to interpret these alerts and recommendations for Arc machines.
Enterprise Scenario 1: On-Premises Server Farm
A financial services company runs 500 Windows servers on-premises in a private cloud. Previously, they managed security via on-premises tools. To centralize security monitoring, they onboard these servers to Azure Arc using bulk scripts. They create a service principal with Contributor permissions on a dedicated resource group and run the onboarding script on each server. The IT team configures a transparent proxy for outbound connectivity. After onboarding, they enable Defender for Servers Plan 2, which includes MDE and vulnerability assessment. They deploy the Log Analytics agent extension via Azure Policy to all Arc machines. Now, security alerts and compliance reports appear in Defender for Cloud alongside Azure VMs. A challenge they faced: some legacy Windows Server 2012 R2 machines required the agent version 1.0 or later, and they had to update PowerShell to 4.0+ for the onboarding script. Also, they had to ensure that the machines could resolve the Arc service DNS names through internal DNS. Performance impact was minimal—agent CPU usage is typically less than 1%.
Scenario 2: Multicloud Environment
A retail company uses AWS EC2 instances and on-premises Linux servers. They want to unify security management under Defender for Cloud. They install the Azure Connected Machine agent on each AWS instance using the generated script. Because AWS instances are ephemeral, they use a user-assigned managed identity for consistent authentication across instance replacements. They configure the agent to use an HTTPS proxy in the AWS VPC. After registration, they enable Defender for Servers Plan 1 (which includes MDE for Linux). They deploy the Azure Monitor Agent extension to collect syslog and security events. One issue they encountered: the MDE extension for Linux requires specific kernel versions, so they had to upgrade some Ubuntu 16.04 instances to 18.04. Another issue: the agent heartbeat sometimes fails due to AWS security group rules blocking outbound traffic to specific Azure IP ranges. They resolved this by using Azure service tags in the security group rules.
Scenario 3: Edge Devices in Retail Stores
A retail chain has 2,000 Windows 10 IoT devices at point-of-sale (POS) terminals in stores. These devices are not domain-joined and have limited connectivity (often behind NAT). They use Azure Arc to manage them as servers (Windows 10 IoT Enterprise is supported). The onboarding script is deployed via a management tool. The agent uses a system-assigned managed identity and connects through a store-level proxy. They enable Defender for Endpoint for these devices via the MDE extension. The challenge: the devices often go offline during store hours (no internet), causing the agent to show as disconnected. A longer heartbeat interval would help, but the interval is not configurable, so they accept the default. They also use Azure Policy to ensure the MDE extension is installed even if the device reconnects after a week. The security team monitors for alerts from these devices, such as suspicious PowerShell commands or USB device insertion. The main lesson: ensure the devices have reliable internet connectivity at least every 30 days to avoid automatic resource removal.
What SC-200 Tests on This Topic
The SC-200 exam objective 3.1 (Configure and manage cloud security) specifically includes: "Configure and manage Microsoft Defender for Cloud for hybrid and multicloud environments, including Azure Arc-enabled servers." Exam questions focus on:
Enabling Defender for Cloud plans for Arc machines
Deploying and configuring the Azure Connected Machine agent
Troubleshooting connectivity and agent health
Understanding the differences between Arc and non-Arc onboarding (Log Analytics agent direct)
Interpreting recommendations and alerts specific to Arc machines
Knowing the default timers (heartbeat 5 min, disconnect after 15 min, removal after 30 days)
Recognizing supported extensions (MDE, Log Analytics, Azure Monitor Agent)
Common Wrong Answers and Why
Wrong: Arc machines require inbound port 443. Many candidates think Azure needs to initiate connections. Reality: the agent only makes outbound connections; no inbound ports are needed.
Wrong: The agent uses a service principal by default. Candidates confuse onboarding methods. The default authentication is system-assigned managed identity, but a service principal can be used for bulk onboarding.
Wrong: Arc machines cannot be managed by Azure Policy. Some think policy applies only to Azure VMs. Actually, Azure Policy works on Arc machines, including guest configuration policies.
Wrong: Disconnected status occurs after 30 days. The exam tests the exact numbers: 15 minutes for disconnected, 30 days for resource removal.
Specific Values and Terms
Heartbeat interval: 5 minutes
Disconnected threshold: 15 minutes without heartbeat
Resource removal: 30 days after disconnection
Agent service name: AzureConnectedMachineAgent (Windows), azcmagent (Linux)
Extension directory: C:\Packages\Plugins (Windows), /var/lib/waagent (Linux)
Required endpoints: *.his.arc.azure.com, dc.services.visualstudio.com, etc.
Guest Configuration evaluation interval: 15 minutes
Edge Cases the Exam Loves
Proxy with authentication: The agent does not support authenticated proxies. If a proxy requires credentials, you must use a transparent proxy or allow the agent to bypass authentication.
Arc-enabled SQL Server: This is a separate resource type (Microsoft.AzureArcData/sqlServerInstances) but still requires the Azure Connected Machine agent. The exam may ask about enabling Defender for SQL on Arc machines.
Arc for Kubernetes: Not covered under objective 3.1, but may appear in other objectives. Know that Arc-enabled Kubernetes clusters also integrate with Defender for Cloud.
Manual extension installation vs. policy-driven: The exam may present a scenario where an extension fails to install. The likely cause is network restrictions or missing prerequisites (e.g., PowerShell version).
How to Eliminate Wrong Answers
If a question mentions opening inbound ports, it's almost certainly wrong for Arc.
If a question states that Arc machines cannot be managed by Defender for Cloud without the Log Analytics agent, that's true—but the Log Analytics agent can be deployed as an extension.
If a question gives a heartbeat interval other than 5 minutes, it's wrong.
If a question suggests using a user-assigned managed identity for a single machine (not bulk), it's less efficient; system-assigned is simpler.
Azure Arc extends Azure management to any non-Azure server using the Azure Connected Machine agent.
The agent sends a heartbeat every 5 minutes; status changes to Disconnected after 15 minutes of no heartbeat.
Arc machines are automatically removed from Azure after 30 days of disconnection.
No inbound ports are required; all communication is outbound HTTPS on port 443.
Default authentication is system-assigned managed identity; service principal is for bulk onboarding.
Defender for Cloud supports Arc machines with Defender for Servers plans, requiring the Log Analytics agent or Azure Monitor Agent extension.
The Microsoft Defender for Endpoint extension can be deployed on Arc machines for endpoint detection and response.
Guest Configuration policies evaluate every 15 minutes on Arc machines.
The agent supports Windows Server 2012 R2+, Windows 10/11 IoT, and major Linux distributions.
Proxy configuration is supported but not for authenticated proxies (transparent proxy required).
These come up on the exam all the time. Here's how to tell them apart.
Azure Arc-Connected Machines
Requires Azure Connected Machine agent
Registers as a resource in Azure Resource Manager
Supports Azure Policy, extensions, and Defender for Cloud integration
No inbound ports needed; outbound only
Recommended by Microsoft for hybrid management
Direct Log Analytics Agent (Legacy)
Requires Log Analytics agent (MMA/OMS)
No ARM resource; only sends data to Log Analytics workspace
Limited to Log Analytics and Defender for Cloud data collection
Requires outbound connectivity to workspace, no inbound needed
Legacy approach; not recommended for new deployments
Mistake
Azure Arc-connected machines require inbound firewall rules to allow Azure to communicate with them.
Correct
No inbound ports are needed. The Azure Connected Machine agent initiates all communication outbound over HTTPS (port 443) to Azure endpoints. Azure never initiates connections to the machine.
Mistake
The agent uses a service principal for authentication by default.
Correct
By default, the agent uses a system-assigned managed identity. A service principal can be used for bulk onboarding, but the default script creates a managed identity.
Mistake
If an Arc machine is disconnected for 15 minutes, the resource is automatically deleted.
Correct
After 15 minutes without a heartbeat, the status changes to 'Disconnected'. The resource is only automatically removed after 30 days of continuous disconnection.
Mistake
Arc machines can be managed by Azure Policy only if they have the Log Analytics agent installed.
Correct
Azure Policy can evaluate guest configuration on Arc machines using the Guest Configuration extension, which is automatically installed when needed. The Log Analytics agent is required for Defender for Cloud data collection, but not for all policies.
Mistake
The Azure Connected Machine agent supports both inbound and outbound communication.
Correct
The agent only supports outbound communication. It never listens on any port. This is a security feature to minimize attack surface.
The Azure Connected Machine agent requires outbound HTTPS (port 443) to specific endpoints. The critical ones are: *.his.arc.azure.com (metadata service), dc.services.visualstudio.com (telemetry), *.guestconfiguration.azure.com (guest config), and *.blob.core.windows.net (extension downloads). A full list is available in the official documentation. For Defender for Cloud, additional endpoints for Log Analytics (e.g., *.ods.opinsights.azure.com) and MDE (e.g., *.endpoint.security.microsoft.com) are needed. Use `azcmagent check` to validate connectivity.
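As an added example (not from this chapter and not part of azcmagent), an offline check in the spirit of `azcmagent check`: it matches constructed proxy-log lines against the endpoint families listed above and reports which families were reachable, blocked, or never contacted, and flags any agent-related traffic to a port other than 443. The log line format and the hostnames in the sample are assumptions made for this example.

```python
import fnmatch
import re

# Endpoint families named in this chapter, in the wildcard form the text uses.
REQUIRED_ENDPOINTS = {
    "Arc metadata service": ["*.his.arc.azure.com"],
    "Agent telemetry": ["dc.services.visualstudio.com"],
    "Guest Configuration": ["*.guestconfiguration.azure.com"],
    "Extension downloads": ["*.blob.core.windows.net"],
    "Log Analytics ingestion": ["*.ods.opinsights.azure.com"],
    "Defender for Endpoint": ["*.endpoint.security.microsoft.com"],
}

# Constructed sample of outbound-proxy decisions; the "<ts> ALLOW|DENY host:port"
# format and the hostnames are assumptions for this example, not a real proxy log.
SAMPLE_PROXY_LOG = """\
2024-06-01T10:00:01Z ALLOW gbl.his.arc.azure.com:443
2024-06-01T10:00:02Z ALLOW dc.services.visualstudio.com:443
2024-06-01T10:00:03Z DENY agent.guestconfiguration.azure.com:443
2024-06-01T10:00:04Z ALLOW contoso.blob.core.windows.net:443
2024-06-01T10:00:05Z DENY 11111111-2222-3333-4444-555555555555.ods.opinsights.azure.com:443
2024-06-01T10:00:06Z ALLOW www.example.com:443
2024-06-01T10:00:07Z ALLOW gbl.his.arc.azure.com:80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<host>[\w.\-]+):(?P<port>\d+)$")


def parse_line(line: str):
    """Parse one sample line into a record, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "action": m["action"], "host": m["host"].lower(), "port": int(m["port"])}


def family_for(host: str):
    """Map a hostname to the required endpoint family it belongs to, or None."""
    for family, patterns in REQUIRED_ENDPOINTS.items():
        if any(fnmatch.fnmatch(host, p) for p in patterns):
            return family
    return None


def evaluate(log_text: str):
    """Return (family -> reachable/blocked/not observed, list of off-port records)."""
    status = {family: "not observed" for family in REQUIRED_ENDPOINTS}
    off_port = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        family = family_for(rec["host"])
        if family is None:
            continue  # traffic unrelated to the Arc agent
        if rec["port"] != 443:
            off_port.append(rec)  # the agent only needs HTTPS/443; anything else is suspect
            continue
        if rec["action"] == "DENY":
            status[family] = "blocked"  # a single deny marks the family as blocked
        elif status[family] != "blocked":
            status[family] = "reachable"
    return status, off_port


def blocked_families(log_text: str) -> list:
    """Families a firewall or proxy is blocking, in the chapter's listing order."""
    status, _ = evaluate(log_text)
    return [f for f, s in status.items() if s == "blocked"]


if __name__ == "__main__":
    status, off_port = evaluate(SAMPLE_PROXY_LOG)
    for family, state in status.items():
        print(f"{family:24} {state}")
    for rec in off_port:
        print(f"unexpected port {rec['port']} to {rec['host']} at {rec['ts']}")
```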
You can deploy the Log Analytics agent as an extension on the Arc machine. In the Azure portal, go to the Arc machine resource, select Extensions, and add the Log Analytics agent extension. Provide the workspace ID and key. Alternatively, use Azure Policy to automatically deploy the extension to all Arc machines in a subscription. The extension installs the Microsoft Monitoring Agent (MMA) on Windows or OMS agent on Linux. This enables data collection for Defender for Cloud.
Yes, as long as the server can make outbound HTTPS connections to the required Azure endpoints. You may need to configure a proxy in the agent. The agent supports HTTP and HTTPS proxies via configuration. However, if the proxy requires authentication, the agent does not support credentials; you must use a transparent proxy or allow the agent to bypass authentication. Use `azcmagent config set proxy.http` to set the proxy.
After 30 days of continuous disconnection (no heartbeat), Azure automatically removes the Arc machine resource from the subscription. The machine will no longer appear in Azure Arc or Defender for Cloud inventory. To recover, you must reinstall and register the agent. The agent's local state is preserved, but the Azure resource must be recreated. This is why it's critical to ensure reliable connectivity.
Defender for Cloud can perform vulnerability assessment on Arc machines using either the integrated Qualys agent or Microsoft Defender Vulnerability Management (MDVM). For Qualys, you deploy the Qualys extension on the Arc machine. For MDVM, it is included with Defender for Servers Plan 2 and uses the MDE agent. The results appear in Defender for Cloud's recommendations. The SC-200 exam may ask which extension to deploy for vulnerability scanning.
Plan 1 includes Microsoft Defender for Endpoint (MDE) for endpoint detection and response, but not vulnerability assessment or just-in-time VM access. Plan 2 includes everything in Plan 1 plus vulnerability assessment (Qualys or MDVM), just-in-time VM access, and file integrity monitoring. For Arc machines, Plan 2 is required for full coverage. The exam may test which plan provides specific features.
Yes. There are built-in Azure Policy definitions to deploy the MDE extension to Arc machines. For example, 'Deploy Microsoft Defender for Endpoint on Azure Arc machines' ensures the extension is installed. You can also create custom policies. The extension is installed automatically when the policy is assigned. This is a common exam scenario: using policy to enforce security configurations.