Connect your non-Azure machines to Security Center

Security Center can monitor the security posture of your non-Azure computers, but first you need to connect them to Azure.

You can connect your non-Azure computers in any of the following ways:

  • Using Azure Arc enabled servers (recommended)
  • From Security Center's pages in the Azure portal (Getting started and Inventory)

Each of these is described on this page.

Add non-Azure machines with Azure Arc

Azure Arc enabled servers is the preferred way of adding your non-Azure machines to Azure Security Center.

A machine with Azure Arc enabled servers becomes an Azure resource and appears in Security Center with recommendations like your other Azure resources.

In addition, Azure Arc enabled servers provides enhanced capabilities such as the option to enable guest configuration policies on the machine, deploy the Log Analytics agent as an extension, simplify deployment with other Azure services, and more. For an overview of the benefits, see Supported scenarios.

Learn more about Azure Arc enabled servers.

To deploy Azure Arc:

Tip

If you're onboarding machines running on AWS, Security Center's connector for AWS transparently handles the Azure Arc deployment for you. Learn more in Connect your AWS accounts to Azure Security Center.

Add non-Azure machines from the Azure portal

  1. From Security Center's menu, open the Getting started page.

  2. Select the Get started tab.

    [Screenshot: Get Started tab in the Getting started page]

  3. Below Add non-Azure servers, select Configure.

    Tip

    You can also open the add machines page from the inventory page's Add non-Azure servers button.

    [Screenshot: Adding non-Azure machines from the asset inventory page]

    A list of your Log Analytics workspaces is shown. The list includes, if applicable, the default workspace created for you by Security Center when automatic provisioning was enabled. Select this workspace or another workspace you want to use.

    You can add computers to an existing workspace or create a new workspace.

  4. Optionally, to create a new workspace, select Create new workspace.

  5. From the list of workspaces, select Add Servers for the relevant workspace. The Agents management page appears.

    From here, choose the relevant procedure below depending on the type of machines you're onboarding:

Onboard your Azure Stack VMs

To add Azure Stack VMs, you need the information on the Agents management page and to configure the Azure Monitor, Update and Configuration Management virtual machine extension on the virtual machines running on your Azure Stack.

  1. From the Agents management page, copy the Workspace ID and Primary Key into Notepad.
  2. Log into your Azure Stack portal and open the Virtual machines page.
  3. Select the virtual machine that you want to protect with Security Center.

    Tip

    For information on how to create a virtual machine on Azure Stack, see this quickstart for Windows virtual machines or this quickstart for Linux virtual machines.

  4. Select Extensions. The list of virtual machine extensions installed on this virtual machine is shown.
  5. Select the Add tab. The New Resource menu shows the list of available virtual machine extensions.
  6. Select the Azure Monitor, Update and Configuration Management extension and select Create. The Install extension configuration page opens.

    Note

    If you do not see the Azure Monitor, Update and Configuration Management extension listed in your marketplace, please reach out to your Azure Stack operator to make it available.

  7. On the Install extension configuration page, paste the Workspace ID and Workspace Key (Primary Key) that you copied into Notepad in the previous step.
  8. When you complete the configuration, select OK. The extension's status will show as Provisioning Succeeded. It might take up to one hour for the virtual machine to appear in Security Center.

Onboard your Linux machines

To add Linux machines, you need the WGET command from the Agents management page.

  1. From the Agents management page, copy the WGET command into Notepad. Save this file to a location that is accessible from your Linux computer.
  2. On your Linux computer, open the file with the WGET command. Select the entire content and copy and paste it into a terminal console.
  3. When the installation completes, you can validate that the omsagent is installed by running the pgrep command. The command will return the omsagent PID. The logs for the agent can be found at /var/opt/microsoft/omsagent/<workspace id>/log/. It might take up to 30 minutes for the new Linux machine to appear in Security Center.
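The following script is an added example, not part of the original page, that automates the verification step above for a Linux machine: it checks that the Workspace ID you pasted is well-formed, that the per-workspace log directory exists, and that an omsagent process is running. The optional second argument (a filesystem prefix) and the GUID format check are assumptions made for this example; the page itself only states the log path and the pgrep check.

```shell
#!/bin/sh
# verify_omsagent.sh (added example; not Microsoft's own tooling)
# Post-install health check for the Log Analytics agent (omsagent) on Linux.
# Assumptions: Log Analytics workspace IDs are GUIDs; the optional PREFIX
# argument is prepended to the log path so the check can be exercised against
# a constructed directory tree instead of the real /var.

# Return 0 if the workspace ID looks like a GUID (8-4-4-4-12 hex digits), else 1.
valid_workspace_id() {
  printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the agent log directory for a workspace (path from the page);
# PREFIX (2nd arg) defaults to empty, i.e. the real location under /var.
omsagent_log_dir() {
  printf '%s/var/opt/microsoft/omsagent/%s/log\n' "${2:-}" "$1"
}

# Return 0 if an omsagent process is running: the pgrep check from the page.
# -f matches the full command line so the agent is found however it was launched.
omsagent_running() {
  pgrep -f omsagent >/dev/null 2>&1
}

# Full check. Exit status: 0 = healthy, 1 = malformed workspace ID,
# 2 = log directory missing (agent not installed for this workspace),
# 3 = agent installed but no omsagent process running.
verify_omsagent() {
  ws_id="$1"
  prefix="${2:-}"
  valid_workspace_id "$ws_id" || { echo "invalid workspace id: $ws_id" >&2; return 1; }
  log_dir=$(omsagent_log_dir "$ws_id" "$prefix")
  [ -d "$log_dir" ] || { echo "log directory not found: $log_dir" >&2; return 2; }
  omsagent_running || { echo "omsagent process not running" >&2; return 3; }
  echo "omsagent OK for workspace $ws_id (logs in $log_dir)"
}

# Usage: sh verify_omsagent.sh <workspace id>
if [ -n "${1:-}" ]; then
  verify_omsagent "$1"
fi
```

Run it with the Workspace ID from the Agents management page as the only argument; a non-zero exit status tells you which of the three checks failed, which is handy when a machine has not shown up in Security Center after the 30-minute window.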

Onboard your Windows machines

To add Windows machines, you need the information on the Agents management page and to download the appropriate agent file (32/64-bit).

  1. Select the Download Windows Agent link applicable to your computer processor type to download the setup file.
  2. From the Agents management page, copy the Workspace ID and Primary Key into Notepad.
  3. Copy the downloaded setup file to the target computer and run it.
  4. Follow the installation wizard (Next, I Agree, Next, Next).
    1. On the Azure Log Analytics page, paste the Workspace ID and Workspace Key (Primary Key) that you copied into Notepad.
    2. If the computer should report to a Log Analytics workspace in Azure Government cloud, select Azure US Government from the Azure Cloud dropdown list.
    3. If the computer needs to communicate through a proxy server to the Log Analytics service, select Advanced and provide the URL and port number of the proxy server.
    4. When you've entered all of the configuration settings, select Next.
    5. From the Ready to Install page, review the settings to be applied and select Install.
    6. On the Configuration completed successfully page, select Finish.

When complete, the Microsoft Monitoring agent appears in Control Panel. You can review your configuration there and verify that the agent is connected.

For further information on installing and configuring the agent, see Connect Windows machines.

Verifying

Congratulations! Now you can see your Azure and non-Azure machines together in one place. Open the asset inventory page and filter to the relevant resource types. These icons distinguish the types:

  • Non-Azure machine (ASC icon for non-Azure machine)
  • Azure VM (ASC icon for Azure machine)
  • Azure Arc enabled server (ASC icon for Azure Arc server)

Next steps

This page showed you how to add your non-Azure machines to Azure Security Center. To monitor their status, use the inventory tools as explained in the following page: