Getting Started with On-Demand Assessments
Assessments are available through the Services Hub to help you assess and optimize the availability, security, and performance of your on-premises, hybrid, and cloud Microsoft technology environments. These assessments use Microsoft Azure Log Analytics, which is designed to give you simplified IT and security management across your environment.
On average, it takes two hours to initially configure your environment to run an On-Demand Assessment. After you run an assessment you can review the recommendations in Azure Log Analytics. This will provide you with a prioritized list of recommendations, categorized across six focus areas. This allows you and your team to quickly understand risk levels, the health of your environments, act to decrease risk, and improve your overall IT health.
An offline copy of the On-Demand Assessment Setup Guide may be downloaded for reference.
Use the following checklist to ensure all steps in this section are completed before moving onto the next section.
On-Demand Assessments ingest their recommendations and supporting details into Azure Log Analytics. The Azure Log Analytics service requires an Azure subscription owned by the organization. If there is already an Azure subscription, then a customer representative (their registered email address) with the required Azure Log Analytics access and/or Azure Subscription access will need to be invited to the Services Hub workspace by the CSAM.
If there is no Azure subscription, Microsoft will sponsor one for the customer. The ideal owner for the sponsored subscription is the main point of contact IT professional that will be working with the assessment results. There are a couple of options to have a sponsored Azure subscription provisioned.
The preferred option is to share an organizational email address to be provisioned as owner of a no-cost Azure sponsorship with the organization's CSAM. Once the Azure sponsorship is created, an email with an invitation to activate the subscription will be sent to the provided organizational email address. Activate the Azure subscription through the link provided in the email. This account will be invited to the Services Hub workspace by the CSAM.
An alternative option is to request for one directly by creating a support ticket. Refer to the Reporting Services Hub issues documentation for assistance.
Customers can choose to use any Azure Subscription for this purpose as long as the user has the required Azure Subscription and/or Log Analytics role to perform the required actions. The Azure Subscription can be an EA or Pay-As-You-Go or trial azure subscriptions. Azure subscriptions created merely due to presence of Office 365 licenses cannot be used as they dont have active azure credits.
No-cost sponsored Azure subscriptions requested from Services Hub Support by default have a validity of 1 year. These subscriptions can be extended before expiry if needed in case of renewals. You can read more about the subscription offer details and how to manage these subscriptions in this Azure Rollover article.
If you don’t know the Azure owner or other roles of your Azure subscriptions, please follow this link: Role assignments in Azure Subscriptions.
Services Hub Registration
The user in your organization who is the Microsoft Azure subscription owner must be invited to the Services Hub workspace and complete their registration on the Services Hub. Additionally, if the assessment will include a Microsoft engineer lead delivery, then the Microsoft engineer must also be invited to the Services Hub workspace, and complete their registration on the Services Hub. Invites to the Services Hub can be initiated by your organization’s Services Administrator, existing Services Hub users, or your Microsoft representative. To enable users access to On-Demand Assessments in the Services Hub, your organization’s Services Administrator must grant these permissions by clicking the Health and Programs checkboxes in the Invite users dialog box.
- The CSAM invites customer and CE (for engineer led assessment deliveries). Log in to Services Hub using Microsoft Edge and go to Contract then Manage Users.
- Add customers' email addresses and CE with alias@Microsoft.com and ensure the Health and Programs options are selected to allow the user to see the assessment tab and create a remediation plan.
Linking of the Azure Subscription and Log Analytics workspace to Services Hub workspace
Log into Services Hub with the Azure subscription owner's credentials. In the Primary Navigation, click on IT Health then select On-Demand Assessments.
Click "Pre-Configure assessments."
- Select the desired Azure subscription from the list and choose next.
Organizations that have an Azure subscription but lack the required permissions will see:
Please work with your company's Services Admin, CSAM, or Support Account Coordinator to have the customer representative with the required permissions within Azure register on Services Hub and pre-configure your assessments. Organizations without an Azure subscription refer to Azure Subscriptions to get your Microsoft sponsored subscription.
- Choose the Azure Log Analytics workspace that the assessment(s) you choose will be enabled in or use "Create New" to create a dedicated workspace for the assessment(s) if desired. Then click next.
An Azure Log Analytics workspace may also be created from Azure using the steps documented in the How to Create new Azure Log Analytics Workspace from Azure article.
- At the conclusion of the linking process, click “View assessments."
If you have some policy definitions set up on Subscription, make sure you have allowed Microsoft.OperationalInsights and Microsoft.OperationsManagement resource types for linking to work. Select all checkboxes under these options.
Add the Assessments in Services Hub
To configure an assessment, go to Services Hub, IT Health, and On-Demand Assessments. Browse through the assessment catalog and click "Add Assessment" to add the assessment that best fits your organization’s needs.
Select an assessment of your choice from the list of available assessments and click on "Add Assessment."
The option changes from Add Assessment to View in Azure Log Analytics. You are now all set for the next steps.
Providing Access to Azure Log Analytics workspace
Granting access to the Log Analytics workspace to Microsoft personnel is necessary for CE led deliveries of On-Demand Assessments and must be completed by the Azure subscription owner. We recommend you add users as a Log Analytics Reader to grant @microsoft.com users access to your Azure Log Analytics workspace to view your assessments. They will not have access to your Azure subscription.
This step is not required for self-consumption of assessments without CE led delivery.
Provide access to the Log Analytics workspace by adding an account and granting access as follows: Azure Portal, then All Resources. Select the Azure Log analytics workspace linked in Linking of the Azure Subscription and Log Analytics workspace to Services Hub workspace.
Follow the steps indicated below to get to the access pane:From the Azure Log Analytics Portal, navigate the menu and select “Access control (IAM).” In the center of the dashboard, add a role assignment by click the blue “Add” button. In the right pane, choose a Role type from the dropdown and Select a role type. Click “Save” to add the role assignment.
A. Engineer should be given Log Analytics Reader
B. CSAM optionally should be given Log Analytics Reader
If the portal doesn't let you invite the email ID you are trying to add, your Azure Active Directory Global Administrator might have blocked Invite Guest Users feature. Please refer to the below article on Invite Guest users to your Azure AD.
To learn more about On-Demand Assessments, select the "Establish Connectivity to Azure Log Analytics" article in the Table of Contents.
For general feedback on the Resource Center or content, please submit your feedback to your Microsoft representative. For specific requests and content updates regarding the Services Hub, contact our Support Team to submit a case.