How to Configure Azure Arc on Windows Server 2025

Azure Arc extends Azure management capabilities to infrastructure running outside of Azure — including on-premises Windows Server machines, servers in other clouds, and edge environments. By installing the Azure Connected Machine agent on a Windows Server 2025 machine, you project that server into Azure as an Arc-enabled server resource. This enables you to apply Azure Policy, use Microsoft Defender for Cloud, deploy the Azure Monitor Agent via Arc extensions, manage SQL Server instances through Arc-enabled SQL Server, and gain a unified view of all your hybrid infrastructure through the Azure Portal. This tutorial walks through the complete process of onboarding a Windows Server 2025 machine to Azure Arc, from prerequisites through to verifying and extending the managed server.

Prerequisites

  • Windows Server 2025 machine (physical or virtual) with outbound internet access
  • Azure subscription with at least Contributor role on the target resource group
  • Azure Resource Group created to hold Arc resources (e.g., rg-arc-servers)
  • Log Analytics Workspace in Azure (recommended for monitoring)
  • Outbound HTTPS (port 443) access to Azure endpoints: *.his.arc.azure.com, *.guestconfiguration.azure.com, management.azure.com, login.microsoftonline.com
  • PowerShell 5.1 or PowerShell 7.4+ with administrative privileges on the target server
  • Az PowerShell module installed, or Azure CLI available
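A pre-flight connectivity check for the endpoints listed above, run on the server before the agent is installed (added example, not part of the original article). The two fully qualified hostnames are assumed concrete instances of the wildcard endpoints; the TLS step surfaces an inspecting proxy, which is a common reason onboarding fails.

```powershell
# Added example: confirm TCP reachability and a clean TLS handshake to each Arc endpoint.
$endpoints = @(
    "gbl.his.arc.azure.com",                         # assumed host behind *.his.arc.azure.com
    "agentserviceapi.guestconfiguration.azure.com",  # assumed host behind *.guestconfiguration.azure.com
    "management.azure.com",
    "login.microsoftonline.com"
)

function Test-ArcEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $result = [ordered]@{ Host = $HostName; TcpOpen = $false; TlsOk = $false; Issuer = $null; Error = $null }
    try {
        $client = [System.Net.Sockets.TcpClient]::new()
        $client.Connect($HostName, $Port)
        $result.TcpOpen = $true
        # Default certificate chain validation: an unexpected (non-Microsoft) issuer or a chain
        # failure here usually means a TLS-inspecting proxy is re-signing the traffic, and the
        # Arc endpoints need to be excluded from inspection before azcmagent connect will work.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk  = $ssl.IsAuthenticated
        $result.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$result
}

$endpoints | ForEach-Object { Test-ArcEndpoint -HostName $_ } | Format-Table -AutoSize
```

Any row with TcpOpen false points at an egress firewall rule; TcpOpen true with TlsOk false points at the proxy.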

Step 1: Prepare Azure Resources and Permissions

Before connecting the server, create the necessary Azure resources and ensure the service principal or user account has the correct permissions:

# Install the Az PowerShell module if not present
Install-Module -Name Az -Force -AllowClobber -Scope CurrentUser

# Connect to Azure
Connect-AzAccount

# Set the target subscription
Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Create a resource group for Arc servers (if it doesn't exist)
New-AzResourceGroup -Name "rg-arc-servers" -Location "eastus"

# Register required resource providers (only needed once per subscription)
Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridCompute"
Register-AzResourceProvider -ProviderNamespace "Microsoft.GuestConfiguration"
Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridConnectivity"

# Verify provider registration status
Get-AzResourceProvider -ProviderNamespace "Microsoft.HybridCompute" | 
    Select-Object ProviderNamespace, RegistrationState

Step 2: Download and Install the Azure Connected Machine Agent

The Azure Connected Machine agent (AzureConnectedMachineAgent.msi) is the core component that establishes the connection between your server and Azure Arc. Download and install it on the target Windows Server 2025 machine:

# Download the Connected Machine agent installer
Invoke-WebRequest `
    -Uri "https://aka.ms/AzureConnectedMachineAgent" `
    -OutFile "$env:TEMP\AzureConnectedMachineAgent.msi"

# Verify the download completed
Get-Item "$env:TEMP\AzureConnectedMachineAgent.msi" | Select-Object Name, Length, LastWriteTime

# Install the agent silently (paths are quoted in case the temp directory contains spaces)
Start-Process msiexec.exe `
    -ArgumentList "/i `"$env:TEMP\AzureConnectedMachineAgent.msi`" /l*v `"$env:TEMP\azcmagent-install.log`" /quiet /norestart" `
    -Wait

# Verify the service was installed and is running
Get-Service himds | Select-Object Name, Status, StartType

# Verify the azcmagent binary is available
azcmagent --version

The Hybrid Instance Metadata Service (HIMDS) is the agent’s core service. It must be in a Running state before proceeding.

Step 3: Connect the Server to Azure Arc

Use azcmagent connect to onboard the server to Azure Arc. You can authenticate interactively using a device code or non-interactively using a service principal:

# Option A — Interactive connection using device code authentication
azcmagent connect `
    --resource-group "rg-arc-servers" `
    --tenant-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    --location "eastus" `
    --subscription-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Option B — Non-interactive connection using a service principal (for automation)
# First create a service principal with Azure Connected Machine Onboarding role
$sp = New-AzADServicePrincipal -DisplayName "arc-onboarding-sp" `
    -Role "Azure Connected Machine Onboarding" `
    -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-arc-servers"

# Current Az.Resources returns the generated secret as plain text in PasswordCredentials.SecretText
$clientSecret = $sp.PasswordCredentials.SecretText

# Connect using service principal credentials
azcmagent connect `
    --service-principal-id $sp.AppId `
    --service-principal-secret $clientSecret `
    --resource-group "rg-arc-servers" `
    --tenant-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    --location "eastus" `
    --subscription-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" `
    --cloud "AzureCloud"

Upon successful connection, the agent reports the server’s resource ID in Azure:

# Verify current connection status
azcmagent show

# Check the agent log for detailed status
Get-Content "C:\ProgramData\AzureConnectedMachineAgent\Log\azcmagent.log" -Tail 50
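Building on Option B above, this added example (not code from the original article) tightens the automation path: the service principal's secret is valid only for the onboarding window, the machine is tagged at connect time for inventory, and the credential is revoked once the agent is connected. Subscription and tenant IDs are placeholders; the two-hour lifetime is an assumption.

```powershell
# Added example: short-lived onboarding credential, tags at connect time, revoke afterwards.
$subId    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$rgScope  = "/subscriptions/$subId/resourceGroups/rg-arc-servers"

# Least privilege: only the onboarding role, scoped to the Arc resource group,
# with a secret that expires shortly after the onboarding window (assumed 2 hours).
$sp = New-AzADServicePrincipal -DisplayName "arc-onboarding-sp" `
        -Role "Azure Connected Machine Onboarding" -Scope $rgScope `
        -EndDate (Get-Date).AddHours(2)
$cred = $sp.PasswordCredentials[0]

azcmagent connect `
    --service-principal-id $sp.AppId `
    --service-principal-secret $cred.SecretText `
    --resource-group "rg-arc-servers" `
    --tenant-id $tenantId --subscription-id $subId --location "eastus" --cloud "AzureCloud" `
    --tags "Environment=prod,Owner=platform-team,OnboardedBy=arc-onboarding-sp"

if ($LASTEXITCODE -ne 0) {
    throw "azcmagent connect failed; see $env:ProgramData\AzureConnectedMachineAgent\Log\azcmagent.log"
}

# The secret was passed on a command line and may persist in logs or shell history:
# revoke it now so it cannot be reused to enrol further machines into the tenant.
Remove-AzADSpCredential -ObjectId $sp.Id -KeyId $cred.KeyId
```

For fleet-wide onboarding, keep the service principal and rotate its secret per batch rather than creating a new principal per server.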

Step 4: Verify the Server in the Azure Portal

Navigate to the Azure Portal and confirm the onboarded server appears under Azure Arc:

# From PowerShell — verify the Arc machine resource exists
Connect-AzAccount
Get-AzConnectedMachine -ResourceGroupName "rg-arc-servers"

# Get detailed status of the connected machine
Get-AzConnectedMachine -Name "WIN-SERVER2025-01" -ResourceGroupName "rg-arc-servers" | 
    Select-Object Name, Status, OsName, AgentVersion, Location

# Check agent connectivity status from the server itself
azcmagent check

In the Azure Portal, navigate to Azure Arc → Servers. Your Windows Server 2025 machine should appear with a Connected status, showing its OS, agent version, and resource group.
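Beyond checking a single machine, the following added example (not part of the original article) audits every Arc machine in the resource group and reports the conditions a defender cares about: servers no longer Connected, servers whose status has not changed recently, and missing or failed extensions. The 30-minute staleness threshold and the list of required extensions are assumptions.

```powershell
# Added example: fleet health report for Arc-enabled servers in one resource group.
function Get-ArcFleetHealth {
    param(
        [string]$ResourceGroupName = "rg-arc-servers",
        [int]$StaleAfterMinutes = 30,                              # assumed threshold
        [string[]]$RequiredExtensions = @("MDE.Windows", "AzureMonitorWindowsAgent")
    )
    $staleBefore = (Get-Date).ToUniversalTime().AddMinutes(-$StaleAfterMinutes)

    foreach ($m in Get-AzConnectedMachine -ResourceGroupName $ResourceGroupName) {
        $issues = @()
        # Anything other than Connected means the agent is not heartbeating (Disconnected,
        # Expired, Error); a Disconnected production server deserves an incident ticket.
        if ($m.Status -ne "Connected") { $issues += "status=$($m.Status)" }
        if ($m.LastStatusChange -and $m.LastStatusChange -lt $staleBefore) {
            $issues += "no status change since $($m.LastStatusChange)"
        }

        $ext = Get-AzConnectedMachineExtension -ResourceGroupName $ResourceGroupName -MachineName $m.Name
        foreach ($required in $RequiredExtensions) {
            $e = $ext | Where-Object Name -eq $required
            if (-not $e) { $issues += "missing extension $required" }
            elseif ($e.ProvisioningState -ne "Succeeded") { $issues += "$required state=$($e.ProvisioningState)" }
        }

        [pscustomobject]@{
            Name         = $m.Name
            Status       = $m.Status
            AgentVersion = $m.AgentVersion
            Issues       = ($issues -join "; ")
        }
    }
}

# Only machines with at least one finding
Get-ArcFleetHealth | Where-Object Issues | Format-Table -AutoSize
```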

Step 5: Apply Azure Policy to Arc-Enabled Servers

Azure Policy allows you to enforce compliance standards and audit configurations across Arc-enabled servers. Assign a built-in policy initiative to your Arc server resource group:

# List available built-in policy definitions related to Arc servers
Get-AzPolicyDefinition | Where-Object {$_.Properties.DisplayName -like "*Connected Machine*"} |
    Select-Object Name, @{N="DisplayName";E={$_.Properties.DisplayName}}

# Assign the "Configure Windows machines to run Azure Monitor Agent" policy
$definition = Get-AzPolicyDefinition | 
    Where-Object {$_.Properties.DisplayName -eq "Configure Windows machines to run Azure Monitor Agent"}

New-AzPolicyAssignment `
    -Name "deploy-ama-arc-windows" `
    -DisplayName "Deploy Azure Monitor Agent on Arc Windows Servers" `
    -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-arc-servers" `
    -PolicyDefinition $definition `
    -IdentityType "SystemAssigned" `
    -Location "eastus"

# Trigger a compliance evaluation
Start-AzPolicyComplianceScan -ResourceGroupName "rg-arc-servers"

Step 6: Enable Microsoft Defender for Cloud via Arc

Microsoft Defender for Cloud can be enabled on Arc-enabled servers by enabling the Defender for Servers plan and installing the MDE extension through Arc:

# Enable Defender for Servers Plan 2 on the subscription
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"

# Install the Microsoft Defender for Endpoint extension on the Arc server
New-AzConnectedMachineExtension `
    -Name "MDE.Windows" `
    -ResourceGroupName "rg-arc-servers" `
    -MachineName "WIN-SERVER2025-01" `
    -Location "eastus" `
    -Publisher "Microsoft.Azure.AzureDefenderForServers" `
    -ExtensionType "MDE.Windows" `
    -TypeHandlerVersion "1.0" `
    -AutoUpgradeMinorVersion

# Check extension provisioning state
Get-AzConnectedMachineExtension `
    -ResourceGroupName "rg-arc-servers" `
    -MachineName "WIN-SERVER2025-01" | 
    Select-Object Name, ProvisioningState, TypeHandlerVersion

Step 7: Deploy Azure Monitor Agent via Arc Extension

The Azure Monitor Agent (AMA) collects performance metrics, event logs, and custom logs from Arc-enabled servers and forwards them to your Log Analytics Workspace:

# Install Azure Monitor Agent extension on the Arc server
New-AzConnectedMachineExtension `
    -Name "AzureMonitorWindowsAgent" `
    -ResourceGroupName "rg-arc-servers" `
    -MachineName "WIN-SERVER2025-01" `
    -Location "eastus" `
    -Publisher "Microsoft.Azure.Monitor" `
    -ExtensionType "AzureMonitorWindowsAgent" `
    -TypeHandlerVersion "1.0" `
    -AutoUpgradeMinorVersion

# Look up the Log Analytics workspace the DCR targets (CustomerId is the workspace GUID).
# The association below assumes a DCR named dcr-windows-perf already exists in rg-monitoring.
$workspaceId = (Get-AzOperationalInsightsWorkspace `
    -ResourceGroupName "rg-monitoring" -Name "law-production").CustomerId

# Associate the DCR with the Arc server using the Azure CLI
az monitor data-collection rule association create `
    --name "dcr-arc-win-servers" `
    --resource "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-arc-servers/providers/Microsoft.HybridCompute/machines/WIN-SERVER2025-01" `
    --rule-id "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-monitoring/providers/Microsoft.Insights/dataCollectionRules/dcr-windows-perf"
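The association above assumes the DCR already exists. This added example (not code from the original article) creates one that collects Security log events relevant to detection, plus two performance counters, and then associates it with the Arc machine. The rule name, event IDs, workspace and resource group names are assumptions; the DCR destination needs the workspace's ARM resource ID, not its CustomerId.

```powershell
# Added example: build a DCR definition, create it with the Azure CLI, then associate it.
$subId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$law   = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-monitoring" -Name "law-production"

$dcr = @{
    location   = "eastus"
    properties = @{
        dataSources = @{
            windowsEventLogs = @(@{
                name    = "securityEvents"
                streams = @("Microsoft-SecurityEvent")
                # Logon success/failure, process creation, account creation, group membership change
                xPathQueries = @("Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4732)]]")
            })
            performanceCounters = @(@{
                name                       = "perfCounters"
                streams                    = @("Microsoft-Perf")
                samplingFrequencyInSeconds = 60
                counterSpecifiers          = @("\Processor(_Total)\% Processor Time", "\Memory\Available Bytes")
            })
        }
        destinations = @{
            logAnalytics = @(@{ name = "lawDest"; workspaceResourceId = $law.ResourceId })
        }
        dataFlows = @(
            @{ streams = @("Microsoft-SecurityEvent"); destinations = @("lawDest") },
            @{ streams = @("Microsoft-Perf");          destinations = @("lawDest") }
        )
    }
}

$ruleFile = Join-Path $env:TEMP "dcr-arc-security.json"
$dcr | ConvertTo-Json -Depth 10 | Set-Content -Path $ruleFile -Encoding utf8

az monitor data-collection rule create `
    --name "dcr-arc-security" --resource-group "rg-monitoring" --location "eastus" `
    --rule-file $ruleFile

az monitor data-collection rule association create `
    --name "dcr-arc-security-assoc" `
    --resource "/subscriptions/$subId/resourceGroups/rg-arc-servers/providers/Microsoft.HybridCompute/machines/WIN-SERVER2025-01" `
    --rule-id "/subscriptions/$subId/resourceGroups/rg-monitoring/providers/Microsoft.Insights/dataCollectionRules/dcr-arc-security"
```

Process-creation events (4688) only carry the command line if the corresponding audit policy and the "Include command line in process creation events" setting are enabled on the server.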

Step 8: Arc-Enabled SQL Server

If SQL Server is installed on the Arc-enabled Windows Server 2025 machine, it is automatically detected and projected as an Arc-enabled SQL Server resource:

# Check if SQL Server is detected by the Arc agent
azcmagent show | Select-String "sql"

# Install the SQL Server Arc extension manually if needed
New-AzConnectedMachineExtension `
    -Name "WindowsAgent.SqlServer" `
    -ResourceGroupName "rg-arc-servers" `
    -MachineName "WIN-SERVER2025-01" `
    -Location "eastus" `
    -Publisher "Microsoft.AzureData" `
    -ExtensionType "WindowsAgent.SqlServer" `
    -TypeHandlerVersion "1.0" `
    -AutoUpgradeMinorVersion

# View Arc-enabled SQL Server instances in the resource group
Get-AzResource -ResourceGroupName "rg-arc-servers" `
    -ResourceType "Microsoft.AzureArcData/sqlServerInstances"

Conclusion

Azure Arc transforms Windows Server 2025 machines — wherever they run — into first-class Azure resources. By installing the Azure Connected Machine agent and connecting it to your Azure subscription, you gain centralised visibility, policy enforcement, security monitoring through Defender for Cloud, and observability through Azure Monitor, all from a single Azure Portal pane. The extensions model allows additional capabilities such as MDE, AMA, and SQL Server management to be deployed and lifecycle-managed centrally without requiring direct access to individual servers. For organisations running hybrid or multi-cloud infrastructure alongside Azure, Azure Arc provides the management consistency and governance tooling that reduces operational overhead and strengthens the security posture of every connected server.