Introduction to Azure Monitor for Windows Server 2019
Azure Monitor is Microsoft’s comprehensive monitoring service that collects, analyzes, and acts on telemetry data from Azure resources, on-premises servers, and hybrid environments. For Windows Server 2019 machines — whether on-premises, in Azure, or in other clouds — Azure Monitor can collect performance metrics, Windows Event Logs, IIS logs, custom application logs, and health state data through the Azure Monitor Agent (AMA). Collected data is stored in a Log Analytics Workspace where it can be queried using Kusto Query Language (KQL), visualized in Azure Monitor Workbooks, and used to trigger alerts and automated remediation via Azure Automation or Logic Apps. This guide covers deploying the Azure Monitor Agent, configuring data collection rules, writing KQL queries, and setting up alerts.
Prerequisites and Connectivity Requirements
Azure Monitor Agent on Windows Server 2019 requires outbound HTTPS (TCP 443) connectivity to the following Azure endpoints: global.handler.control.monitor.azure.com, <region>.handler.control.monitor.azure.com, <region>.monitoring.azure.com, and the Log Analytics workspace endpoint (<workspace-id>.ods.opinsights.azure.com). Ensure these are allowed through your firewall and proxy.
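The following script is an added example, not part of the original guide: it checks TCP 443 and the TLS handshake for each endpoint listed above, and prints the certificate issuer so that a TLS-inspecting proxy in the path is visible. The region and workspace-ID prefixes, the placeholder values, and the function name Test-AmaEndpoint are assumptions; it tests a direct connection, not an explicit proxy.

```powershell
# Added example: verify outbound HTTPS reachability for the AMA endpoints.
# $Region and $WorkspaceId are placeholders; replace them with your own values.
param(
    [string]$Region      = 'eastus',
    [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000'  # placeholder GUID
)

$endpoints = @(
    'global.handler.control.monitor.azure.com',
    "$Region.handler.control.monitor.azure.com",
    "$Region.monitoring.azure.com",
    "$WorkspaceId.ods.opinsights.azure.com"
)

# Hypothetical helper: TCP connect with a timeout, then a validated TLS handshake.
function Test-AmaEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $result = [pscustomobject]@{ Host = $HostName; Tcp = $false; Tls = $false; Issuer = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) { throw 'TCP connect timed out' }
        $result.Tcp = $true
        # Default certificate validation applies: an untrusted chain or name mismatch fails here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.Tls    = $true
        $result.Issuer = $ssl.RemoteCertificate.Issuer   # an unexpected issuer suggests TLS inspection
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    $result
}

$report = $endpoints | ForEach-Object { Test-AmaEndpoint -HostName $_ }
$report | Format-Table -AutoSize
# Non-zero exit code if any endpoint failed, so the check can gate an onboarding script.
if ($report | Where-Object { -not $_.Tls }) { exit 1 }
```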
For Azure VMs running Windows Server 2019, the AMA can be installed as a VM extension directly from the Azure Portal. For on-premises or non-Azure servers, use Azure Arc to onboard the server to Azure first, then install AMA via the Azure Arc-connected machine extensions.
Onboarding an On-Premises Windows Server 2019 with Azure Arc
Azure Arc extends the Azure management plane to non-Azure servers, enabling you to manage, monitor, and govern them through the Azure Portal. To onboard a Windows Server 2019 machine to Azure Arc, generate an onboarding script from the Azure Portal. Navigate to Azure Arc > Servers > Add > Add multiple servers > Generate script (or Add a single server for a simple walkthrough).
Select the subscription, resource group, operating system (Windows), and region. Download the generated script (OnboardingScript.ps1). On the Windows Server 2019 machine, run the script as Administrator in an elevated PowerShell session:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
.\OnboardingScript.ps1
The script installs the Azure Arc Connected Machine Agent (azcmagent) and registers the server with your Azure subscription. The agent creates a managed identity for the server, enabling passwordless authentication to Azure services including Azure Monitor. After onboarding, the server appears in Azure Portal under Azure Arc > Servers.
Creating a Log Analytics Workspace
Log Analytics Workspaces are the storage and query engine for Azure Monitor data. Create one from the Azure Portal or via PowerShell:
Connect-AzAccount
New-AzResourceGroup -Name "monitoring-rg" -Location "East US"
New-AzOperationalInsightsWorkspace -ResourceGroupName "monitoring-rg" -Name "ws2019-monitoring-law" -Location "East US" -Sku "PerGB2018" -RetentionInDays 90
The PerGB2018 pricing tier charges per gigabyte of data ingested. Set retention to 90 days (the minimum for cost-efficiency; increase to 730 days for compliance requirements). Note the workspace ID and primary key from the portal — these are needed for legacy MMA agent configurations.
Installing Azure Monitor Agent via Data Collection Rule
The modern approach uses Data Collection Rules (DCR) to install AMA and define what data to collect. In the Azure Portal, navigate to Monitor > Data Collection Rules > Create. Configure the rule name, subscription, resource group, region, and platform type (Windows). On the Resources tab, add the Windows Server 2019 machine (either as an Azure VM or Arc-connected server). AMA installs automatically when the DCR is associated with the server.
On the Collect and Deliver tab, add data sources: Windows Event Logs (select specific event channels and severity levels), Performance Counters (CPU, memory, disk, network with configurable sampling interval), and IIS Logs for web servers. Set the destination to your Log Analytics Workspace. Review and create the DCR — AMA will be deployed to the target server within a few minutes.
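The same kind of rule can be kept as a reviewable file instead of portal clicks. This added example (not from the original guide) builds a DCR body for the two performance counters and the System event 7034 queried later in this guide, checks that its data flows are consistent, and writes it as JSON. The data source names, the destination name, the output file name and the `<subscription-id>` placeholder are assumptions; the resource group and workspace names are the ones used in this guide.

```powershell
# Added example: DCR body covering the counters and events queried in this guide.
$workspaceResourceId = '/subscriptions/<subscription-id>/resourceGroups/monitoring-rg' +
    '/providers/Microsoft.OperationalInsights/workspaces/ws2019-monitoring-law'

$dcr = [ordered]@{
    location   = 'eastus'
    kind       = 'Windows'
    properties = [ordered]@{
        dataSources = [ordered]@{
            performanceCounters = @([ordered]@{
                name                       = 'perfBaseline'          # assumed name
                streams                    = @('Microsoft-Perf')     # lands in the Perf table
                samplingFrequencyInSeconds = 60
                counterSpecifiers          = @(
                    '\Processor(_Total)\% Processor Time',
                    '\Memory\Available MBytes'
                )
            })
            # Collect only the event needed, via XPath, rather than whole channels.
            # The Security channel is left out: the SecurityEvent table is fed by the
            # Microsoft-SecurityEvent stream, not by Microsoft-Event (the Event table).
            windowsEventLogs = @([ordered]@{
                name         = 'systemServiceCrashes'                # assumed name
                streams      = @('Microsoft-Event')
                xPathQueries = @('System!*[System[(EventID=7034)]]')
            })
        }
        destinations = [ordered]@{
            logAnalytics = @([ordered]@{ name = 'law'; workspaceResourceId = $workspaceResourceId })
        }
        dataFlows = @([ordered]@{
            streams      = @('Microsoft-Perf', 'Microsoft-Event')
            destinations = @('law')
        })
    }
}

# Sanity check: every stream routed by a data flow must be produced by a data source.
$produced = $dcr.properties.dataSources.Values | ForEach-Object { $_ } | ForEach-Object { $_.streams }
$missing  = $dcr.properties.dataFlows | ForEach-Object { $_.streams } | Where-Object { $_ -notin $produced }
if ($missing) { throw "Data flow references streams with no data source: $($missing -join ', ')" }

$dcr | ConvertTo-Json -Depth 10 | Set-Content -Path .\ws2019-dcr.json -Encoding UTF8
```

Keeping the file in source control gives a change history for what each server is allowed to send to the workspace.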
Verify AMA is installed and running on the Windows Server 2019 machine:
Get-Service -Name "AzureMonitorAgent"
Querying Data with Kusto Query Language (KQL)
Once data flows into the Log Analytics Workspace, navigate to Monitor > Logs to write KQL queries. Common queries for Windows Server 2019 monitoring:
CPU utilization over the past hour:
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
| where TimeGenerated >= ago(1h)
| summarize avg(CounterValue) by bin(TimeGenerated, 5m), Computer
| render timechart
Available memory in megabytes:
Perf
| where ObjectName == "Memory" and CounterName == "Available MBytes"
| where TimeGenerated >= ago(4h)
| summarize avg(CounterValue) by bin(TimeGenerated, 5m), Computer
| render timechart
Windows Security events for failed logons (Event ID 4625):
SecurityEvent
| where EventID == 4625
| where TimeGenerated >= ago(24h)
| summarize count() by Computer, Account, IpAddress
| order by count_ desc
Services that have stopped unexpectedly (Event ID 7034):
Event
| where EventLog == "System" and EventID == 7034
| where TimeGenerated >= ago(7d)
| project TimeGenerated, Computer, RenderedDescription
| order by TimeGenerated desc
Creating Azure Monitor Alerts
Azure Monitor alerts trigger automated notifications or remediation actions when monitored conditions are met. Navigate to Monitor > Alerts > Create > Alert Rule. Select the Log Analytics Workspace as the signal source. Choose a signal type of Log (custom log query) and enter a KQL query like the CPU one above. Set the alert condition: for example, when Average CounterValue > 90 for 5 consecutive minutes.
Configure an Action Group to define what happens when the alert fires. Action Groups can send email, SMS, push notifications via the Azure mobile app, call a webhook (useful for PagerDuty or Teams integration), trigger an Azure Automation runbook for auto-remediation, or call an Azure Function. Assign severity (0=Critical, 1=Error, 2=Warning, 3=Informational, 4=Verbose) and a meaningful alert name and description.
Configuring Azure Monitor Workbooks
Azure Monitor Workbooks are interactive reports built from KQL queries, parameters, and visualizations. Navigate to Monitor > Workbooks > New to build a custom dashboard. Add a Query step, enter a KQL query, and choose a visualization type (time chart, bar chart, grid, map). Add a Text step for section headings and narrative context. Add Parameters to make the workbook interactive (e.g., a time range picker or computer name filter).
Save the workbook and pin it to your Azure Dashboard for quick access. Share it with the team by setting the workbook permissions in the Azure Portal. Pre-built workbooks for Windows VMs are available in the Workbooks gallery — look for the VM Insights workbooks which provide rich performance analysis views out of the box.