1# Essential Machine Management (EMM) Workflow
2 
3Routes EMM-related requests to the appropriate reference based on user intent.
4 
5## Overview
6 
7Essential Machine Management simplifies onboarding and configuration of management for Azure VMs and Arc-enabled servers at the subscription level. When enabled, all VMs in a subscription are automatically enrolled with a curated set of monitoring, security, and operations features.
8 
9> ⚠️ **Warning:** EMM is currently in **public preview**.
10 
11## Routing
12 
13```text
14User intent?
15├─ Enable / onboard / enroll subscription for EMM
16│  └─ Copilot-guided (default) → Load [EMM Enable Flow](references/emm-enable-flow.md)
17│
18├─ User explicitly asks for portal guidance
19│  └─ Load [EMM Enable Flow (Portal)](references/emm-enable-flow-portal-guidance.md)
20│
21├─ What is EMM / features / pricing / tiers
22│  └─ Load [EMM Overview](references/emm-overview.md)
23│
24├─ Prerequisites / permissions / roles / managed identity
25│  └─ Load [EMM Prerequisites](references/emm-prerequisites.md)
26│
27├─ View enrolled subscriptions / browse / status
28│  └─ See "Browse Enrolled Subscriptions" below
29│
30├─ Offboard / disable EMM for a subscription
31│  └─ See "Offboard a Subscription" below
32│
33└─ Troubleshoot EMM issues
34   └─ See "Troubleshooting" below
35```
36 
37| Signal | Reference |
38| ------ | --------- |
39| "enable EMM", "onboard subscription", "enroll VMs", "set up machine management" | [EMM Enable Flow](references/emm-enable-flow.md) |
40| User explicitly mentions "portal", "Azure portal", "portal UI" | [EMM Enable Flow (Portal)](references/emm-enable-flow-portal-guidance.md) |
41| "what is EMM", "features", "pricing", "tiers", "what does EMM include" | [EMM Overview](references/emm-overview.md) |
42| "permissions", "roles", "prerequisites", "managed identity for EMM" | [EMM Prerequisites](references/emm-prerequisites.md) |
43 
44> ⚠️ **Important:** Only route to the portal guide when the user explicitly mentions "portal". All other enable requests use the Copilot-guided flow.
45 
46## Browse Enrolled Subscriptions
47 
48Query the EMM resource on each subscription to check enrollment status:
49 
50```text
51GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps/managedOps/default?api-version=2025-07-28-preview
52```
53 
54| Response | Meaning |
55| -------- | ------- |
56| `200` with `provisioningState: Succeeded` | Subscription is enrolled |
57| `200` with `provisioningState: Failed` | Enrollment attempted but failed — check error details |
58| `404` | Subscription is not enrolled |
59 
60When enrolled, the response includes:
61- **SKU/tier** — e.g. Essential
62- **Enabled services** — Azure Monitor Insights, Update Manager, Change Tracking, Policy & Machine Configuration, Defender CSPM, Defender for Servers
63- **UAMI** — the user-assigned managed identity resource ID
64- **Workspaces** — Log Analytics and Azure Monitor workspace resource IDs
65- **Created by / date** — who enrolled and when (in `systemData`)
66 
67To scan multiple subscriptions, use `mcp_azure_mcp_subscription_list` to list available subscriptions, then query each one. Report results as a table:
68 
69```text
70| Subscription | Status | SKU | Services Enabled |
71```
72 
73## Offboard a Subscription
74 
75To disable EMM for a subscription, follow the "Disable EMM (Offboard)" section in [EMM Enable Flow](references/emm-enable-flow.md).
76 
77> ⚠️ **Warning:** When you disable a subscription, machines no longer use consolidated pricing. Pricing reverts to standard per-service pricing which may increase costs. Existing VM configurations are not removed — disable unneeded services manually.
78 
79## Troubleshooting
80 
81For common EMM issues, refer to the official documentation:
82- [Troubleshoot Essential Machine Management (Preview)](https://learn.microsoft.com/en-us/azure/operations/configuration-enrollment-troubleshoot)
83 
84Common issues include:
85- Missing role assignments (EMM Administrator, Managed Identity Operator, Resource Policy Contributor)
86- Resource provider `Microsoft.ManagedOps` not registered in the subscription
87- UAMI lacking Contributor permission on the subscription
88- Cross-subscription workspace access requires additional RP registration
89 
90## Error Handling
91 
92| Error | Cause | Remediation |
93| ----- | ----- | ----------- |
94| Permission denied during enable | User lacks required roles | Assign EMM Administrator, Managed Identity Operator, and Resource Policy Contributor roles |
95| UAMI role check fails | Managed identity lacks Contributor | Assign Contributor role to the UAMI at subscription scope |
96| RP not registered | `Microsoft.ManagedOps` not registered | Register via `Register-AzResourceProvider -ProviderNamespace "Microsoft.ManagedOps"` |
97| Cross-subscription workspace error | Workspace in different sub without RP registration | Register `Microsoft.ManagedOps` in the workspace subscription and assign EMM Administrator on the workspace resource group |
98| Deployment fails | ARM template validation error | Check deployment link in browse view for detailed error; verify all prerequisites |
99