Get Azure VM and VM Scale Set recommendations based on workload, performance, and budget needs.
workflows/essential-machine-management/references/emm-enable-flow.md
# EMM Enable Flow

Copilot-guided step-by-step workflow for enabling Essential Machine Management on a subscription. Copilot orchestrates each step, triggering the necessary CLI commands or API calls on behalf of the user.

## Quick Reference

| Property | Value |
| -------- | ----- |
| Resource type | `Microsoft.ManagedOps/ManagedOps` |
| Resource provider | `Microsoft.ManagedOps` |
| API version | `2025-07-28-preview` |
| Deployment scope | Subscription-level |

## Workflow Steps

### Step 1: Select Target Subscription

Ask the user which subscription to enable EMM for. Use MCP tools to list subscriptions if needed.

| MCP Tool | Purpose |
| -------- | ------- |
| `mcp_azure_mcp_subscription_list` | List available subscriptions |

Store the selected `subscriptionId` and `tenant` for all subsequent steps.

### Step 2: Validate User Role Assignments

Check that the current user holds the three required roles on the target subscription. This takes two API calls: one to get the user's role assignments, and one to get all role definitions. Then compare the user's assigned permissions against the required roles.

**Step 2a: Get current user's object ID**

```bash
az rest --method GET --url "https://graph.microsoft.com/v1.0/me" --query id -o tsv
```

**Step 2b: Get user's role assignments on the subscription**

```text
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=assignedTo('{objectId}')
```

> 💡 **Tip:** The `assignedTo` filter is self-scoped: it lets the user query their own role assignments without holding `Microsoft.Authorization/roleAssignments/read`. A 403 still occurs if the user has no role on the subscription at all.
>
> The response also includes assignments made on resource groups and resources inside the subscription. Only assignments whose `properties.scope` is the subscription itself, a management group above it, or the tenant root (`/`) count toward this check.

**Step 2c: Get all role definitions on the subscription**

```text
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01
```

**Step 2d: Join and check permissions**

For each role assignment, match `properties.roleDefinitionId` to the role definitions to resolve the role name and its `properties.permissions[]`. Then check whether the user's combined permissions cover all three required roles. Remember that each `permissions[]` entry grants its `actions` minus its `notActions`, so an action that a `notActions` pattern matches is not granted even when `actions` is `*`:

| Required Role | Key Permissions (actions) |
| ------------- | ------------------------ |
| Essential Machine Management Administrator | `Microsoft.ManagedOps/managedOps/*`, `Microsoft.Insights/dataCollectionRules/*`, `Microsoft.Monitor/accounts/*`, `Microsoft.OperationalInsights/workspaces/read`, `Microsoft.Security/pricings/*` |
| Managed Identity Operator | `Microsoft.ManagedIdentity/userAssignedIdentities/*/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` |
| Resource Policy Contributor | `Microsoft.Authorization/policyassignments/*`, `Microsoft.Authorization/policydefinitions/*`, `Microsoft.PolicyInsights/*` |

> 💡 **Tip:** If the user has **Owner** at subscription scope, they satisfy all required permissions. Check for Owner first as a fast path. **Contributor** alone does not qualify: its `notActions` include `Microsoft.Authorization/*/Write` and `Microsoft.Authorization/*/Delete`, so it cannot cover the policy assignment and definition actions required by Resource Policy Contributor.

```text
Check result?
├─ All 3 roles covered → Proceed to Step 3
├─ Owner found → All roles satisfied, proceed to Step 3
└─ Missing roles → Inform user which roles are missing and how to assign them, then re-check
```

### Step 3: Select or Create a User-Assigned Managed Identity (UAMI)

Ask the user to provide an existing UAMI or create a new one. The UAMI must have **Contributor** on the target subscription.

Verify the UAMI's role using the same API pattern as Step 2, but filter by the UAMI's principal ID (object ID) instead of the user's:

```text
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=assignedTo('{uamiPrincipalId}')
```

Check that at least one assignment resolves to the **Contributor** role definition with `properties.scope` set to the subscription itself. A Contributor assignment on a single resource group shows up in the response but does not satisfy this requirement.

> 💡 **Tip:** If the UAMI lacks the Contributor role, guide the user to assign it before proceeding.

Store the full UAMI resource ID: `/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>`

### Step 4: Select or Create Monitoring Workspaces

Ask the user for a **Log Analytics workspace** and an **Azure Monitor workspace**. Offer to create new ones if needed.

| Resource | CLI Command | Purpose |
| -------- | ----------- | ------- |
| Log Analytics workspace (list) | `az monitor log-analytics workspace list --subscription <subId> -o table` | List existing workspaces |
| Log Analytics workspace (create) | `az monitor log-analytics workspace create --workspace-name <name> --resource-group <rg> --subscription <subId> --location <location>` | Create new workspace |
| Azure Monitor workspace (list) | `az resource list --resource-type "Microsoft.Monitor/accounts" --subscription <subId> -o table` | List existing workspaces |
| Azure Monitor workspace (create) | `az resource create --resource-type "Microsoft.Monitor/accounts" --name <name> --resource-group <rg> --subscription <subId> --location <location> --properties "{}"` | Create new workspace |

> ⚠️ **Warning:** If workspaces are in a **different subscription** than the target:
> - Register the `Microsoft.ManagedOps` RP in the workspace subscription
> - The user needs the **EMM Administrator** role on the workspace resource group
> - The UAMI needs **Contributor** on the workspace resource group

Store both workspace resource IDs.

### Step 5: Configure Security Options

Ask the user about optional security add-ons.

| Feature | Default | Cost |
| ------- | ------- | ---- |
| Foundational CSPM | Always enabled | Free |
| Defender CSPM | Disabled | Paid |
| Defender for Cloud | Disabled | Paid |

Store user selections as `enabled` or `disabled`; they populate the `defenderCspm` and `defenderForServers` fields of the Step 7 request body.

### Step 6: Register Resource Providers

Register required RPs on the target subscription before deployment.

```bash
az provider register --namespace Microsoft.ManagedOps --subscription <subscriptionId>
az provider register --namespace Microsoft.OperationsManagement --subscription <subscriptionId>
az provider register --namespace Microsoft.PolicyInsights --subscription <subscriptionId>
az provider register --namespace Microsoft.Insights --subscription <subscriptionId>
az provider register --namespace Microsoft.OperationalInsights --subscription <subscriptionId>
az provider register --namespace Microsoft.Monitor --subscription <subscriptionId>
az provider register --namespace Microsoft.ManagedIdentity --subscription <subscriptionId>
az provider register --namespace Microsoft.Security --subscription <subscriptionId>
```

> 💡 **Tip:** RP registration is idempotent; it is safe to run even if a provider is already registered. Registration completes asynchronously, so confirm each provider's `registrationState` is `Registered` before Step 7.

### Step 7: Deploy EMM via ARM API

Submit the PUT request to enable EMM on the subscription.

```text
PUT /subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps/managedOps/default?api-version=2025-07-28-preview
```

Request body:

```json
{
  "properties": {
    "desiredConfiguration": {
      "defenderCspm": "<enabled|disabled>",
      "defenderForServers": "<enabled|disabled>",
      "changeTrackingAndInventory": {
        "logAnalyticsWorkspaceId": "<log-analytics-workspace-resource-id>"
      },
      "userAssignedManagedIdentityId": "<uami-resource-id>",
      "azureMonitorInsights": {
        "azureMonitorWorkspaceId": "<azure-monitor-workspace-resource-id>"
      }
    }
  }
}
```

Populate the request body with the values collected in the previous steps.

### Step 8: Verify Enrollment

After deployment completes, confirm the subscription is enrolled.

```text
GET /subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps/managedOps/default?api-version=2025-07-28-preview
```

```text
Deployment status?
├─ Succeeded → Report success to user. All existing VMs will be enrolled via policy remediation.
├─ In progress → Wait and re-check after a short interval.
└─ Failed → Read error details and route to Error Handling in the parent workflow.
```

## Disable EMM (Offboard)

To disable EMM for a subscription:

```text
DELETE /subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps/managedOps/default?api-version=2025-07-28-preview
```

> ⚠️ **Warning:** Disabling reverts pricing to standard per-service rates, which may increase costs. Existing VM configurations are not removed.

## Error Handling

| Error | Cause | Remediation |
| ----- | ----- | ----------- |
| 403 on role check | User has no RBAC role assignment on the subscription (the `assignedTo` filter is self-scoped and does not require `roleAssignments/read`, but the user must have at least one role on the subscription) | Inform the user that they hold no role on this subscription and cannot proceed with EMM enrollment until an administrator grants the required roles |
| Missing required roles | User missing EMM Administrator, Managed Identity Operator, or Resource Policy Contributor (a Contributor assignment does not cover the policy actions; a role assigned only on a resource group does not count) | Guide user to assign missing roles at subscription scope, then re-validate |
| UAMI lacks Contributor | Managed identity missing the Contributor role at subscription scope | Assign Contributor to the UAMI at subscription scope |
| RP registration failed | Insufficient permissions to register providers | User needs Contributor or Owner on the subscription |
| PUT deployment fails | ARM validation error | Check error details; verify all prerequisites are met |
| Cross-subscription error | Workspace in a different subscription without RP/role setup | Register `Microsoft.ManagedOps` in the workspace subscription; assign roles on the workspace resource group |
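The join described in Step 2d and the UAMI check of Step 3, as an added example (this is not code from the skill package). It consumes the JSON shapes returned by the Step 2b/2c calls, keeps only assignments that apply at subscription scope or above, and evaluates each required action with Azure RBAC semantics: case-insensitive `*` wildcards, and `notActions` subtracted from `actions`. The function names, the sample role definitions (with Contributor's `notActions` list abbreviated) and all GUIDs and object IDs are constructed for the example.

```python
"""Permission join for Step 2d and the UAMI check of Step 3 (added example, not
code from the skill package). Joins the Step 2b/2c responses, keeps only
assignments that apply at subscription scope or above, and evaluates the required
actions with Azure RBAC semantics. Sample responses are constructed; IDs are made up."""
import re
from functools import lru_cache

SUB = "11111111-1111-1111-1111-111111111111"  # target subscription (made up)
REQUIRED = {  # actions from the Step 2d table
    "Essential Machine Management Administrator": [
        "Microsoft.ManagedOps/managedOps/*", "Microsoft.Insights/dataCollectionRules/*",
        "Microsoft.Monitor/accounts/*", "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.Security/pricings/*"],
    "Managed Identity Operator": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action"],
    "Resource Policy Contributor": [
        "Microsoft.Authorization/policyassignments/*",
        "Microsoft.Authorization/policydefinitions/*", "Microsoft.PolicyInsights/*"],
}

def covers(allowed, required):
    """True when every action matching `required` also matches `allowed`. Matching
    `required` literally ('*' as a plain char) against the `allowed` glob is
    conservative: it never reports coverage that does not hold."""
    rx = "^" + ".*".join(re.escape(p) for p in allowed.split("*")) + "$"
    return re.match(rx, required, re.I) is not None

def intersects(p, q):
    """True when some concrete action string matches both wildcard patterns."""
    p, q = p.lower(), q.lower()

    @lru_cache(maxsize=None)
    def go(i, j):  # a '*' either stops here or swallows the other side's next symbol
        if i == len(p) and j == len(q):
            return True
        if i < len(p) and p[i] == "*":
            return go(i + 1, j) or (j < len(q) and go(i, j + 1))
        if j < len(q) and q[j] == "*":
            return go(i, j + 1) or (i < len(p) and go(i + 1, j))
        return i < len(p) and j < len(q) and p[i] == q[j] and go(i + 1, j + 1)
    return go(0, 0)

def entry_covers(entry, required):
    """A permissions[] entry covers `required` when an Actions pattern covers it and
    no NotActions pattern can carve anything out of it (why Contributor, with
    Actions '*' but NotActions Microsoft.Authorization/*/Write, fails the policy actions)."""
    return (any(covers(a, required) for a in entry.get("actions", []))
            and not any(intersects(n, required) for n in entry.get("notActions", [])))

def subscription_level_roles(assignments, definitions, sub):
    """Resolve assignments to role definitions, dropping those made on resource groups
    or resources: assignedTo() returns them too, but they grant nothing at subscription scope."""
    defs = {d["id"].rsplit("/", 1)[-1].lower(): d["properties"] for d in definitions}
    for a in assignments:
        scope = a["properties"]["scope"].lower()
        if (scope == f"/subscriptions/{sub}".lower() or scope == "/"
                or scope.startswith("/providers/microsoft.management/managementgroups/")):
            d = defs.get(a["properties"]["roleDefinitionId"].rsplit("/", 1)[-1].lower())
            if d is not None:  # unknown definition: treat as granting nothing
                yield d

def check_required_roles(assignments, definitions, sub):
    """Step 2d result: {'owner': bool, 'missing': {role: [uncovered actions]}}."""
    roles = list(subscription_level_roles(assignments, definitions, sub))
    owner = any(r["roleName"] == "Owner" and r.get("type") == "BuiltInRole" for r in roles)
    entries = [e for r in roles for e in r["permissions"]]
    missing = {} if owner else {
        role: [x for x in acts if not any(entry_covers(e, x) for e in entries)]
        for role, acts in REQUIRED.items()}
    return {"owner": owner, "missing": {k: v for k, v in missing.items() if v}}

def has_contributor(assignments, definitions, sub):
    """Step 3: the UAMI needs Contributor on the subscription itself, not on a RG."""
    return any(r["roleName"] == "Contributor"
               for r in subscription_level_roles(assignments, definitions, sub))

# Constructed sample responses in the shape ARM returns (GUIDs and IDs are made up).
def _asg(guid, scope, principal):
    rid = f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}"
    return {"properties": {"roleDefinitionId": rid, "scope": scope, "principalId": principal}}

def _defn(guid, name, actions, not_actions=()):
    return {"id": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}",
            "properties": {"roleName": name, "type": "BuiltInRole",
                           "permissions": [{"actions": actions, "notActions": list(not_actions)}]}}

DEFINITIONS = [  # Step 2c subset; Contributor's NotActions list is abbreviated
    _defn("owner-guid", "Owner", ["*"]),
    _defn("contrib-guid", "Contributor", ["*"], ["Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write", "Microsoft.Authorization/elevateAccess/Action"]),
    _defn("mio-guid", "Managed Identity Operator", REQUIRED["Managed Identity Operator"]),
    _defn("rpc-guid", "Resource Policy Contributor",
          ["*/read"] + REQUIRED["Resource Policy Contributor"]),
]
RG = f"/subscriptions/{SUB}/resourceGroups/rg-emm"
USER_ASSIGNMENTS = [_asg("contrib-guid", f"/subscriptions/{SUB}", "user-oid"),  # Step 2b
                    _asg("mio-guid", f"/subscriptions/{SUB}", "user-oid"),
                    _asg("rpc-guid", RG, "user-oid")]  # RG-scoped: does not count
UAMI_ASSIGNMENTS = [_asg("contrib-guid", RG, "uami-oid")]  # Step 3: Contributor on a RG only
```

With the constructed data, `check_required_roles(USER_ASSIGNMENTS, DEFINITIONS, SUB)` reports Owner absent and two Resource Policy Contributor actions missing: Contributor's `*` is cut down by its `notActions`, and the user's real Resource Policy Contributor assignment sits on a resource group, so it is ignored; `has_contributor(UAMI_ASSIGNMENTS, DEFINITIONS, SUB)` is false for the same scope reason. Adding an Owner assignment at subscription scope short-circuits the check, matching the fast path in Step 2d.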
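The input validation a practitioner would run between Step 4 and Step 7, as an added example (not code from the skill package): it parses the UAMI and workspace resource IDs collected in Steps 3 and 4, rejects an ID of the wrong resource type (for instance a Log Analytics workspace ID pasted into the Azure Monitor workspace slot), lists the extra prerequisites from the Step 4 warning for any workspace outside the target subscription, and assembles the Step 7 URL and request body. The function names and every ID below are constructed for the example.

```python
"""Validation for Steps 4 and 7 (added example, not code from the skill package).
Parses the collected ARM resource IDs, rejects wrong resource types, reports
cross-subscription workspaces with the Step 4 prerequisites, and builds the
Step 7 request. All IDs are constructed."""
import re

API = "2025-07-28-preview"
TYPES = {  # body field -> ARM resource type it must reference
    "userAssignedManagedIdentityId": "Microsoft.ManagedIdentity/userAssignedIdentities",
    "logAnalyticsWorkspaceId": "Microsoft.OperationalInsights/workspaces",
    "azureMonitorWorkspaceId": "Microsoft.Monitor/accounts",
}
_ID = re.compile(r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)"
                 r"/providers/(?P<type>[^/]+/[^/]+)/(?P<name>[^/]+)$", re.I)

def parse_resource_id(field, rid):
    """Split a resource-group-scoped ARM ID; raise ValueError when it is malformed
    or names a resource type other than the one `field` must reference."""
    m = _ID.match(rid)
    if not m:
        raise ValueError(f"{field}: not a resource-group-scoped ARM resource ID: {rid}")
    if m["type"].lower() != TYPES[field].lower():
        raise ValueError(f"{field}: expected {TYPES[field]}, got {m['type']}")
    return {"subscription": m["sub"].lower(), "resourceGroup": m["rg"],
            "type": TYPES[field], "name": m["name"]}

def cross_subscription_prereqs(target_sub, workspace_ids):
    """Step 4 warning: for each workspace outside the target subscription, return
    where it lives and what must be set up there before Step 7."""
    out = []
    for field, rid in workspace_ids.items():
        p = parse_resource_id(field, rid)
        if p["subscription"] != target_sub.lower():
            out.append({"field": field, "subscription": p["subscription"],
                        "resourceGroup": p["resourceGroup"], "todo": [
                            "register Microsoft.ManagedOps in the workspace subscription",
                            "user: Essential Machine Management Administrator on the resource group",
                            "UAMI: Contributor on the resource group"]})
    return out

def build_enable_request(target_sub, uami_id, law_id, amw_id,
                         defender_cspm=False, defender_for_servers=False):
    """Step 7: return (url, body); every ID is validated before it enters the body."""
    for field, rid in (("userAssignedManagedIdentityId", uami_id),
                       ("logAnalyticsWorkspaceId", law_id), ("azureMonitorWorkspaceId", amw_id)):
        parse_resource_id(field, rid)

    def flag(on):  # Step 5 selections are stored as the strings enabled/disabled
        return "enabled" if on else "disabled"
    url = (f"https://management.azure.com/subscriptions/{target_sub}/providers/"
           f"Microsoft.ManagedOps/managedOps/default?api-version={API}")
    body = {"properties": {"desiredConfiguration": {
        "defenderCspm": flag(defender_cspm),
        "defenderForServers": flag(defender_for_servers),
        "changeTrackingAndInventory": {"logAnalyticsWorkspaceId": law_id},
        "userAssignedManagedIdentityId": uami_id,
        "azureMonitorInsights": {"azureMonitorWorkspaceId": amw_id}}}}
    return url, body

# Constructed inputs: the Azure Monitor workspace lives in a second subscription.
TARGET = "11111111-1111-1111-1111-111111111111"
OTHER = "22222222-2222-2222-2222-222222222222"
UAMI = (f"/subscriptions/{TARGET}/resourceGroups/rg-emm/providers/"
        "Microsoft.ManagedIdentity/userAssignedIdentities/emm-uami")
LAW = (f"/subscriptions/{TARGET}/resourceGroups/rg-mon/providers/"
       "Microsoft.OperationalInsights/workspaces/law-emm")
AMW = f"/subscriptions/{OTHER}/resourceGroups/rg-shared/providers/Microsoft.Monitor/accounts/amw-shared"

if __name__ == "__main__":
    print(cross_subscription_prereqs(TARGET, {"logAnalyticsWorkspaceId": LAW,
                                              "azureMonitorWorkspaceId": AMW}))
    print(build_enable_request(TARGET, UAMI, LAW, AMW, defender_cspm=True)[1])
```

The type check matters because the PUT body carries three opaque resource IDs: a wrong-type ID that ARM happens to accept would be caught only at deployment time, or not at all. The cross-subscription report gives Copilot the exact subscription and resource group on which to register the RP and assign the two roles from the Step 4 warning.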