Select, configure, and scale Azure compute resources—VMs, App Service, AKS, and Container Apps
workflows/essential-machine-management/references/emm-enable-flow.md
# EMM Enable Flow

Copilot-guided step-by-step workflow for enabling Essential Machine Management on a subscription. Copilot orchestrates each step, triggering the necessary CLI commands or API calls on behalf of the user.

## Quick Reference

| Property | Value |
| -------- | ----- |
| Resource type | `Microsoft.ManagedOps/ManagedOps` |
| Resource provider | `Microsoft.ManagedOps` |
| API version | `2025-07-28-preview` |
| Deployment scope | Subscription-level |

## Workflow Steps

### Step 1: Select Target Subscription

Ask the user which subscription to enable EMM for. Use MCP tools to list subscriptions if needed.

| MCP Tool | Purpose |
| -------- | ------- |
| `mcp_azure_mcp_subscription_list` | List available subscriptions |

Store the selected `subscriptionId` and `tenant` for all subsequent steps.

### Step 2: Validate User Role Assignments

Check that the current user has the 3 required roles on the target subscription. This requires two API calls: one to get the user's role assignments, and one to get all role definitions. Then compare the user's assigned permissions against the required roles.

**Step 2a: Get current user's object ID**

```bash
az rest --method GET --url "https://graph.microsoft.com/v1.0/me" --query id -o tsv
```

**Step 2b: Get user's role assignments on the subscription**

```text
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=assignedTo('{objectId}')
```

> 💡 **Tip:** The `assignedTo` filter is self-scoped — it allows the user to query their own role assignments without needing `Microsoft.Authorization/roleAssignments/read`. However, a 403 will still occur if the user has no role on the subscription at all.

**Step 2c: Get all role definitions on the subscription**

```text
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01
```

**Step 2d: Join and check permissions**

For each role assignment, match `properties.roleDefinitionId` to the role definitions to resolve the role name and its `properties.permissions[]`. Then check whether the user's combined permissions cover all three required roles:

| Required Role | Key Permissions (actions) |
| ------------- | ------------------------ |
| Essential Machine Management Administrator | `Microsoft.ManagedOps/managedOps/*`, `Microsoft.Insights/dataCollectionRules/*`, `Microsoft.Monitor/accounts/*`, `Microsoft.OperationalInsights/workspaces/read`, `Microsoft.Security/pricings/*` |
| Managed Identity Operator | `Microsoft.ManagedIdentity/userAssignedIdentities/*/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` |
| Resource Policy Contributor | `Microsoft.Authorization/policyassignments/*`, `Microsoft.Authorization/policydefinitions/*`, `Microsoft.PolicyInsights/*` |

> 💡 **Tip:** If the user has **Owner** at subscription scope, they satisfy all required permissions. Check for Owner first as a fast path.

```text
Check result?
├─ All 3 roles covered → Proceed to Step 3
├─ Owner found → All roles satisfied, proceed to Step 3
└─ Missing roles → Inform user which roles are missing and how to assign them, then re-check
```

### Step 3: Select or Create a User-Assigned Managed Identity (UAMI)

Ask the user to provide an existing UAMI or create a new one. The UAMI must have **Contributor** on the target subscription.

Verify the UAMI's role using the same API pattern as Step 2, but filter by the UAMI's principal ID (object ID) instead of the user's:

```text
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=assignedTo('{uamiPrincipalId}')
```

Check that at least one assignment resolves to the **Contributor** role definition.

> 💡 **Tip:** If the UAMI lacks the Contributor role, guide the user to assign it before proceeding.

Store the full UAMI resource ID: `/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>`

### Step 4: Select or Create Monitoring Workspaces

Ask the user for a **Log Analytics workspace** and an **Azure Monitor workspace**. Offer to create new ones if needed.

| Resource | CLI Command | Purpose |
| -------- | ----------- | ------- |
| Log Analytics workspace (list) | `az monitor log-analytics workspace list --subscription <subId> -o table` | List existing workspaces |
| Log Analytics workspace (create) | `az monitor log-analytics workspace create --workspace-name <name> --resource-group <rg> --subscription <subId> --location <location>` | Create new workspace |
| Azure Monitor workspace (list) | `az resource list --resource-type "Microsoft.Monitor/accounts" --subscription <subId> -o table` | List existing workspaces |
| Azure Monitor workspace (create) | `az resource create --resource-type "Microsoft.Monitor/accounts" --name <name> --resource-group <rg> --subscription <subId> --location <location> --properties "{}"` | Create new workspace |

> ⚠️ **Warning:** If workspaces are in a **different subscription** than the target:
> - Register `Microsoft.ManagedOps` RP in the workspace subscription
> - User needs **EMM Administrator** role on the workspace resource group
> - UAMI needs **Contributor** on the workspace resource group

Store both workspace resource IDs.

### Step 5: Configure Security Options

Ask the user about optional security add-ons.

| Feature | Default | Cost |
| ------- | ------- | ---- |
| Foundational CSPM | Always enabled | Free |
| Defender CSPM | Disabled | Paid |
| Defender for Cloud | Disabled | Paid |

Store user selections as `enabled` or `disabled`.

### Step 6: Register Resource Providers

Register required RPs on the target subscription before deployment.

```bash
az provider register --namespace Microsoft.ManagedOps --subscription <subscriptionId>
az provider register --namespace Microsoft.OperationsManagement --subscription <subscriptionId>
az provider register --namespace Microsoft.PolicyInsights --subscription <subscriptionId>
az provider register --namespace Microsoft.Insights --subscription <subscriptionId>
az provider register --namespace Microsoft.OperationalInsights --subscription <subscriptionId>
az provider register --namespace Microsoft.Monitor --subscription <subscriptionId>
az provider register --namespace Microsoft.ManagedIdentity --subscription <subscriptionId>
az provider register --namespace Microsoft.Security --subscription <subscriptionId>
```

> 💡 **Tip:** RP registration is idempotent — safe to run even if already registered.

### Step 7: Deploy EMM via ARM API

Submit the PUT request to enable EMM on the subscription.

```text
PUT /subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps/managedOps/default?api-version=2025-07-28-preview
```

Request body:

```json
{
  "properties": {
    "desiredConfiguration": {
      "defenderCspm": "<enabled|disabled>",
      "defenderForServers": "<enabled|disabled>",
      "changeTrackingAndInventory": {
        "logAnalyticsWorkspaceId": "<log-analytics-workspace-resource-id>"
      },
      "userAssignedManagedIdentityId": "<uami-resource-id>",
      "azureMonitorInsights": {
        "azureMonitorWorkspaceId": "<azure-monitor-workspace-resource-id>"
      }
    }
  }
}
```

Populate the request body with the values collected in previous steps.

### Step 8: Verify Enrollment

After deployment completes, confirm the subscription is enrolled.

```text
GET /subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps/managedOps/default?api-version=2025-07-28-preview
```

```text
Deployment status?
├─ Succeeded → Report success to user. All existing VMs will be enrolled via policy remediation.
├─ In progress → Wait and re-check after a short interval.
└─ Failed → Read error details and route to Error Handling in the parent workflow.
```

## Disable EMM (Offboard)

To disable EMM for a subscription:

```text
DELETE /subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps/managedOps/default?api-version=2025-07-28-preview
```

> ⚠️ **Warning:** Disabling reverts pricing to standard per-service rates, which may increase costs. Existing VM configurations are not removed.

## Error Handling

| Error | Cause | Remediation |
| ----- | ----- | ----------- |
| 403 on role check | User has no RBAC role assignment on the subscription (the `assignedTo` filter is self-scoped and does not require `roleAssignments/read`, but the user must have at least one role on the subscription) | Inform user they lack Owner or Contributor role on this subscription and cannot proceed with EMM enrollment |
| Missing required roles | User missing EMM Administrator, Managed Identity Operator, or Resource Policy Contributor | Guide user to assign missing roles, then re-validate |
| UAMI lacks Contributor | Managed identity missing Contributor role | Assign Contributor to the UAMI at subscription scope |
| RP registration failed | Insufficient permissions to register providers | User needs Contributor or Owner on the subscription |
| PUT deployment fails | ARM validation error | Check error details; verify all prerequisites met |
| Cross-subscription error | Workspace in different sub without RP/role setup | Register `Microsoft.ManagedOps` in workspace sub; assign roles on workspace RG |
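The join in Step 2d (and the Contributor check on the UAMI in Step 3) is easy to get wrong if wildcards and `notActions` are ignored: a user holding only **Contributor** has `*` in `actions`, yet its `notActions` carve out `Microsoft.Authorization/*/Write`, so `Microsoft.Authorization/policyassignments/*` is not actually granted. The following is an added example, not code from the skill package, that performs the Step 2b/2c join offline on constructed JSON in the shape ARM returns, applies the Owner fast path, and reports which of the three required roles are still missing. The role definition GUIDs are placeholders rather than the real built-in role IDs, and the Contributor `notActions` shown are the ones this example assumes for illustration.

```python
"""Added example (not from the EMM workflow document): offline evaluation of the
Step 2b/2c role-assignment and role-definition responses against the three
required roles, plus the Step 3 "resolves to Contributor" check.
All JSON below is constructed sample data; GUIDs are placeholders."""
import re
from functools import lru_cache

# Required roles and their key actions, as listed in Step 2d of the document.
REQUIRED_ROLES = {
    "Essential Machine Management Administrator": [
        "Microsoft.ManagedOps/managedOps/*",
        "Microsoft.Insights/dataCollectionRules/*",
        "Microsoft.Monitor/accounts/*",
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.Security/pricings/*",
    ],
    "Managed Identity Operator": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
    ],
    "Resource Policy Contributor": [
        "Microsoft.Authorization/policyassignments/*",
        "Microsoft.Authorization/policydefinitions/*",
        "Microsoft.PolicyInsights/*",
    ],
}


def covers(granted, required):
    """True if every action matched by `required` is also matched by `granted`.
    Each '*' in `granted` may absorb any text, including a literal '*' in
    `required`; this is a sound (never over-permissive) inclusion test."""
    rx = ".*".join(re.escape(part) for part in granted.lower().split("*"))
    return re.fullmatch(rx, required.lower()) is not None


@lru_cache(maxsize=None)
def _overlap(a, b):
    if not a and not b:
        return True
    if not a:
        return set(b) == {"*"}
    if not b:
        return set(a) == {"*"}
    if a[0] == "*":
        return _overlap(a[1:], b) or _overlap(a, b[1:])
    if b[0] == "*":
        return _overlap(a, b[1:]) or _overlap(a[1:], b)
    return a[0] == b[0] and _overlap(a[1:], b[1:])


def overlap(a, b):
    """True if two Azure action globs can match at least one common action."""
    return _overlap(a.lower(), b.lower())


def effective_grants(assignments, definitions):
    """Join Step 2b assignments to Step 2c definitions on roleDefinitionId and
    return one grant (role name, actions, notActions) per permission block."""
    by_id = {d["id"].lower(): d for d in definitions["value"]}
    grants = []
    for a in assignments["value"]:
        d = by_id.get(a["properties"]["roleDefinitionId"].lower())
        if d is None:  # definition not in the fetched set; skip rather than guess
            continue
        for perm in d["properties"]["permissions"]:
            grants.append({
                "roleName": d["properties"]["roleName"],
                "actions": [x.lower() for x in perm.get("actions", [])],
                "notActions": [x.lower() for x in perm.get("notActions", [])],
            })
    return grants


def action_covered(action, grants):
    """Azure evaluates Actions minus NotActions per role, then unions roles:
    a grant counts only if it includes the action and no notAction touches it."""
    return any(
        any(covers(p, action) for p in g["actions"])
        and not any(overlap(n, action) for n in g["notActions"])
        for g in grants
    )


def missing_roles(assignments, definitions):
    """Required roles whose key actions are not all covered ([] = proceed).
    Owner at subscription scope is the document's fast path."""
    grants = effective_grants(assignments, definitions)
    if any(g["roleName"] == "Owner" for g in grants):
        return []
    return [role for role, actions in REQUIRED_ROLES.items()
            if not all(action_covered(a, grants) for a in actions)]


def has_role(assignments, definitions, role_name):
    """Step 3 check: at least one assignment resolves to the named role."""
    return any(g["roleName"] == role_name
               for g in effective_grants(assignments, definitions))


# ---- constructed sample data (placeholder subscription and role GUIDs) ----
SUB = "/subscriptions/00000000-0000-0000-0000-0000000000aa"


def _definition(guid, name, actions, not_actions=()):
    return {"id": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}",
            "name": guid,
            "properties": {"roleName": name, "permissions": [
                {"actions": list(actions), "notActions": list(not_actions)}]}}


def _assignment(guid):
    return {"properties": {"scope": SUB, "roleDefinitionId":
            f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}"}}


OWNER_ID, CONTRIB_ID, POLICY_ID = ("11111111-0000-0000-0000-00000000000%d" % i for i in (1, 2, 3))
DEFINITIONS = {"value": [
    _definition(OWNER_ID, "Owner", ["*"]),
    _definition(CONTRIB_ID, "Contributor", ["*"],
                ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action"]),
    _definition(POLICY_ID, "Resource Policy Contributor",
                REQUIRED_ROLES["Resource Policy Contributor"]),
]}
CONTRIBUTOR_ONLY = {"value": [_assignment(CONTRIB_ID)]}
CONTRIBUTOR_AND_POLICY = {"value": [_assignment(CONTRIB_ID), _assignment(POLICY_ID)]}
OWNER = {"value": [_assignment(OWNER_ID)]}

if __name__ == "__main__":
    print("Contributor only, missing:", missing_roles(CONTRIBUTOR_ONLY, DEFINITIONS))
    print("Contributor + policy, missing:", missing_roles(CONTRIBUTOR_AND_POLICY, DEFINITIONS))
    print("UAMI has Contributor:", has_role(CONTRIBUTOR_ONLY, DEFINITIONS, "Contributor"))
```

With the constructed data, Contributor alone leaves `Resource Policy Contributor` missing because its `notActions` overlap the policy-assignment actions, which is exactly the case the "Missing roles" branch of the Step 2 decision tree should surface to the user rather than letting the PUT in Step 7 fail later.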
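Steps 3 through 7 collect resource IDs and two `enabled|disabled` choices and then hand them to the PUT in Step 7, and the Step 4 warning only applies when a workspace lives in a different subscription than the target. The following added example (not part of the skill package) assembles the Step 7 request body with the field names the document shows, rejects malformed IDs and option values before any request is sent, and derives the cross-subscription prerequisite list from the subscription segment of each workspace ID. All IDs are constructed placeholders; the Log Analytics workspace ID shape (`Microsoft.OperationalInsights/workspaces`) is inferred from the action names in Step 2d, and mapping the Step 5 "Defender for Cloud" choice onto the body's `defenderForServers` field is an assumption.

```python
"""Added example (not from the EMM workflow document): build and validate the
Step 7 request body from the values gathered in Steps 1, 3, 4 and 5, and
flag the Step 4 cross-subscription prerequisites. IDs are constructed."""
import json
import re

ARM_PUT_PATH = ("/subscriptions/{subscriptionId}/providers/Microsoft.ManagedOps"
                "/managedOps/default?api-version=2025-07-28-preview")

_GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_PREFIX = rf"^/subscriptions/(?P<sub>{_GUID})/resourceGroups/(?P<rg>[^/]+)/providers/"
# UAMI shape is given verbatim in Step 3; workspace shapes follow the same ARM
# layout for the resource types named in Steps 2d and 4 (assumed).
_RID = {
    "uami": re.compile(_PREFIX + r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.I),
    "logAnalytics": re.compile(_PREFIX + r"Microsoft\.OperationalInsights/workspaces/[^/]+$", re.I),
    "azureMonitor": re.compile(_PREFIX + r"Microsoft\.Monitor/accounts/[^/]+$", re.I),
}


def parse_resource_id(kind, rid):
    """Return (subscriptionId, resourceGroup) or raise if the ID is malformed."""
    m = _RID[kind].match(rid)
    if not m:
        raise ValueError(f"{kind} resource ID is malformed: {rid!r}")
    return m.group("sub").lower(), m.group("rg")


def cross_subscription_prerequisites(subscription_id, log_analytics_id, azure_monitor_id):
    """Step 4 warning: for each workspace outside the target subscription, list
    what must be in place there before the PUT (RP registration, user role,
    UAMI role). An empty list means both workspaces are in the target sub."""
    notes = []
    for kind, rid in (("logAnalytics", log_analytics_id), ("azureMonitor", azure_monitor_id)):
        ws_sub, ws_rg = parse_resource_id(kind, rid)
        if ws_sub != subscription_id.lower():
            notes.append(f"register Microsoft.ManagedOps in subscription {ws_sub}")
            notes.append(f"user needs EMM Administrator on resource group {ws_rg} in {ws_sub}")
            notes.append(f"UAMI needs Contributor on resource group {ws_rg} in {ws_sub}")
    return notes


def build_request_body(uami_id, log_analytics_id, azure_monitor_id,
                       defender_cspm, defender_for_servers):
    """Return the Step 7 body (as a dict) after validating every input."""
    for name, value in (("defenderCspm", defender_cspm),
                        ("defenderForServers", defender_for_servers)):
        if value not in ("enabled", "disabled"):
            raise ValueError(f"{name} must be 'enabled' or 'disabled', got {value!r}")
    parse_resource_id("uami", uami_id)
    parse_resource_id("logAnalytics", log_analytics_id)
    parse_resource_id("azureMonitor", azure_monitor_id)
    return {"properties": {"desiredConfiguration": {
        "defenderCspm": defender_cspm,
        "defenderForServers": defender_for_servers,
        "changeTrackingAndInventory": {"logAnalyticsWorkspaceId": log_analytics_id},
        "userAssignedManagedIdentityId": uami_id,
        "azureMonitorInsights": {"azureMonitorWorkspaceId": azure_monitor_id},
    }}}


# ---- constructed sample values (placeholders, not real resources) ----
TARGET_SUB = "00000000-0000-0000-0000-0000000000aa"
OTHER_SUB = "00000000-0000-0000-0000-0000000000bb"
UAMI_ID = (f"/subscriptions/{TARGET_SUB}/resourceGroups/rg-emm/providers/"
           "Microsoft.ManagedIdentity/userAssignedIdentities/id-emm")
LA_ID = (f"/subscriptions/{TARGET_SUB}/resourceGroups/rg-monitor/providers/"
         "Microsoft.OperationalInsights/workspaces/law-emm")
AM_ID = (f"/subscriptions/{TARGET_SUB}/resourceGroups/rg-monitor/providers/"
         "Microsoft.Monitor/accounts/amw-emm")
AM_ID_OTHER_SUB = (f"/subscriptions/{OTHER_SUB}/resourceGroups/rg-shared/providers/"
                   "Microsoft.Monitor/accounts/amw-shared")

if __name__ == "__main__":
    print("PUT", ARM_PUT_PATH.format(subscriptionId=TARGET_SUB))
    print(json.dumps(build_request_body(UAMI_ID, LA_ID, AM_ID, "enabled", "disabled"), indent=2))
    for note in cross_subscription_prerequisites(TARGET_SUB, LA_ID, AM_ID_OTHER_SUB):
        print("prerequisite:", note)
```

Validating the IDs locally catches the most common "PUT deployment fails / ARM validation error" row of the Error Handling table before the request is made, and the prerequisite list maps directly onto the "Cross-subscription error" row.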