1# EMM Prerequisites
2 
3Requirements that must be met before enabling Essential Machine Management.
4 
5## Required Azure Resources
6 
7| Resource | Purpose |
8| -------- | ------- |
9| Log Analytics workspace | Collects log data from Change Tracking & Inventory |
10| Azure Monitor workspace | Collects metrics data from VM Insights |
11| User-assigned managed identity (UAMI) | Used to onboard and configure VMs in the subscription |
12 
13## Required User Roles
14 
15The user performing the enrollment must have these roles on the target subscription:
16 
17| Role | Description |
18| ---- | ----------- |
19| Essential Machine Management Administrator | Manages EMM resources, DCRs, monitor/workspace operations, security pricing |
20| Managed Identity Operator | Reads and assigns user-assigned identities |
21| Resource Policy Contributor | Creates/modifies resource policies, policy assignments, and exemptions |
22 
23### Cross-Subscription Workspace Scenario
24 
25If the Log Analytics or Azure Monitor workspace is in a **different subscription**:
26- The user must also have **Essential Machine Management Administrator** on the resource group of the workspace
27- The `Microsoft.ManagedOps` RP must be registered in the workspace subscription
28 
29## Required Managed Identity Roles
30 
31The user-assigned managed identity must have:
32 
33| Role | Scope |
34| ---- | ----- |
35| Contributor | Target subscription being enabled |
36 
37If workspaces are in a different subscription:
38- **Contributor** on the resource group of the Log Analytics workspace and/or Azure Monitor workspace
39 
40## EMM Administrator Permissions Detail
41 
42The Essential Machine Management Administrator role includes these actions:
43 
44```text
45Microsoft.Resources/deployments/*
46Microsoft.Insights/dataCollectionRules/read
47Microsoft.Insights/dataCollectionRules/write
48Microsoft.Monitor/accounts/write
49Microsoft.Monitor/accounts/read
50Microsoft.ManagedOps/managedOps/read
51Microsoft.ManagedOps/managedOps/write
52Microsoft.ManagedOps/managedOps/delete
53Microsoft.OperationsManagement/solutions/read
54Microsoft.OperationsManagement/solutions/write
55Microsoft.OperationalInsights/workspaces/read
56Microsoft.OperationalInsights/workspaces/sharedkeys/action
57Microsoft.OperationalInsights/workspaces/sharedkeys/read
58Microsoft.OperationalInsights/workspaces/listKeys/action
59Microsoft.Resources/subscriptions/resourceGroups/read
60Microsoft.Insights/metricAlerts/write
61Microsoft.Insights/metricAlerts/read
62Microsoft.Security/pricings/write
63Microsoft.Security/pricings/read
64```
65 
66## Resource Provider Registrations
67 
68The following RPs are registered automatically during the enable flow:
69 
70| Resource Provider | Purpose |
71| ----------------- | ------- |
72| `Microsoft.ManagedOps` | Core EMM resource provider |
73| `Microsoft.OperationsManagement` | Operations management solutions |
74| `Microsoft.PolicyInsights` | Policy compliance and remediation |
75| `Microsoft.Insights` | Monitoring and data collection rules |
76| `Microsoft.OperationalInsights` | Log Analytics workspaces |
77| `Microsoft.Monitor` | Azure Monitor workspaces |
78| `Microsoft.ManagedIdentity` | Managed identity operations |
79| `Microsoft.Security` | Defender for Cloud and CSPM |
80| `Microsoft.Resources` | ARM deployments |
81 
82## Validation Checklist
83 
84Before enabling EMM, verify:
85 
86- [ ] User has all 3 required roles on the subscription
87- [ ] UAMI exists and has Contributor on the subscription
88- [ ] Log Analytics workspace exists (or will be created)
89- [ ] Azure Monitor workspace exists (or will be created)
90- [ ] If cross-subscription workspaces: additional roles and RP registrations in place
91