Azure Arc with Defender for cloud

Deploying external server to Defender for Cloud

Deploying those servers can be done with the following methods:

  • Using Azure Arc-enabled servers (recommended)
  • From Defender for Cloud’s pages in the Azure portal

And this is the reason we are talking about Arc as an onboarding tools.

See more here

But as many use Azure for your VMs and once you do, you will have some troubles on connecting to some services that are supposed to be used for outside Azure servers, one of them being Azure Arc.

The error?

Add your server to Azure Arc, define RSGs, operating system version and connection type

And generate the script based on these parameters

When you onboard your resource to Arc and download the script, you will get this warning statement, what a huge bummer.

Why this happens?

For a couple of reason and one of them being

VM extensions

Extensions are compact programs that offer automation and post-deployment setup for Azure virtual machines. (VMs). Numerous extensions for VM configuration, monitoring, security, and utility apps are available on the Azure platform. The installation process is made simpler by publishers who take a program and wrap it in an extension.

The agent for Azure Arc-enabled servers cannot handle VM extensions that have already been deployed to the VM, despite the fact that they support many of the same extensions as Azure VMs. So, you have to remove them. or IMDS IP

This IP is commonly used with all Cloud providers and in Azure it will give the VM the following Metadata information: the SKU, storage, network configurations, and upcoming maintenance events and more

So it it will check your Azure VM licensing and activation, this is the reason the blocking is meant for Evaluation purposes only. The following is one thing, you will surely see when you boot the VM for the first time.

See more from Learn


For Google

How to “fix” it?

Open you VM in Azure portal and choose Extensions from the left-hand pane. If the VM has any installed extensions, choose each one separately, then choose Uninstall.

Then run the following commands inside the VM.

Stopping the service

And the firewall block

And happy times!

And the server will magically appear in the portal

Defender for Cloud view

It takes some time for the server to be seen inside Defender for Cloud inventory.

If you open the server, you will those recommendations (Azure policies) that you should be compliant with based on the resource type

Testing it out

Because it is not a virus and contains no pieces of viral code, it is safe to spread.
It is also brief and easy to construct using a standard text editor because it is solely made up of readable ASCII characters.

As long as the file begins with the first 68 of the following characters and is precisely 68 bytes long, any antivirus program that supports the EICAR test file should be able to identify it in any file:


Read more from Eicar here,

You can down an test malware file here

Or with this

Once you download (just download, don’t have to run anything) the file and disable Defender for Endpoint and Antivirus or exclude the location that the file will be downloaded to, you will see this inside Defender for Cloud

Under alerts under the server, you can see the different alerts

And the details for the alerts and event Threat Information for Eicar

And it will be clearly saying that it’s not a real threat which is kind of funny.


How cool is that, testing things out in the comfort of your own Azure tenant. Don’t have to go far from home to achieve this.

There is also other good news for the masses, masses meaning many SQL in this sentence. You can also onboard all your SQL-servers at scale with Azure Policy

Happy times and happy Easter to all!

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *