Skip to content
/ arc-windowsattest Public

Software Assurance Attestation for Azure Arc Windows Servers

License

GPL-3.0 license
1 star 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cobeyerrett/arc-windowsattest

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
attestArcServers.ps1
attestArcServers.ps1
 
 
query.kusto
query.kusto
 
 
verifySAattestation.kusto
verifySAattestation.kusto
 
 

Repository files navigation

Software Assurance Attestation for Azure Arc Windows Servers

Description

The script uses the query.kusto file to get the list of Arc-enabled servers that are eligible for Software Assurance. The script then attests the servers by setting the softwareAssuranceCustomer property to true . It is based on the script published on Microsoft Learn .

The Set-Attestation function is used to attest the servers. The function takes the subscription ID, resource group name, machine name, and location as parameters. The function then sends a PUT request to the Azure Arc API endpoint to attest the server.

The script will get the list of Arc-enabled servers that are eligible for Software Assurance and attest the servers by setting the softwareAssuranceCustomer property to true .

Prerequisites

  • An Microsoft Entra ID tenant as well as an active Azure subscription.
  • Windows Server(s) already onboarded to the Azure ARC platform. Please check the Connected Machine agent prerequisites to ensure your servers are ready for onboarding.
  • The Microsoft Entra application ID and secret key for the service principal created above.

Azure rights required for the scripts to work

The following rights have to be delegated on the resource groups you plan on using to store the ESU licence objects as well as the resource groups containing the Azure ARC servers:

  • "Microsoft.HybridCompute/machines/*/read"
  • "Microsoft.HybridCompute/machines/*/write"

There is a custom role definition located in the Custom Roles folder in this repository that can be used to create a custom role with the required rights. Please check the Create a custom role using Azure PowerShell to create a custom role with the custom role definition.

Running the script

To run the script, open a Powershell (Ideally from CloudShell) window and run the following command:

  1. git clone https://github.com/cobeyerrett/arc-windowsattest.git
  2. .\arc-windowsattest\attestArcServers.ps1 -subscriptionId YOUR_SUBID -tenantId YOUR_TENANTID

Verification of Attestation

The attestation of the Windows SA licensing can be achieved by running the resource graph verifySAattestation.kusto KQL query in your environment.

Resources

Navigating the source code

This project has the following structure:

File/Folder Description
attestArcServers.ps1 Main powershell file to attest the Windows Software Assurance for Azure Arc connected machines
query.kusto The kusto (KQL) query to obtain the Arc-enabled Windows servers to attest
verifySAattestation.kusto The kusto (KQL) query to verify the Arc-enabled Windows servers have been attested

About

Software Assurance Attestation for Azure Arc Windows Servers

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages