Scenario
A small business runs several on‑premises servers but has no centralised management solution such as SCCM, Group Policy, or Ansible. The IT team wants a free, secure, cloud‑based way to manage these servers remotely without exposing them to the internet or setting up a VPN.
Azure Arc provides exactly this: a lightweight agent that connects on‑premises servers to Azure, allowing centralised management, remote access, and governance, all at zero cost for basic server onboarding.
Your task is to onboard six servers (Windows and Linux) to Azure Arc using PowerShell remoting and SSH, then manage them securely from the Azure portal.
Lab Objectives
By the end of this lab, you will be able to:
- Register Azure resource providers and create a service principal for secure onboarding.
- Onboard multiple Windows servers using PowerShell remoting.
- Configure SSH key‑based authentication for Linux servers.
- Onboard Linux servers using a custom wrapper script.
- Use Windows Admin Center in Azure to manage Windows servers remotely.
- Use Azure CLI to SSH into Linux servers securely via Azure Arc.
Prerequisites
- Azure subscription with a valid payment method
- PowerShell 7 installed on the admin workstation
- Azure CLI installed on the admin workstation
- Three Linux servers with:
  - PowerShell 7
  - SSH enabled
- Three Windows servers (two Desktop Experience, one Server Core)
- Windows 10 admin workstation with PowerShell 7
- Internet connectivity from all servers
Register Azure Resource Providers
Azure Arc requires specific resource providers to be enabled.
- In the Azure portal, go to Subscriptions → Resource Providers.
- Register the required providers for Azure Arc (e.g., Microsoft.HybridCompute, Microsoft.GuestConfiguration).
Verification
All required providers show as Registered.
Create a Service Principal for Secure Onboarding
Use a service principal instead of a user account for improved security.
- Go to Microsoft Entra ID → App Registrations → New Registration.
- Name the service principal.
- Create a Client Secret and copy it securely.
- Assign the service principal the role Azure Connected Machine Onboarding at the Resource Group level.
Verification
The service principal appears with the correct role assignment.
Create an Azure Arc Resource Group
Organise all Arc‑connected machines in one place.
- Create a new Resource Group.
- Select your region.
Verification
The Resource Group appears in the Azure portal.
Prepare Windows Servers for PowerShell Remoting
Enable WinRM so the admin workstation can push scripts remotely.
On the Windows 10 admin PC:
- Start the WinRM service:
Start-Service WinRM
- Allow all trusted hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
- Test connectivity:
Invoke-Command -ComputerName winserver01 -ScriptBlock { hostname }
Verification
The remote server returns its hostname.
Generate the Azure Arc Windows Onboarding Script
Download the onboarding script from Azure.
- Go to Azure Arc → Machines → Add → Script (Multiple Servers).
- Select:
  - Resource Group
  - Region
  - OS: Windows
  - Public endpoint
  - Service principal created earlier
- Download the PowerShell script.
- Insert the service principal secret into the script.
Verification
The script contains your tenant ID, client ID and secret.
Onboard Multiple Windows Servers Using PowerShell Remoting
Push the script to all Windows servers in parallel.
- Create a text file containing the server names (servers.txt).
- Run:
Invoke-Command -ComputerName (Get-Content .\servers.txt) -FilePath .\OnboardingScript.ps1
Verification
All Windows servers appear in Azure Arc → Machines.
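The same push with the trusted-hosts list limited to the names in servers.txt instead of "*", shown as an added example that is not part of the original lab. It assumes an elevated PowerShell session, restores the previous TrustedHosts value afterwards, and uses the Arc agent's himds service as a post-install check.

```powershell
# Added example, not the lab's own code. Uses servers.txt and OnboardingScript.ps1
# from the steps above; run from an elevated PowerShell session.
$servers  = Get-Content .\servers.txt | ForEach-Object Trim | Where-Object { $_ }
$previous = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

try {
    # Trust only the servers being onboarded rather than every host ("*").
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($servers -join ',') -Force

    # Push the onboarding script; unreachable servers are reported below.
    Invoke-Command -ComputerName $servers -FilePath .\OnboardingScript.ps1 `
        -ErrorAction SilentlyContinue

    # himds is the Connected Machine agent's core service. Return its status
    # as a string so it survives remoting serialization unchanged.
    $agent = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
        [string](Get-Service -Name himds -ErrorAction SilentlyContinue).Status
    }

    foreach ($s in $servers) {
        $hit = $agent | Where-Object PSComputerName -eq $s
        [pscustomobject]@{
            Server       = $s
            AgentService = if ($hit) { "$hit" } else { 'NotFound' }
        }
    }
}
finally {
    # Put the workstation's trusted-hosts list back the way it was.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$previous" -Force
}
```

A server reported as NotFound either could not be reached over WinRM or does not have the agent service installed.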
Configure SSH Key‑Based Authentication for Linux Servers
Prepare Linux servers for automated onboarding.
- Generate SSH keys on the admin workstation.
- Copy the public key to each Linux server:
cat ~/.ssh/id_rsa.pub | ssh user@servername "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
- Test passwordless SSH:
ssh user@servername
Verification
SSH connects without prompting for a password.
Generate the Azure Arc Linux Onboarding Script
Download the Linux onboarding script.
- In Azure Arc, choose Add → Script (Linux).
- Select:
  - Resource Group
  - Region
  - Public endpoint
  - Service principal
- Download the .sh script.
Verification
The script contains the correct tenant and service principal details.
Use a Wrapper Script to Onboard Linux Servers
PowerShell cannot run the Linux script directly, so use a wrapper (the one used for this lab can be viewed in the YouTube video linked in the last step of this lab).
Your wrapper script should:
- Loop through each Linux server
- Copy the onboarding script to the server
- Set execute permissions
- Run the script using sudo
- Delete the script afterwards
Run the wrapper script from the admin workstation.
Verification
All Linux servers appear in Azure Arc → Machines.
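One way to write the wrapper described above, as an added example (it is not the wrapper from the lab's video). The file names linux-servers.txt and OnboardingScript.sh, the account user, and the remote file name arc-onboard.sh are assumptions; it relies on the key-based SSH configured earlier and on that account having sudo rights.

```powershell
#Requires -Version 7.0
# Added example, not the lab author's wrapper. Assumed names: linux-servers.txt,
# OnboardingScript.sh, the account "user", and the remote file arc-onboard.sh.
param(
    [string]$ServerList = '.\linux-servers.txt',
    [string]$ScriptPath = '.\OnboardingScript.sh',
    [string]$User       = 'user'
)

# Relative remote path: the copy lands in the user's home directory, not /tmp.
$remoteFile = 'arc-onboard.sh'

# BatchMode makes a key-auth failure error out instead of waiting on a password prompt.
$sshOpts = @('-o', 'BatchMode=yes', '-o', 'ConnectTimeout=10')

# chmod 700: the script embeds the service principal secret, so owner-only access.
# rm runs whether or not onboarding succeeded; the onboarding exit code is preserved.
$remoteCmd = "chmod 700 ./$remoteFile && sudo ./$remoteFile; rc=`$?; rm -f ./$remoteFile; exit `$rc"

$servers = Get-Content $ServerList | ForEach-Object Trim | Where-Object { $_ }
$results = [System.Collections.Generic.List[object]]::new()

foreach ($server in $servers) {
    $target = "$User@$server"

    # Step 1: copy the onboarding script to the server.
    scp @sshOpts $ScriptPath "${target}:$remoteFile"
    if ($LASTEXITCODE -ne 0) {
        $results.Add([pscustomobject]@{ Server = $server; Status = 'CopyFailed'; ExitCode = $LASTEXITCODE })
        continue
    }

    # Steps 2-4: set permissions, run with sudo, delete the script.
    # -t allocates a terminal so sudo can prompt if it is not passwordless.
    ssh @sshOpts -t $target $remoteCmd
    $status = if ($LASTEXITCODE -eq 0) { 'Onboarded' } else { 'OnboardFailed' }
    $results.Add([pscustomobject]@{ Server = $server; Status = $status; ExitCode = $LASTEXITCODE })
}

$results | Format-Table -AutoSize
```

The local OnboardingScript.sh still holds the secret after the run, so remove it or clear the secret from it once all servers report Onboarded.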
Enable Windows Admin Center for Windows Servers
Manage Windows servers directly from the Azure portal.
- Assign the role Windows Admin Center Administrator Login to your admin group.
- Open any Windows Arc‑connected machine.
- Install the Windows Admin Center extension.
Verification
You can RDP, manage services, view event logs, and run PowerShell directly from the browser.
Use Azure CLI to SSH into Linux Servers
Securely access Linux servers without exposing SSH to the internet.
Instructions
- Log in to Azure CLI:
az login --tenant <tenantID>
- Connect to a Linux Arc server:
az ssh arc --resource-group rg-azure-arc --name nameofserver
Verification
You are connected to the Linux server via Azure Arc using SSH.
Conclusion
In this lab, you successfully onboarded six on‑premises servers to Azure Arc using PowerShell remoting and SSH. You configured secure access using a service principal, deployed the Arc agent to Windows and Linux servers, and used Azure tools like Windows Admin Center and Azure CLI to manage them remotely.
This solution provides a zero‑cost, secure, and flexible way to manage servers without VPNs, firewalls, or complex infrastructure, ideal for small businesses or hybrid environments.