AMA doc updates (#1554)
Co-authored-by: JamJarchitect <53943045+JamJarchitect@users.noreply.github.com>
Co-authored-by: Sacha Narinx <Springstone@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Co-authored-by: Linda Karin Elsie Petersson <38290892+lvlindv@users.noreply.github.com>
Co-authored-by: brsteph <96074545+brsteph@users.noreply.github.com>
Co-authored-by: Paul Grimley <25264573+paulgrimley@users.noreply.github.com>
8 people committed Jan 31, 2024
1 parent 8d1c1e5 commit a80bb9f
Showing 7 changed files with 148 additions and 11 deletions.
43 changes: 43 additions & 0 deletions docs/wiki/ALZ-AMA-FAQ.md
@@ -0,0 +1,43 @@
## In this Section

- [What to do if you have a need for a feature that is not in AMA, not GA, and not available in an alternative solution?](#What-to-do-if-you-have-a-need-for-a-feature-that-is-not-in-AMA,-not-GA,-and-not-available-in-an-alternative-solution?)
- [Migration guidance for existing customers?](#Migration-guidance-for-existing-customers?)

- [Why do I need an User-Assigned Managed Identity?](#Why-do-I-need-a-User-Assigned-Managed-Identity?)
- [Why do I need Data Collection Rules?](#Why-do-I-need-Data-Collection-Rules?)
- [Custom Policies and Assignments](#Custom-Policies-and-Assignments)
- [MMA deprecation vs Legacy Solutions in Log Analytics Workspace](#MMA-deprecation-and-Legacy-Solutions-in-Log-Analytics-Workspace)

---

## What to do if you have a need for a feature that is not in AMA, not GA, and not available in an alternative solution?

The ALZ team will assess solutions for parity ongoing. Please review the AMA parity Gaps table [here](./ALZ-AMA-Update#table-ama-parity-status) for the latest updates and guidance.

If you have any additional questions or concerns, please do not hesitate to raise a support ticket for further assistance.

## Migration guidance for existing customers?

Currently the ALZ Portal Accelerator Deployment has been updated. Brownfield migration guidance and Bicep and Terraform updates are to follow in short-term.

## Why do I need a User-Assigned Managed Identity?

Managed identity must be enabled on Azure virtual machines, as this is required for authentication.

A user-assigned Managed identity is recommended for large-scale deployments, as you can create a user-assigned managed identity once and share it across multiple VMs, which means it's more scalable than a system-assigned managed identity. If you use a user-assigned managed identity, you must pass the managed identity details to Azure Monitor Agent via extension settings, which we do automatically through ARM/ Policy. Running the ALZ Portal Accelerator will create a User Assigned Managed Identity for each subscription that was selected.

## Why do I need Data Collection Rules?

A data collection rule (DCR) is a configuration that defines the data collection process in Azure Monitor. A DCR specifies what data should be collected and where to send that data. As part of the current deployment 3 DCRs are created to collect data for VM Insights, Change Tracking and Defender for SQL.

## Custom Policies and Assignments

Our intention is to use Built-in Policies, however there are scenarios where custom policies are deployed to provide additional flexibility. For example, Built-In policies may contain certain hardcoded default values, or assign highly privileged roles, that conflict with ALZ principles.

## MMA deprecation and Legacy Solutions in Log Analytics Workspace

It's important to highlight that while MMA deprecation is in August 2024, this doesn't necessarily impact the Legacy Solutions in Log Analytics. The following Solutions are still deployed as part of the current version:

- Sentinel: Is only deployed through ALZ, which is still achieved by deploying the Solution. We don't deploy additional configurations. Consult [AMA migration for Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate) for more information.
- Change Tracking: Aside from the solution being deployed in Log Analytics, we deploy the new components like DCRs and policies to enable Change Tracking through AMA.

85 changes: 85 additions & 0 deletions docs/wiki/ALZ-AMA-Update.md
@@ -0,0 +1,85 @@
## Introduction

### Deprecation
The Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), is on a deprecation path and won't be supported after August 31, 2024. Any new data centers brought online after January 1 2024 will not support the Log Analytics agent. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate to the new Azure Monitor agent prior to that date.

Portal Accelerator has been updated and new ALZ deployments will use AMA exclusively. We are working on bringing this update to Bicep and Terraform in the short-term. Additional Brownfield guidance for adopting AMA in existing environments will also be made available.

### Timing
The migration from MMA to AMA has been a mayor project across multiple teams within Microsoft. ALZ held off on implementing AMA up to this point to ensure that a good feature set was available across all the different solutions. While there still are a few gaps, which are detailed below, we feel that the current AMA configuration is ready to be implemented in ALZ.

## Strategy
1. Include AMA for Greenfield customers using the portal deployment.
2. Brownfield adoption guidance. This will include:
- Implementation guidance
- Breaking changes
- Cleanup guidance
- Quick reference to public documentations for migration guidance for individual solutions
3. Include AMA for Greenfield and Brownfield customers using either a Bicep or Terraform deployment.

## Table: AMA parity status


| Service | What it does | Status | Parity |
| ------------------------------------------------------------------------- | ------------------------------------ |--------|---------------|
| Agent health | Monitors agent heartbeat | Deprecating. You can query the heartbeat. AMBA already has an Alert Rule for this. | N/A|
| Sentinel | Security information and event management | Public Preview - Migrated to AMA | Windows Firewall Logs (Private preview), Application and service logs|
| Change Tracking | This feature tracks changes in virtual machines hosted in Azure, on-premises, other clouds | GA - Migrated to AMA | Parity|
| Azure Monitor --> VM Insights | Monitoring VMs | GA - Migrated to AMA | Parity |
| Update Management | Manages VM patches and updates | GA - Migrated to Azure Update Management (AUM) that does not require an agent | |
| SQL Vulnerability Assessment Solution | Helps discover, track, and remediate potential database vulnerabilities | GA - Migrated to AMA and is now part of Microsoft Defender for SQL | Parity|
| SQL Advanced Thread Protection Solution | Detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases | GA - Migrated to AMA and is now part of Microsoft Defender for SQL | Parity|
| SQL Assessment Solution | Identifies possible performance issues and evaluates that your SQL Server is configured to follow best practices. | GA - Now part of SQL best practices assessment. | Current ALZ Status 'Removed' due to LAW deployment constraint with ALZ design principles (requires LAW per subscription), ALZ team will work with relevant product team to address|
| MDfC for Servers | Provide server protections through Microsoft Defender for Endpoint or extended protection with just-in-time network access, file integrity monitoring, vulnerability assessment, and more. | GA (See parity column for detail) - Migrated to MDC (Agentless) | Features in development: FIM, Endpoint protection discovery recommendations, OS Misconfigurations (ASB recommendations). Features on backlog: Adaptive Application controls |
| MDfC for SQL Server Virtual Machines | Protect your entire database estate with attack detection and threat response for the most popular database types in Azure to protect the database engines and data types, according to their attack surface and security risks. | GA - Migrated to MDC (Agentless) | |


## Summary of changes to ALZ Code and Policies

### Removed ARM resources.
- Agent Health: Deprecated.
- Change Tracking (Automation account)
- Update Management (Automation account)
- VM Insights (Legacy solution/ MMA)
- SQL Assessment (Legacy solution)
- Sql Vulnerability Assessment (Legacy solution)
- Sql Advanced Threat Protection (Legacy solution)

### Removed Azure Policy Assignments
- PolicySetDefinition: Enable Azure Monitor for Virtual Machine Scale Sets / Legacy - Enable Azure Monitor for Virtual Machine Scale Sets
- PolicySetDefinition: Enable Azure Monitor for VMs / Legacy - Enable Azure Monitor for VMs

## New ARM Resources
- Resource group for each subscription containing User Assigned Managed Identity.
- Default name: rg-ama-prod-001
- User Assigned Managed Identity
- Name: id-ama-prod-<region>-001
- Data collection rules
- dcr-changetracking-prod-<region>-001
- dcr-defendersql-prod-<region>-001
- dcr-vminsights-prod-<region>-001

## New Custom Policy Definitions
- Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.
- Windows: /providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15
- Linux: /providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15
- Windows: /providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46
- Linux: /providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46
- Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace
- Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR
- Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
- Configure SQL Virtual Machines to automatically install Azure Monitor Agent
- Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
- Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
- Deploy User Assigned Managed Identity for VM Insights

## New Policy Assignments
- Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)
- Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)
- Enable Azure Monitor for Hybrid VMs with AMA
- Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.
- Deploy User Assigned Managed Identity for VM Insights
- Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace
- Enable Change Tracking and Inventory for Arc-enabled virtual machines
- Enable Change Tracking and Inventory for virtual machines
- Enable ChangeTracking and Inventory for virtual machine scale sets
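Review bot: the "New Custom Policy Definitions" list in ALZ-AMA-Update.md mixes built-in and custom definitions: the two `/providers/Microsoft.Authorization/policyDefinitions/<guid>` paths are tenant-wide built-in ids rather than definitions this repo deploys, and each guid is listed once under Windows and once under Linux with nothing explaining what distinguishes the `59efceea-...` pair from the `bfea026e-...` pair (the item title suggests Azure VMs versus Arc-enabled machines). Either move them to the assignments section and say what each id covers, or, if the OS split is only an assignment parameter, list each id once with that parameter. Smaller fixes: "mayor project" should be "major project" in the Timing paragraph; "SQL Advanced Thread Protection" should be "Threat" in the parity table; sibling sections jump between `###` ("Removed ARM resources.", with a stray trailing period) and `##` ("New ARM Resources"); and "Sql" in the removed-resources list is capitalised inconsistently with "SQL" elsewhere on the page.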
1 change: 1 addition & 0 deletions docs/wiki/ALZ-Deprecated-Services.md
Expand Up @@ -39,3 +39,4 @@ Policies being deprecated:
- Removed `ActivityLog` Solution as an option to be deployed into the Log Analytics Workspace, as this has been superseded by the Activity Log Insights Workbook, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights)
- Removed `Service Map` solution as an option to be deployed, as this has been superseded by VM Insights, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights) Guidance on migrating and removing the Service Map solution can be found [here.](https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-migrate-from-service-map)

- Due to Microsoft Monitor Agent (MMA) planned for deprecation (August 2024) we have started to remove MMA from our reference implementations starting with the ALZ Portal (https://aka.ms/alz/portal) and following this will start to remove MMA from Bicep and Terraform before the planned deprecation date. Please see [Fixme] link for more details.
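Review bot: the new bullet in ALZ-Deprecated-Services.md ships a placeholder link: "Please see [Fixme] link for more details." should point at the page this commit adds, e.g. `[Azure Monitor Agent Update](./ALZ-AMA-Update)`. Also "Microsoft Monitor Agent (MMA)" should be "Microsoft Monitoring Agent (MMA)" to match the other pages in this commit, and the blank line before the bullet detaches it from the rest of the "Policies being deprecated" list. Unrelated to this change but visible in the context lines: the `Service Map` bullet's "documented here" link points at the activity-log-insights page rather than a VM Insights page.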
6 changes: 4 additions & 2 deletions docs/wiki/ALZ-Policies-FAQ.md
Expand Up @@ -16,9 +16,11 @@ To view the current list of GitHub issues related to diagnostic settings, please

> **UPDATE** New built-in Diagnostic Settings policies and initiatives will be landing in early CY2024. As a heads-up we will begin deprecating all our custom diagnostic settings policies, and changing our default assignment to leverage the associated built-in initiative for Log Analytics (as the target) - additional options will include targeting Event Hubs or Storage accounts.
### Azure Monitor Agent (May 2023)
### Microsoft Monitoring Agent (MMA) Deprecation and Azure Monitor Agent (AMA) (January 2024)

Similarly, as Microsoft Monitor Agent (MMA) is on a deprecation path, Azure Monitor Agent (AMA) is the recommended replacement and there are a number of requests to support AMA specific policies. AMA is currently in preview, and we are working with the product group to ensure that the policies are updated as soon as possible. Some policies are ready, however, the initiative to activate all components is still being worked on.
Similarly, as Microsoft Monitoring Agent (MMA) is on a deprecation path (August 2024), Azure Monitor Agent (AMA) is the recommended replacement and there are a number of requests to support AMA specific policies (**NOTE**: Some features are going agentless thus not requiring an agent, see [Table: AMA parity status](./ALZ-AMA-Update#table-ama-parity-status) following link for more detail).

**Update January 2024** We have been working on the removal of MMA from ALZ and the first step in the overall removal process is to update the ALZ Portal reference implementation (greenfield deployments) which has now been updated. Our next step is to work on the deployment to Terraform and Bicep reference implementations which requires significant investment to minimise impact to existing customers and providing clear guidance for the transition. For more details please see [Azure Monitor Agent Update](./ALZ-AMA-Update.md).

### Azure Database for MariaDB (Jan 2024)

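Review bot: in ALZ-Policies-FAQ.md the rewritten sentence keeps a fragment of the old wording: "see [Table: AMA parity status](./ALZ-AMA-Update#table-ama-parity-status) following link for more detail" should drop "following link". The two links to the same page use different forms, `./ALZ-AMA-Update#...` and `./ALZ-AMA-Update.md`; the wiki pages elsewhere in this commit link without the `.md` suffix, so use that form in both places. A blank line between the `> **UPDATE**` block quote and the new `###` heading would also keep the quote from running visually into the heading.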
10 changes: 1 addition & 9 deletions docs/wiki/FAQ.md
Expand Up @@ -157,15 +157,7 @@ The Management Group Names/IDs created via the ALZ Portal Accelerator Deployment

## Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet?

Great question! Don't worry we are aware of this required migration and change to Azure landing zones with the Log Analytics Agent (Microsoft Monitoring Agent - MMA) being retired in August 2024 as detailed here: [Migrate to Azure Monitor Agent from Log Analytics agent](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-migration).

We are working hard internally with the Azure Monitor Product Group (PG) to ensure everything that Azure landing zones requires and gets from the Log Analytics Agent (Microsoft Monitoring Agent - MMA) approach today is covered and has a path for migration to the Azure Monitor Agent (AMA) approach. This has been underway for sometime and continues to progress.

The AMA agent brings a number of new concepts, resources and changes to existing integrations with other services, such as Microsoft Defender for Cloud, that all require validation by each of the associated PGs as well as the Azure landing zone team, prior to migrating to AMA from MMA.

We will, when ready, provide Azure landing zones specific migration guidance that supports existing and to be created PG documentation. We will also make the relevant changes to each of the implementation options (Portal, Bicep, Terraform) to support the migration, especially for greenfield scenarios.

> We have an existing GitHub Issue ([#1055](https://github.com/Azure/Enterprise-Scale/issues/1055)) opened for this feature request. Please feel free to give it a 👍 or add a comment.
**Update January 2024** We have been working on the removal of MMA from ALZ and the first step in the overall removal process is to update the ALZ Portal reference implementation (greenfield deployments) which has now been updated. Our next step is to work on the deployment to Terraform and Bicep reference implementations which requires significant investment to minimise impact to existing customers and providing clear guidance for the transition. For more details please see [Azure Monitor Agent Update](./ALZ-AMA-Update.md).

### What if we are not ready to make the switch and migrate, right now?

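Review bot: the FAQ.md edit removes the question's whole answer, including the link to the Microsoft migration guide (azure-monitor-agent-migration) and the pointer to issue #1055, and replaces it with a paragraph saying the Portal implementation has already been updated, so the heading "Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet?" no longer matches its answer. Consider reworking the heading to reflect the current state and keeping the migration guide link (and the issue reference, if it is still open) so readers retain the official migration documentation. The new link uses `./ALZ-AMA-Update.md` while the other pages in this commit link `./ALZ-AMA-Update` without the suffix.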
11 changes: 11 additions & 0 deletions docs/wiki/Whats-new.md
@@ -1,6 +1,7 @@
## In this Section

- [Updates](#updates)
- [AMA Update for the Portal Accelerator](#AMA-Update-for-the-Portal-Accelerator)
- [🔃 Policy Refresh Q2 FY24](#-policy-refresh-q2-fy24)
- [January 2024](#january-2024)
- [December 2023](#december-2023)
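Review bot: the new entry in the Whats-new.md "In this Section" list uses a mixed-case anchor, `#AMA-Update-for-the-Portal-Accelerator`, while the sibling entries use lowercase generated slugs (`#updates`, `#january-2024`); use `#ama-update-for-the-portal-accelerator` so it matches the heading id GitHub generates for "### AMA Update for the Portal Accelerator".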
Expand Down Expand Up @@ -38,6 +39,16 @@ This article will be updated as and when changes are made to the above and anyth

Here's what's changed in Enterprise Scale/Azure Landing Zones:

### AMA Update for the Portal Accelerator

The Azure Monitor Agent (AMA) is the new way to collect and send data to Azure Monitor. The Log Analytics agent, or the Microsoft Monitoring Agent (MMA), will no longer be supported after August 2024. To adapt to this change, the ALZ Portal Accelerator has been updated to use AMA instead of MMA.

This update currently applies to Greenfield Portal Deployment Scenarios. Brownfield guidance as well as Bicep and Terraform updates to follow in short-term.

We are happy to announce that we have added a new section in the documentation for AMA. Please visit [ALZ AMA Update](./ALZ-AMA-Update) for a detailed overview of the changes made to the ARM templates and Policies, as well as the deprecated policy assignments.

> **IMPORTANT** We've added an ALZ AMA FAQ with important information about key changes in AMA. Please read the [ALZ AMA FAQ](./ALZ-AMA-FAQ) for more information.
### 🔃 Policy Refresh Q2 FY24

Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some very important initiatives that we feel had to make it into this refresh.
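Review bot: the `> **IMPORTANT**` block quote in the new Whats-new.md section is immediately followed by the `### 🔃 Policy Refresh Q2 FY24` heading with no blank line; add one so the quote is closed before the next section starts. "Brownfield guidance as well as Bicep and Terraform updates to follow in short-term." is a sentence fragment; "will follow in the short term" reads better and matches the wording used in ALZ-AMA-Update.md.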
3 changes: 3 additions & 0 deletions docs/wiki/_Sidebar.md
Expand Up @@ -37,6 +37,9 @@
* [Policies included in Azure landing zones reference implementations](./ALZ-Policies)
* [Migrate Azure landing zones custom policies to Azure built-in policies](./Migrate-ALZ-Policies-to-Built%E2%80%90in)
* [Updating Azure landing zones custom policies to latest](./Update-ALZ-Custom-Policies-to-Latest)
* MMA Deprecation Guidance
* [Azure Monitor Agent Update](./ALZ-AMA-Update)
* [AMA FAQ](./ALZ-AMA-FAQ)
* [Contributing](./ALZ-Contribution-Guide)
* [Reporting Bugs](./ALZ-Contribution-Guide#reporting-bugs)
* [Feature Requests](./ALZ-Contribution-Guide#feature-requests)
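Review bot: the new `* MMA Deprecation Guidance` sidebar entry is the only top-level item in the visible context without a link, while its neighbours all link to a page; either link it to `./ALZ-AMA-Update` or keep it as a deliberate group label, and name the child `[AMA FAQ]` consistently with the "ALZ AMA FAQ" title used for the same page in Whats-new.md.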