Deploying Azure Arc agent using PowerShell + AMA + Tagging

In this post, we take a closer look at how to deploy Azure Arc agents using PowerShell and tag them based on the Active Directory tiering level. Today we have at least 5 different ways how to get agents on our servers.


  • Administrator permissions
  • PowerShell remoting needs to be enabled
  • ConnectedMachine PowerShell module
  • Azure subscription
  • Resource Group
  • Internet connection

In this example, I’m going to connect my servers under the RG-PROD-IT-AZURE-ARC-WE Resource Group. You can create the Resource Group manually using the Azure portal or use the AZ PowerShell module.

We also query the local Active Directory during the agent installation to get the server tiering level and add the tiering as a tag.

Here is my sample Active Directory tree. I have two different servers, and both of them are under the TIER-1\Servers OU.

Tagging these serves from the Azure isn’t required directly but recommended. Tagging gives you extra information about that resource, and you can use that data in different scenarios.

Az.ConnectedMachine module installation

The first step is to install AZ.ConnectMachine PowerShell module from the PowerShell Gallery. If you already have the AZ module installed, then you don’t need to install it twice.

Azure connection

The next step is to connect Azure and change the connection context. This is only required if you have access to multiple subscriptions. If you have only one, then skip the Set-AzContext command.

Active Directory Query

This script also includes one function called Get-ADTieringLevel. I’m using the ADSISEARCHER type accelerator to query server OU. I can determine the tier level based on the OU and add it later as a resource tag.

PowerShell remote session

If you manage a bunch of servers, you don’t want to log on to every system and install the agent manually. In this example, I’m also using ToUpper() method because otherwise, the server names end up with lower letters in the Azure portal.

Agent installation

So now that we have the remote session up and running, we can gather the information from AD and run the Connect-AzConnectMachine cmdlet to do the onboarding.

You should the following out:

Session removal

After successful onboarding, we can remove the remote session.

Enable Azure Monitor Agent extension

The final step is to enable the new Azure Monitor Agent. This command takes a few minutes to run.

You should see the following output

If everything worked correctly, then from the Azure portal you see the following object and information.

Download the full script from here – AzureArc/Remote-AzureArcOnBoardingV2.ps1 at main · Kaidja/AzureArc (

Create Data Collection Rules for Azure Sentinel
Need more information?
Need more information?
  • This field is for validation purposes and should be left unchanged.