Microsoft Windows Bulletin Board


Introduction

Hello everyone,

My name is Andrew Coughlin, and I am a Cloud Solutions Architect at Microsoft, specializing in Azure Infrastructure. In my role, I assist customers with utilizing Azure Migrate to transition their virtual machines from on-premises environments to Azure. Recently, I encountered an issue related to the setup of Azure Migrate, which arises when certain built-in policies are configured to deny compliance settings for storage account and key vault setup. These policies are designed to ensure that storage accounts and key vaults are deployed securely.

In this document, I will address the specific issue encountered and provide guidance on how to resolve it.

When setting up Azure Migrate, the process begins with creating a project. Once the project is established, you proceed to configure the discovery phase. There are three methods available for deploying this appliance: Hyper-V, VMware, or Physical servers. After selecting whether the servers are virtualized and identifying the platform, you will be presented with the following screens:

 

Next you will enter your appliance name and click Generate key. If you have any applicable policies:

 

If the settings are configured to "Deny," the deployment will fail, and the following message will be displayed:

 

Azure Migrate creates the following resources when you click generate key:

  • Storage Account
  • Key vault
  • Recovery Services Vault

At the time this article was written, it is not possible to customize any settings for these three resources during deployment via Azure Migrate. In the following section, we will discuss the supported method to address this issue. 

Determine which policies caused the failure (Portal)

  1. First click on the bell in the top right-hand corner.
  2. Click on Deployment validation failed.
  3. Expand the most recent validation failed operation.

NOTE: There may be multiple validation failures depending on the number of policies that denied Azure Migrate from creating the resources. Additionally, it may take several minutes for these operations to appear in the activity log.

  4. Click on any of the ‘deny’ Policy actions, then click on JSON.
  5. Scroll through the JSON until you find “policies”. Within the policies you will see which policy prevented the resources from being created. In this example, we see a policy named “[Preview] Storage account public access should be disallowed”.
  6. Review each ‘Deny’ Policy action and note which policy denied the actions.
  7. Continue to Add Policy Exception.

Determine which policies caused the failure (Using Developer Tools)

Alternatively, you may utilize the developer tools within your browser to identify which policies are obstructing the deployment.

  1. Click on Settings within the browser.
  2. Click More Tools > Click Developer Tools.
  3. Click on Network.
  4. Type the appliance name and click Generate key.
  5. Click on the validate?api-version=XXXX-XX-XX.
  6. Click Response.
  7. Copy and paste the error into a text editor of your choice to read the policies that blocked the deployment.
  8. Continue to Add Policy Exception.
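
The error copied from the validate response can be read with a short script instead of by eye. This Python sketch is an added example, not part of the original article: the sample response is constructed, its IDs are placeholders, and the field layout (nested `details`, `additionalInfo` entries of type `PolicyViolation`) is an assumption about the shape of the policy-denied error body.

```python
import json

# Constructed sample of a failed "validate" response (IDs are placeholders).
# Field layout assumes ARM's RequestDisallowedByPolicy / PolicyViolation shape.
SAMPLE_RESPONSE = json.dumps({"error": {
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment failed because of policy violation.",
    "details": [{
        "code": "RequestDisallowedByPolicy",
        "target": "examplestorage001",
        "message": "Resource 'examplestorage001' was disallowed by policy.",
        "additionalInfo": [{"type": "PolicyViolation", "info": {
            "policyDefinitionDisplayName":
                "[Preview] Storage account public access should be disallowed",
            "policyDefinitionEffect": "deny",
            "policyAssignmentId": "/subscriptions/<sub-id>/providers/"
                "Microsoft.Authorization/policyAssignments/<assignment>",
            "policyAssignmentScope": "/subscriptions/<sub-id>"}}]}]}})


def denying_policies(response_text):
    """Return one record per distinct deny policy found in the error body."""
    found = {}

    def walk(err):
        for extra in err.get("additionalInfo") or []:
            info = extra.get("info") or {}
            if extra.get("type") != "PolicyViolation":
                continue
            if str(info.get("policyDefinitionEffect", "")).lower() != "deny":
                continue  # audit-only policies do not block the deployment
            key = (info.get("policyAssignmentId"),
                   info.get("policyDefinitionDisplayName"))
            entry = found.setdefault(key, {
                "policy": info.get("policyDefinitionDisplayName"),
                "assignment_id": info.get("policyAssignmentId"),
                "assignment_scope": info.get("policyAssignmentScope"),
                "blocked_resources": []})
            if err.get("target") and err["target"] not in entry["blocked_resources"]:
                entry["blocked_resources"].append(err["target"])
        for child in err.get("details") or []:  # errors nest under "details"
            walk(child)

    walk(json.loads(response_text).get("error") or {})
    return list(found.values())


if __name__ == "__main__":
    for p in denying_policies(SAMPLE_RESPONSE):
        print(p["policy"], "->", p["assignment_id"], p["blocked_resources"])
```

Each record names one assignment that needs a temporary exclusion, together with the scope it is assigned at, which is the scope to select under Compliance in the next section.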

Add Policy Exception

We will need to temporarily add an exception to the policy. Once the discovery steps for Azure Migrate are complete, the exceptions can be removed. It is recommended to add the exception solely for the resource group where Azure Migrate is being deployed, ensuring that all other resources continue to be monitored under these policies.

  1. Click on Azure Policy.
  2. Click on Compliance, and ensure your scope is set to the level where you believe the policy is assigned.
  3. Type storage.
  4. Click on the policy for public access should be disallowed.
  5. Click View assignment.
  6. Click Edit Assignment.
  7. Click on the … next to Exclusions.
  8. Select the subscription and resource group you want to exclude this policy from.
  9. Click Add to Selected Scope.
  10. Click Save.
  11. Click Review + save.
  12. Click Save.
  13. Keep in mind that if there are multiple policies blocking this, you will need to do Steps 1 – 13 for each policy that blocked part of the creation of the resources. Once you have done this for all policies, continue to Step 14.
  14. Once finished, you can go back to the Azure Migrate – Discover page.
  15. Provide your appliance name again and click Generate.
  16. Once finished, you should receive the Deployment succeeded message. If not, you will need to repeat the above steps to find out what prevented the deployment.

 

 

Remove Policy Exception

Now let’s go ahead and remove the exceptions, as they are no longer needed once we have a successful deployment.

  1. Click on Azure Policy.
  2. Click on Compliance, and ensure your scope is set to the level where you believe the policy is assigned.
  3. Type storage.
  4. Click on the policy you want to remove the exception for.
  5. Click Edit assignment.
  6. Click on the … next to Exclusions.
  7. Select the subscription and resource group you want to remove the exclusion from.
  8. Click Remove next to the resource group.
  9. Click Review + save.
  10. Click Yes.
  11. Click Save.
  12. Once completed, you will get an updated policy assignment message.
  13. Keep in mind that if there are multiple policies blocking this, you will need to do Steps 1 – 12 for each policy that you want to remove the exception for. Once you have done this for all policies, you’re finished.

 

Conclusion

In response to inquiries about whether it is possible to pre-create the storage account, Key Vault, and Recovery Services vault, or create these resources after a failure based on the names Azure Migrate attempted to create, the short answer is that this practice is neither recommended nor supported. Pre-creating these resources may result in unexpected issues and is not advisable.

This article discussed the supported method for deploying Azure Migrate when policies are blocking the deployment of essential Azure Migrate resources. Thank you for reading this blog, and I hope it provides valuable assistance. I look forward to your next visit.
