Azure Requirements

Getting DMC connected to Azure requires three things: a Service Principal for authentication, an RBAC role assignment that controls what DMC can access, and, if you want software inventory, network dependencies, or SQL detection, guest VM access. Work through each section in order. The Service Principal is shared across all Azure scan types.

Create a Service Principal

DMC authenticates to Azure using a Service Principal (an App Registration in Microsoft Entra ID). You will enter these four values into DMC when configuring an Azure scan:

CredentialWhere to find itFormat
Tenant IDApp Registration Overview page: Directory (tenant) IDUUID
Client IDApp Registration Overview page: Application (client) IDUUID
Client SecretCertificates & secrets, created in step 4 belowString
Subscription IDSubscriptions: Overview pageUUID

Open App registrations

Sign in to the Azure Portal ↗. Navigate to Microsoft Entra ID > App registrations > New registration.

Register the application

Enter a name (for example, DMC-Scanner). Under Supported account types, select Accounts in this organizational directory only. Leave Redirect URI blank. Click Register.

Copy your Tenant ID and Client ID

On the app registration Overview page, copy both values:

  • Application (client) ID: this is the Client ID you enter into DMC
  • Directory (tenant) ID: this is the Tenant ID you enter into DMC

Create a client secret

Navigate to Certificates & secrets > New client secret. Enter a description (for example, DMC Scan Key) and set an expiry that covers your scan duration. Click Add.

Copy the secret Value immediately after creation. Azure only displays it once. If you navigate away first, you will need to delete the secret and create a new one.

Copy your Subscription ID

Navigate to Subscriptions, select the subscription you want to scan, and copy the Subscription ID from the Overview page.

Choose an RBAC role

The Service Principal needs a role assignment at the subscription or resource group level. Your choice here determines whether DMC can use Managed Run Command for guest data collection, which is the easiest and most network-friendly option.

The Recommended option (Reader + Virtual Machine Contributor) unlocks Managed Run Command, the only guest access method that requires no network connectivity to your VMs, no guest OS credentials, and no per-VM configuration. If your security team will allow it, this is the right choice.

RoleScopeEnables
ReaderSubscription or Resource Group(s)VM discovery, Azure Monitor metrics, network interfaces, Resource Inventory
Virtual Machine ContributorSubscription or Resource Group(s)Managed Run Command: guest scripts execute through the Azure control plane

With both roles assigned, DMC uses Managed Run Command for all guest data collection. This means:

  • No direct network connection from the DMC host to target VMs
  • No SSH keys, WinRM passwords, or per-VM credentials to manage
  • No WinRM setup, PowerShell remoting, or SSH configuration on VMs
  • Works with VMs in isolated networks, private VNets, or behind NSGs

The only additional requirement is a Storage SAS URI. See Set up guest VM access below.

Virtual Machine Contributor is a broad role that grants full VM management permissions. If your security team requires least-privilege access, use the Custom role tab instead.

To assign in the Azure Portal: navigate to the target Subscription (or Resource Group) > Access control (IAM) > Add role assignment. Assign each role and select your App Registration as the member.

Reader only

RoleScopeEnables
ReaderSubscription or Resource Group(s)VM discovery, Azure Monitor metrics, network interfaces, Resource Inventory

Reader-only access gives DMC everything it needs to collect VM configuration, Azure Monitor performance metrics, and Resource Inventory. Managed Run Command is not available with this role. Guest-level data (software inventory, network dependencies, SQL detection) requires direct SSH or WinRM access to each VM.

Choose this option if you have direct SSH or WinRM connectivity to your VMs and prefer not to grant Run Command permissions. See the guest VM access section below for WinRM and SSH setup.

Custom role

A custom role gives DMC exactly the permissions it needs for Managed Run Command, without the broader management permissions that come with Virtual Machine Contributor.

Open custom role creation

Navigate to your target Subscription > Access control (IAM) > Add > Add custom role.

Define the role

Enter a name (for example, DMC Scanner Role). Set Baseline permissions to Start from scratch.

Add permissions

Add the following permissions:

PermissionPurpose
*/readVM discovery, Azure Monitor metrics, network interfaces, Resource Inventory
Microsoft.Compute/virtualMachines/runCommand/actionExecute Managed Run Command on target VMs
Microsoft.Compute/virtualMachines/runCommands/readRead Run Command execution results
Microsoft.Compute/virtualMachines/runCommands/writeCreate Run Command resources during scan
Microsoft.Compute/virtualMachines/runCommands/deleteClean up Run Command resources after scan
Microsoft.Compute/disks/readRead managed disk details
Microsoft.Compute/virtualMachines/vmSizes/readLook up VM size (vCPUs, memory)
Microsoft.Network/networkInterfaces/readRead NIC and IP configuration
Microsoft.Resources/subscriptions/resourceGroups/readList and read resource groups
Microsoft.Insights/metrics/readRead Azure Monitor performance metrics
Microsoft.Authorization/permissions/readCheck RBAC permissions per resource group before scanning

Alternatively, create the role using this JSON definition (replace <your-subscription-id>):

{
  "Name": "DMC Scanner Role",
  "Description": "Allows DMC to read resources and execute Run Commands on VMs",
  "Actions": [
    "*/read",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachines/runCommands/read",
    "Microsoft.Compute/virtualMachines/runCommands/write",
    "Microsoft.Compute/virtualMachines/runCommands/delete",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/virtualMachines/vmSizes/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/metrics/read",
    "Microsoft.Authorization/permissions/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<your-subscription-id>"
  ]
}

The */read permission covers all resource types and is required for Azure Resource Inventory. If you are not running Resource Discovery scans, you can replace it with the specific permissions you need.

Assign to the Service Principal

Navigate to Access control (IAM) > Add role assignment, select the custom role, and assign it to your App Registration.

How DMC checks permissions: Before scanning, DMC queries the Azure Authorization API to check role assignments per resource group. If the Service Principal has Run Command permissions, DMC uses Managed Run Command automatically. If only Reader is assigned, guest scans fall back to direct SSH or WinRM. If neither is available, DMC collects Azure Monitor metrics and VM configuration only and marks the scan as partial.

Network requirements

The DMC host needs outbound HTTPS access to Azure APIs. Direct connectivity to VMs is only required when using WinRM or SSH. Managed Run Command routes through the Azure control plane and requires no VM network access at all.

SourceDestinationPortRequired for
DMC hostmanagement.azure.com, login.microsoftonline.com443All scan types: ARM API and authentication
DMC host<region>.metrics.monitor.azure.com443All scan types: Azure Monitor metrics
DMC host*.blob.core.windows.net443Managed Run Command only: retrieves guest script output from Azure Blob Storage
DMC hostVM private IPs5986 / 5985WinRM guest access only
DMC hostVM private IPs22SSH guest access only

Set up guest VM access

Guest VM access lets DMC collect software inventory, network dependencies, and SQL Server instances from inside each VM. If you chose Recommended above, use Managed Run Command, which requires no VM-side setup. If you chose Reader only, configure WinRM or SSH on each target VM.

If no guest access method is available, DMC collects Azure Monitor metrics and VM configuration only and marks the scan as partial.

Managed Run Command

Managed Run Command executes collection scripts on VMs through the Azure control plane. There is no inbound connection from the DMC host to the VM. Azure routes everything through the VM Agent already running on the machine.

RequirementDetails
RBACVirtual Machine Contributor role or custom role with runCommand/action. See Choose an RBAC role above.
Azure VM AgentMust be installed and running on each target VM, installed by default on all Azure Marketplace images
Storage SAS URIA container-level SAS URI for an Azure Blob Storage container, required for DMC to capture guest script output (see below)
NetworkOutbound HTTPS (port 443) from the DMC host to Azure APIs and *.blob.core.windows.net only

Why a SAS URI? The Azure Run Command API has a 4 KB stdout limit. DMC writes guest collection script output to a blob in your storage container and reads it back. The SAS URI grants write access without requiring storage account keys.

The SAS URI must be container-level (not account-level) with Read, Write, and Create permissions, and must remain valid for the full duration of the scan.

If the SAS URI does not include the Delete permission, DMC will not automatically clean up blobs after the scan. Delete the container contents manually after the scan to avoid ongoing storage costs.

To generate a SAS URI in the Azure Portal:

Create or select a storage account

Navigate to Storage accounts. Use an existing account or create one in a region accessible to the DMC host. Check the account's Networking settings to confirm the DMC host IP is not blocked.

Create a container

Navigate into the storage account > Containers > + Container. Enter a name (for example, dmc-output), set access level to Private, and click Create.

Generate the SAS token

Navigate into the container and click Shared access tokens. Set permissions to Read, Write, Create (add Delete if you want DMC to auto-clean blobs). Set the expiry to cover your scan duration. Click Generate SAS token and URL, then copy the Blob SAS URL: this is the SAS URI you enter into DMC.

Windows WinRM

DMC connects to Windows VMs via WinRM/PSRP on port 5986 (HTTPS), falling back to 5985 (HTTP). This requires direct network connectivity from the DMC host to each VM and per-VM configuration.

If your VMs are reachable through the Azure network, consider using Managed Run Command instead, which requires none of the per-VM setup described below.

Credential and group requirements

Account or groupMinimum requiredPurpose
Domain Admin or Local AdminInteractive login rightsRequired to collect system settings, software inventory, active processes, and network dependencies
Remote Management UsersGroup membershipEnables WinRM connections for remote data collection
Performance Monitor UsersGroup membershipAllows performance data collection via WMI
Performance Log UsersGroup membershipEnables performance logging access via WMI

Being a Local Admin or Domain Admin does not automatically include membership in Remote Management Users, Performance Monitor Users, or Performance Log Users. Verify group membership before running DMC. Usernames can be entered as user/domain or user@domain.com. Both formats are supported.

Enable PowerShell Remoting

Run the following commands as Administrator on each target Windows VM:

Enable PSRemoting

Enable-PSRemoting -force

Enable AllowRemoteShellAccess

Set-WSManInstance -ResourceURI winrm/config/winrs -ValueSet @{AllowRemoteShellAccess="true"}

Disable PowerShell Constrained Language Mode

DMC does not support Constrained Language Mode. Check and disable it if enabled:

Check current mode

$ExecutionContext.SessionState.LanguageMode

If the output is FullLanguage, no change is needed. If it shows ConstrainedLanguage, proceed to the next step.

Disable Constrained Language Mode

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine

Fix UAC token filtering

Even with the correct group memberships, UAC token filtering can silently block DMC from collecting data. Check and disable it if active:

Check the current setting

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy

A value of 0 (or a missing key) means filtering is active. Proceed to the next step.

Disable UAC token filtering

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

For more detail, see Remediating access issues.

Least-privilege account setup

If you prefer not to use a full admin account, the following group memberships are the minimum required:

GroupPurposeAlternative
Remote Management UsersEnables WinRM connectionsWinRMRemoteWMIUsers_
Performance Monitor UsersAllows performance data collection via WMIRequired: no alternative
Performance Log UsersEnables performance logging via WMIRequired: no alternative

For Windows Server 2008 and 2008 R2, ensure WMF 3.0 (Windows Management Framework) is installed before running DMC.

Linux SSH

DMC connects to Linux VMs via SSH on port 22. This requires direct network connectivity from the DMC host to each VM and a user account with the right permissions.

If your VMs are reachable through the Azure network, consider using Managed Run Command instead, which requires no SSH configuration, no key distribution, and no sudoers setup.

Authentication

MethodFields required
PasswordUsername and password
SSH keyUsername, private key file (RSA, Ed25519, or ECDSA), and optional passphrase

Only OpenSSH format private keys are supported. PuTTY .ppk format keys must be converted to OpenSSH format first. See Creating SSH keys for use with DMC.

Passwordless sudo requirements

The scan account needs passwordless sudo access to the following commands on each target VM:

CommandPurposeFull path
netstat or ssNetwork connection analysis/usr/bin/netstat, /usr/bin/ss
psProcess information/usr/bin/ps
lsFile system listing/usr/bin/ls

Add an entry like the following to /etc/sudoers on each target VM (replace username with your scan account):

username ALL=(ALL) NOPASSWD: /usr/bin/netstat, /usr/bin/ss, /usr/bin/ps, /usr/bin/ls

NOPASSWD is required. DMC runs commands non-interactively over SSH. Also add Defaults:username !requiretty to the sudoers file to allow remote command execution without a TTY session.

On Red Hat and some other distributions, commands may be in different paths than the defaults above. Find the correct path with command -v netstat (or the command name) and use that path in the sudoers file. Verify your configuration works without a TTY: ssh username@host sudo id

Supported guest operating systems

Azure Monitor metrics and VM configuration are collected for all VMs regardless of guest OS. Guest-level data (software inventory, network dependencies, SQL detection) requires one of the following supported operating systems:

Operating systemGuest-level support
Windows Server 2008 R2 and aboveFull: metrics, software inventory, network dependencies, SQL detection
Ubuntu 16.04 LTS and aboveFull
Red Hat Enterprise Linux 7 and aboveFull
CentOS 7 and aboveFull
SUSE Linux Enterprise Server 12 and aboveFull
© 2025 Altra Technologies