Azure Requirements
Getting DMC connected to Azure requires three things: a Service Principal for authentication, an RBAC role assignment that controls what DMC can access, and, if you want software inventory, network dependencies, or SQL detection, guest VM access. Work through each section in order. The Service Principal is shared across all Azure scan types.
Create a Service Principal¶
DMC authenticates to Azure using a Service Principal (an App Registration in Microsoft Entra ID). You will enter these four values into DMC when configuring an Azure scan:
| Credential | Where to find it | Format |
|---|---|---|
| Tenant ID | App Registration Overview page: Directory (tenant) ID | UUID |
| Client ID | App Registration Overview page: Application (client) ID | UUID |
| Client Secret | Certificates & secrets, created in step 4 below | String |
| Subscription ID | Subscriptions: Overview page | UUID |
Open App registrations¶
Sign in to the Azure Portal ↗. Navigate to Microsoft Entra ID > App registrations > New registration.
Register the application¶
Enter a name (for example, DMC-Scanner). Under Supported account types, select Accounts in this organizational directory only. Leave Redirect URI blank. Click Register.
Copy your Tenant ID and Client ID¶
On the app registration Overview page, copy both values:
- Application (client) ID: this is the Client ID you enter into DMC
- Directory (tenant) ID: this is the Tenant ID you enter into DMC
Create a client secret¶
Navigate to Certificates & secrets > New client secret. Enter a description (for example, DMC Scan Key) and set an expiry that covers your scan duration. Click Add.
Copy the secret Value immediately after creation. Azure only displays it once. If you navigate away first, you will need to delete the secret and create a new one.
Copy your Subscription ID¶
Navigate to Subscriptions, select the subscription you want to scan, and copy the Subscription ID from the Overview page.
Choose an RBAC role¶
The Service Principal needs a role assignment at the subscription or resource group level. Your choice here determines whether DMC can use Managed Run Command for guest data collection, which is the easiest and most network-friendly option.
The Recommended option (Reader + Virtual Machine Contributor) unlocks Managed Run Command, the only guest access method that requires no network connectivity to your VMs, no guest OS credentials, and no per-VM configuration. If your security team will allow it, this is the right choice.
Reader + Virtual Machine Contributor¶
| Role | Scope | Enables |
|---|---|---|
Reader | Subscription or Resource Group(s) | VM discovery, Azure Monitor metrics, network interfaces, Resource Inventory |
Virtual Machine Contributor | Subscription or Resource Group(s) | Managed Run Command: guest scripts execute through the Azure control plane |
With both roles assigned, DMC uses Managed Run Command for all guest data collection. This means:
- No direct network connection from the DMC host to target VMs
- No SSH keys, WinRM passwords, or per-VM credentials to manage
- No WinRM setup, PowerShell remoting, or SSH configuration on VMs
- Works with VMs in isolated networks, private VNets, or behind NSGs
The only additional requirement is a Storage SAS URI. See Set up guest VM access below.
Virtual Machine Contributor is a broad role that grants full VM management permissions. If your security team requires least-privilege access, use the Custom role tab instead.
To assign in the Azure Portal: navigate to the target Subscription (or Resource Group) > Access control (IAM) > Add role assignment. Assign each role and select your App Registration as the member.
Reader only¶
| Role | Scope | Enables |
|---|---|---|
Reader | Subscription or Resource Group(s) | VM discovery, Azure Monitor metrics, network interfaces, Resource Inventory |
Reader-only access gives DMC everything it needs to collect VM configuration, Azure Monitor performance metrics, and Resource Inventory. Managed Run Command is not available with this role. Guest-level data (software inventory, network dependencies, SQL detection) requires direct SSH or WinRM access to each VM.
Choose this option if you have direct SSH or WinRM connectivity to your VMs and prefer not to grant Run Command permissions. See the guest VM access section below for WinRM and SSH setup.
Custom role¶
A custom role gives DMC exactly the permissions it needs for Managed Run Command, without the broader management permissions that come with Virtual Machine Contributor.
Open custom role creation¶
Navigate to your target Subscription > Access control (IAM) > Add > Add custom role.
Define the role¶
Enter a name (for example, DMC Scanner Role). Set Baseline permissions to Start from scratch.
Add permissions¶
Add the following permissions:
| Permission | Purpose |
|---|---|
*/read | VM discovery, Azure Monitor metrics, network interfaces, Resource Inventory |
Microsoft.Compute/virtualMachines/runCommand/action | Execute Managed Run Command on target VMs |
Microsoft.Compute/virtualMachines/runCommands/read | Read Run Command execution results |
Microsoft.Compute/virtualMachines/runCommands/write | Create Run Command resources during scan |
Microsoft.Compute/virtualMachines/runCommands/delete | Clean up Run Command resources after scan |
Microsoft.Compute/disks/read | Read managed disk details |
Microsoft.Compute/virtualMachines/vmSizes/read | Look up VM size (vCPUs, memory) |
Microsoft.Network/networkInterfaces/read | Read NIC and IP configuration |
Microsoft.Resources/subscriptions/resourceGroups/read | List and read resource groups |
Microsoft.Insights/metrics/read | Read Azure Monitor performance metrics |
Microsoft.Authorization/permissions/read | Check RBAC permissions per resource group before scanning |
Alternatively, create the role using this JSON definition (replace <your-subscription-id>):
{
"Name": "DMC Scanner Role",
"Description": "Allows DMC to read resources and execute Run Commands on VMs",
"Actions": [
"*/read",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/runCommands/write",
"Microsoft.Compute/virtualMachines/runCommands/delete",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/metrics/read",
"Microsoft.Authorization/permissions/read"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
]
}The */read permission covers all resource types and is required for Azure Resource Inventory. If you are not running Resource Discovery scans, you can replace it with the specific permissions you need.
Assign to the Service Principal¶
Navigate to Access control (IAM) > Add role assignment, select the custom role, and assign it to your App Registration.
How DMC checks permissions: Before scanning, DMC queries the Azure Authorization API to check role assignments per resource group. If the Service Principal has Run Command permissions, DMC uses Managed Run Command automatically. If only Reader is assigned, guest scans fall back to direct SSH or WinRM. If neither is available, DMC collects Azure Monitor metrics and VM configuration only and marks the scan as partial.
Network requirements¶
The DMC host needs outbound HTTPS access to Azure APIs. Direct connectivity to VMs is only required when using WinRM or SSH. Managed Run Command routes through the Azure control plane and requires no VM network access at all.
| Source | Destination | Port | Required for |
|---|---|---|---|
| DMC host | management.azure.com, login.microsoftonline.com | 443 | All scan types: ARM API and authentication |
| DMC host | <region>.metrics.monitor.azure.com | 443 | All scan types: Azure Monitor metrics |
| DMC host | *.blob.core.windows.net | 443 | Managed Run Command only: retrieves guest script output from Azure Blob Storage |
| DMC host | VM private IPs | 5986 / 5985 | WinRM guest access only |
| DMC host | VM private IPs | 22 | SSH guest access only |
Set up guest VM access¶
Guest VM access lets DMC collect software inventory, network dependencies, and SQL Server instances from inside each VM. If you chose Recommended above, use Managed Run Command, which requires no VM-side setup. If you chose Reader only, configure WinRM or SSH on each target VM.
If no guest access method is available, DMC collects Azure Monitor metrics and VM configuration only and marks the scan as partial.
Managed Run Command¶
Managed Run Command executes collection scripts on VMs through the Azure control plane. There is no inbound connection from the DMC host to the VM. Azure routes everything through the VM Agent already running on the machine.
| Requirement | Details |
|---|---|
| RBAC | Virtual Machine Contributor role or custom role with runCommand/action. See Choose an RBAC role above. |
| Azure VM Agent | Must be installed and running on each target VM, installed by default on all Azure Marketplace images |
| Storage SAS URI | A container-level SAS URI for an Azure Blob Storage container, required for DMC to capture guest script output (see below) |
| Network | Outbound HTTPS (port 443) from the DMC host to Azure APIs and *.blob.core.windows.net only |
Why a SAS URI? The Azure Run Command API has a 4 KB stdout limit. DMC writes guest collection script output to a blob in your storage container and reads it back. The SAS URI grants write access without requiring storage account keys.
The SAS URI must be container-level (not account-level) with Read, Write, and Create permissions, and must remain valid for the full duration of the scan.
If the SAS URI does not include the Delete permission, DMC will not automatically clean up blobs after the scan. Delete the container contents manually after the scan to avoid ongoing storage costs.
To generate a SAS URI in the Azure Portal:
Create or select a storage account¶
Navigate to Storage accounts. Use an existing account or create one in a region accessible to the DMC host. Check the account's Networking settings to confirm the DMC host IP is not blocked.
Create a container¶
Navigate into the storage account > Containers > + Container. Enter a name (for example, dmc-output), set access level to Private, and click Create.
Generate the SAS token¶
Navigate into the container and click Shared access tokens. Set permissions to Read, Write, Create (add Delete if you want DMC to auto-clean blobs). Set the expiry to cover your scan duration. Click Generate SAS token and URL, then copy the Blob SAS URL: this is the SAS URI you enter into DMC.
Windows WinRM¶
DMC connects to Windows VMs via WinRM/PSRP on port 5986 (HTTPS), falling back to 5985 (HTTP). This requires direct network connectivity from the DMC host to each VM and per-VM configuration.
If your VMs are reachable through the Azure network, consider using Managed Run Command instead, which requires none of the per-VM setup described below.
Credential and group requirements
| Account or group | Minimum required | Purpose |
|---|---|---|
| Domain Admin or Local Admin | Interactive login rights | Required to collect system settings, software inventory, active processes, and network dependencies |
| Remote Management Users | Group membership | Enables WinRM connections for remote data collection |
| Performance Monitor Users | Group membership | Allows performance data collection via WMI |
| Performance Log Users | Group membership | Enables performance logging access via WMI |
Being a Local Admin or Domain Admin does not automatically include membership in Remote Management Users, Performance Monitor Users, or Performance Log Users. Verify group membership before running DMC. Usernames can be entered as user/domain or user@domain.com. Both formats are supported.
Enable PowerShell Remoting
Run the following commands as Administrator on each target Windows VM:
Enable PSRemoting¶
Enable-PSRemoting -forceEnable AllowRemoteShellAccess¶
Set-WSManInstance -ResourceURI winrm/config/winrs -ValueSet @{AllowRemoteShellAccess="true"}Disable PowerShell Constrained Language Mode
DMC does not support Constrained Language Mode. Check and disable it if enabled:
Check current mode¶
$ExecutionContext.SessionState.LanguageModeIf the output is FullLanguage, no change is needed. If it shows ConstrainedLanguage, proceed to the next step.
Disable Constrained Language Mode¶
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachineFix UAC token filtering
Even with the correct group memberships, UAC token filtering can silently block DMC from collecting data. Check and disable it if active:
Check the current setting¶
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicyA value of 0 (or a missing key) means filtering is active. Proceed to the next step.
Disable UAC token filtering¶
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /fFor more detail, see Remediating access issues.
Least-privilege account setup
If you prefer not to use a full admin account, the following group memberships are the minimum required:
| Group | Purpose | Alternative |
|---|---|---|
| Remote Management Users | Enables WinRM connections | WinRMRemoteWMIUsers_ |
| Performance Monitor Users | Allows performance data collection via WMI | Required: no alternative |
| Performance Log Users | Enables performance logging via WMI | Required: no alternative |
For Windows Server 2008 and 2008 R2, ensure WMF 3.0 (Windows Management Framework) is installed before running DMC.
Linux SSH¶
DMC connects to Linux VMs via SSH on port 22. This requires direct network connectivity from the DMC host to each VM and a user account with the right permissions.
If your VMs are reachable through the Azure network, consider using Managed Run Command instead, which requires no SSH configuration, no key distribution, and no sudoers setup.
Authentication
| Method | Fields required |
|---|---|
| Password | Username and password |
| SSH key | Username, private key file (RSA, Ed25519, or ECDSA), and optional passphrase |
Only OpenSSH format private keys are supported. PuTTY .ppk format keys must be converted to OpenSSH format first. See Creating SSH keys for use with DMC.
Passwordless sudo requirements
The scan account needs passwordless sudo access to the following commands on each target VM:
| Command | Purpose | Full path |
|---|---|---|
netstat or ss | Network connection analysis | /usr/bin/netstat, /usr/bin/ss |
ps | Process information | /usr/bin/ps |
ls | File system listing | /usr/bin/ls |
Add an entry like the following to /etc/sudoers on each target VM (replace username with your scan account):
username ALL=(ALL) NOPASSWD: /usr/bin/netstat, /usr/bin/ss, /usr/bin/ps, /usr/bin/lsNOPASSWD is required. DMC runs commands non-interactively over SSH. Also add Defaults:username !requiretty to the sudoers file to allow remote command execution without a TTY session.
On Red Hat and some other distributions, commands may be in different paths than the defaults above. Find the correct path with command -v netstat (or the command name) and use that path in the sudoers file. Verify your configuration works without a TTY: ssh username@host sudo id
Supported guest operating systems¶
Azure Monitor metrics and VM configuration are collected for all VMs regardless of guest OS. Guest-level data (software inventory, network dependencies, SQL detection) requires one of the following supported operating systems:
| Operating system | Guest-level support |
|---|---|
| Windows Server 2008 R2 and above | Full: metrics, software inventory, network dependencies, SQL detection |
| Ubuntu 16.04 LTS and above | Full |
| Red Hat Enterprise Linux 7 and above | Full |
| CentOS 7 and above | Full |
| SUSE Linux Enterprise Server 12 and above | Full |

