mutemwamasheke details the new support for System Assigned Identities to enable secure, private access to configuration packages in Azure Machine Configuration, making it easier to manage and secure VMs and Arc-enabled servers.

System-Assigned Identity-based Access for Azure Machine Configuration Packages – GA on both Azure and Arc!

Azure Machine Configuration now supports System Assigned Identities for secure, private access to configuration packages stored in Azure Storage. This simplifies access management and enhances security for both Azure and Arc-enabled servers, superseding the previous reliance on Shared Access Signature (SAS) Tokens.

Background

Azure Machine Configuration (formerly Azure Policy Guest Configuration) allows at-scale auditing and configuration of OS, application, and workload settings across Azure and hybrid environments. This update improves the security model by letting VMs or Arc-enabled machines use their own system-assigned identities to fetch configuration packages from Azure Storage securely.

What’s New?

  • System Assigned Identity Support:
    • Custom policy definitions can now use the system-assigned identity of a VM or Arc-enabled server.
    • Machines with proper identity and Azure Storage Blob Data Reader permissions can access configuration packages privately.
    • No more requirement for SAS tokens—enabling tighter storage account access controls.
    • Feature is available across both Azure and Arc machines.
  • User Assigned Identity: Remains supported as an option for managed access.

Getting Started

To enable this feature:

  1. Deploy the Machine Configuration Extension:
  2. Enable System Assigned Identity:
  3. Use the Latest Guest Configuration PowerShell Module:
    • Install at least version 4.10.0 of the GuestConfiguration module.
    • Author policies with managed identities.
  4. Develop and Upload Your Custom Package:
  5. Author Policy Definitions:
    • Use New-GuestConfigurationPolicy @PolicyConfig -UseSystemAssignedIdentity for system identity support.
    • Example PowerShell configuration:

      # Splatting table for New-GuestConfigurationPolicy; every value here is a placeholder.
      $PolicyConfig = @{
        PolicyId         = '_My GUID_'                       # stable GUID for this policy definition
        ContentUri       = 'https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip'
        DisplayName      = 'My deployment policy'
        Description      = 'My deployment policy'
        Path             = './policies/deployIfNotExists.json' # where the generated definition is written
        Platform         = 'Windows'
        PolicyVersion    = '1.0.0'                             # must be a string, not a bare 1.0.0
        Mode             = 'ApplyAndAutoCorrect'
        LocalContentPath = 'C:\Local\Path\To\Package'          # local copy used to compute contentHash
      }
      # -UseSystemAssignedIdentity emits "contentManagedIdentity": "system" in the definition,
      # so the machine fetches ContentUri with its own identity instead of a SAS token.
      New-GuestConfigurationPolicy @PolicyConfig -UseSystemAssignedIdentity
      
    • Example policy definition metadata:

      "metadata": {
        "category": "Guest Configuration",
        "version": "1.0.0",
        "requiredProviders": [ "Microsoft.GuestConfiguration" ],
        "guestConfiguration": {
          "name": "TimeZone",
          "version": "1.0.0",
          "contentType": "Custom",
          "contentUri": "https://yourstorageaccount.blob.core.windows.net/yourcontainer/package.zip",
          "contentHash": "HASHVALUE",
          "contentManagedIdentity": "system"
        }
      }
      
    • Upload using New-AzPolicyDefinition in PowerShell.
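The storage-side half of step 2 and step 5, as an added example that is not part of the original post: give the VM's system-assigned identity read access to just the package container, then close the shared-key and anonymous paths that SAS-based fetching relied on. Resource group, VM, storage account and container names are assumed placeholders (the last two match the ContentUri above); Arc-enabled servers already carry a system-assigned identity, so only the role assignment and storage steps apply to them.

```powershell
# Added example (not from the original post). Assumed placeholder names:
$rg        = 'rg-config'
$vmName    = 'vm-web01'
$saName    = 'yourstorageaccount'
$container = 'yourcontainer'

# 1. Turn on the VM's system-assigned identity (Azure VMs only; Arc-enabled
#    servers get one automatically when connected).
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
if ($vm.Identity.Type -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
}
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

# 2. Grant read-only data access scoped to the single container holding the
#    package, not to the whole storage account (least privilege).
$sa    = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$scope = "$($sa.Id)/blobServices/default/containers/$container"
$role  = 'Storage Blob Data Reader'
if (-not (Get-AzRoleAssignment -ObjectId $principalId -Scope $scope `
              -RoleDefinitionName $role -ErrorAction SilentlyContinue)) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope | Out-Null
}

# 3. With no SAS tokens in play, disable shared-key authorization (which is
#    what SAS tokens are signed with) and anonymous blob access. Confirm first
#    that nothing else on this account still depends on shared keys.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -AllowSharedKeyAccess $false -AllowBlobPublicAccess $false | Out-Null

# 4. Report the end state before publishing the policy definition.
[pscustomobject]@{
    PrincipalId      = $principalId
    RoleAssigned     = [bool](Get-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionName $role)
    SharedKeyAllowed = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).AllowSharedKeyAccess
    PublicBlobAccess = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).AllowBlobPublicAccess
}
```

Role assignments can take a minute or two to propagate, so a package fetch attempted immediately after step 2 may still fail with a 403 before succeeding on the next agent cycle.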

Feature Limitations

  • Guest Configuration Agent: Requires version 1.29.98.0+ (Windows), 1.26.93.0+ (Linux)
  • API Version: Policy definition must use Azure Policy API version 2024-04-05 or later
  • Billing: Azure Arc servers incur a $6/server/month charge (waived under certain conditions—see documentation)
*Updated Aug 21, 2025 Author: mutemwamasheke*

This post appeared first on “Microsoft Tech Community”.