Introduction
When Arc servers get onboarded, you control what tags are applied during the provisioning command. But operational details like maintenance windows, backup schedules, or environment classifications might not be known yet - and those missing tags may never get added later. A server without a maintenance window tag doesn't get patched. Missing backup schedule tags mean no backups. Forgot the environment tag? Your automation doesn't know if it's production or development.
This automated tag validation solution discovers which Arc servers are missing required operational tags and creates Microsoft Sentinel incidents so your team can fix them before operations break.

Figure: Microsoft Sentinel incident showing 6 Arc servers with missing operational tags such as maintenance window, environment, and cost center.
Solution Overview
This Azure Arc tag validation solution uses Azure Resource Graph to discover all Arc-enabled Windows servers, validates them against your required tag list, and creates a single Microsoft Sentinel incident summarizing missing tags.
Technology Integration
- Azure Automation - PowerShell runbook with managed identity authentication
- Azure Resource Graph - Fast cross-subscription Arc server discovery
- Microsoft Sentinel - Centralized incident management for missing tags
- Azure RBAC - Secure permissions for Arc server discovery and Sentinel integration
The solution runs on a schedule, discovers all Azure Arc Windows servers across your tenant, validates required tags, and creates detailed reports directly in your security operations workflow.
Architecture & Automation Flow
The tag validation follows a four-step automated process:
- Discovery Phase - Azure Resource Graph queries all Arc Windows servers, with pagination support for large result sets
- Validation Phase - Each server is evaluated against a configurable list of required tags
- Incident Creation - A single Sentinel incident is created with the summary information
- Detailed Reporting - An HTML table with the per-server missing tag details is added as an incident comment
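The four steps above as one compact PowerShell runbook, added here as an example and not the solution's own script. The required tag list, resource group and workspace names are placeholders, and it assumes the Az.Accounts, Az.ResourceGraph and Az.SecurityInsights modules are imported into the Automation Account and that the managed identity holds Reader on the subscriptions and Microsoft Sentinel Contributor on the workspace.

```powershell
# Added example, not the solution's own runbook. Assumes Az.Accounts, Az.ResourceGraph and
# Az.SecurityInsights are imported into the Automation Account, and that the managed identity
# holds Reader on the subscriptions and Microsoft Sentinel Contributor on the workspace.
$RequiredTags  = @('MaintenanceWindow', 'BackupSchedule', 'Environment', 'CostCenter')  # configurable
$ResourceGroup = 'rg-sentinel-PLACEHOLDER'   # placeholder: Sentinel workspace resource group
$Workspace     = 'law-sentinel-PLACEHOLDER'  # placeholder: Log Analytics workspace name
# Validation step (pure): returns the required tags that are absent or whitespace-only.
# Azure tag names are case-insensitive, so compare on lower-cased keys.
function Get-MissingTags {
    param([hashtable]$Tags, [string[]]$Required)
    $present = @{}
    foreach ($k in $Tags.Keys) { $present[$k.ToLowerInvariant()] = $Tags[$k] }
    @($Required | Where-Object { [string]::IsNullOrWhiteSpace($present[$_.ToLowerInvariant()]) })
}
# Resource Graph returns tags as a nested object; flatten it to a hashtable for validation.
function ConvertTo-TagTable {
    param($Tags)
    if ($Tags -is [hashtable]) { return $Tags }
    $table = @{}
    if ($Tags) { foreach ($p in $Tags.PSObject.Properties) { $table[$p.Name] = $p.Value } }
    $table
}
Connect-AzAccount -Identity | Out-Null
# Discovery step: page through all Arc-enabled Windows machines tenant-wide via the skip token.
$query = "resources | where type =~ 'microsoft.hybridcompute/machines' " +
         "and properties.osType =~ 'windows' | project name, id, tags"
$servers = @(); $skip = $null
do {
    $graphParams = @{ Query = $query; First = 1000; UseTenantScope = $true }
    if ($skip) { $graphParams.SkipToken = $skip }
    $page = Search-AzGraph @graphParams
    $servers += $page
    $skip = $page.SkipToken
} while ($skip)
# Validation step: one row per non-compliant server.
$rows = @(foreach ($s in $servers) {
    $missing = Get-MissingTags -Tags (ConvertTo-TagTable $s.tags) -Required $RequiredTags
    if ($missing.Count) { [pscustomobject]@{ Server = $s.name; MissingTags = ($missing -join ', ') } }
})
if ($rows.Count -eq 0) { Write-Output 'All Arc Windows servers carry the required tags.'; return }
# Incident step: one incident per scan, with the per-server detail attached as an HTML comment.
$incident = New-AzSentinelIncident -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace `
    -Id ([guid]::NewGuid().ToString()) -Title "Arc servers missing operational tags ($($rows.Count))" `
    -Severity Medium -Status New -Description "Required tags: $($RequiredTags -join ', ')"
$html = ($rows | ConvertTo-Html -Fragment -Property Server, MissingTags) -join "`n"
New-AzSentinelIncidentComment -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace `
    -IncidentId $incident.Name -Message $html | Out-Null
```

Get-MissingTags treats a tag whose value is empty or whitespace the same as an absent tag, which is the case the validation phase above calls out; a server with no tags at all yields every required tag as missing.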
Key Features
🔍 Arc Server Discovery
Automatically discovers all Azure Arc-enabled Windows servers across subscriptions using Azure Resource Graph with pagination support for large environments.
✅ Tag Validation
Validates that each configurable required tag is present and has a non-empty value, and reports the missing or empty tags in detail.
🚨 Centralized Incident Management
Creates a single Microsoft Sentinel incident per validation scan, with a detailed HTML summary and actionable remediation guidance.
🤖 Automation Integration
PowerShell runbook execution with system-assigned managed identity, scheduled runs, and integration with existing automation workflows.
Technical Requirements
Azure Infrastructure
- Azure Automation Account with managed identity enabled
- Azure Arc-enabled Windows servers to monitor
- Microsoft Sentinel workspace for incident management
- PowerShell 7 runtime environment in Automation Account
What You Get
Complete solution package ready for deployment in your environment:
- PowerShell automation script for Arc server discovery and validation
- Azure Automation runbook with scheduled execution
- Microsoft Sentinel integration for incident management
- Step-by-step deployment guide with screenshots
Complete Implementation Guide
The full Azure Arc tag compliance solution includes:
- Complete Azure Automation Account setup with managed identity
- Custom RBAC role definitions and permission assignments
- PowerShell runbook script with configurable tag validation
- Microsoft Sentinel workspace integration configuration
- Automation variables setup and scheduling configuration
- PowerShell debugging steps and common error fixes
- HTML incident reporting templates and customization options