Quick Azure Arc Server Validation Using Defender Data

Introduction

Are you managing a hybrid environment and need to quickly verify which servers are onboarded to Azure Arc? Here’s a practical PowerShell script that uses Azure Resource Graph to validate Arc onboarding status using Microsoft Defender XDR for Servers data.

The Challenge

Organizations often struggle with two common challenges when validating Azure Arc server onboarding:

  1. Using the Get-AzConnectedMachine cmdlet requires prior knowledge of resource groups and subscriptions
  2. Checking servers across multiple subscriptions becomes time-consuming and complex

The Solution

By leveraging Azure Resource Graph, we can query Arc server status across all subscriptions at once. Here’s a PowerShell script that does exactly that:

<#
    =================================================================================
    DISCLAIMER:
    This script is provided "as-is" with no warranties. Usage of this script is at
    your own risk. The author is not liable for any damages or losses arising from
    using this script. Please review the full legal disclaimer at:
    https://kaidojarvemets.com/legal-disclaimer/
    =================================================================================
#>
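#Requires -Modules Az.ResourceGraph

# Server names exported from Defender; @() keeps a single-row CSV an array
$DefenderNotOnboarded = @(Import-Csv -Path ".\DefenderNotOnboarded.csv" |
    Select-Object -ExpandProperty ComputerDnsName)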

$Results = @()
$Total = $DefenderNotOnboarded.Count
$Current = 0

foreach ($Server in $DefenderNotOnboarded) {
    $Current++
    $PercentComplete = ($Current / $Total) * 100
    
    Write-Progress -Activity "Checking Arc status" -Status "$Current of $Total servers" -PercentComplete $PercentComplete
    
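    # The lookup matches on the short host name (the part before the first dot)
    $ServerShort = $Server.Split(".")[0]
    # Escape backslashes and single quotes so a CSV value cannot alter the query
    $ServerShortEscaped = $ServerShort.Replace('\', '\\').Replace("'", "\'")
    
    # Azure Resource Graph query
    $Query = @"
resources
| where type == 'microsoft.hybridcompute/machines'
| where name =~ '$ServerShortEscaped'
| project name, id
"@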

    # Execute the query
    $ArcServer = Search-AzGraph -Query $Query
    
    # A short name can match more than one Arc resource; list every ID
    $Results += [PSCustomObject]@{
        ServerName = $Server
        ServerShortName = $ServerShort
        ArcResourceId = if ($ArcServer.id) { @($ArcServer.id) -join "; " } else { "Not found in Arc" }
    }
}

Write-Progress -Activity "Checking Arc status" -Completed

$Results | Format-Table -AutoSize

# Count how many are missing (@() makes .Count reliable for zero or one match)
$MissingCount = @($Results | Where-Object { $PSItem.ArcResourceId -eq "Not found in Arc" }).Count

Write-Host "`nTotal servers missing from Arc: $MissingCount"

# Display servers missing from Arc
$Results | Where-Object { $PSItem.ArcResourceId -eq "Not found in Arc" }

How It Works

The script takes a CSV export from Microsoft Defender for Servers containing server names (the ComputerDnsName column) and uses Azure Resource Graph to query Arc status for each server, matching on the short host name, that is, the part of the DNS name before the first dot. It shows progress with a PowerShell progress bar and outputs a clear table showing which servers are found in Arc and which are missing.

Resource Graph queries are much faster than traditional cmdlets and work across all your subscriptions without additional configuration. After running the script, you’ll have a clear list of servers missing from Arc, allowing you to investigate and plan your onboarding strategy.
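
The per-server lookup can also be collapsed into one paged Resource Graph query plus a local comparison, which additionally surfaces machines that exist in Arc but are no longer connected. This is an added example, not the author's script; it assumes the same CSV and ComputerDnsName column, an authenticated Az session, an Az.ResourceGraph version whose Search-AzGraph returns Data and SkipToken, and that properties.status reads Connected for healthy machines.

```powershell
#Requires -Modules Az.ResourceGraph
# Added example, not the author's script. Assumes the same DefenderNotOnboarded.csv
# (ComputerDnsName column) and an authenticated Az session.
$Query = @"
resources
| where type == 'microsoft.hybridcompute/machines'
| project name, id, status = tostring(properties.status)
| order by id asc
"@

# Pull every Arc machine once, following the skip token past the page limit.
$ArcByName = @{}   # hashtable lookups are case-insensitive, like =~ in the query
$Page = $null
do {
    $Params = @{ Query = $Query; First = 1000 }
    if ($Page.SkipToken) { $Params.SkipToken = $Page.SkipToken }
    $Page = Search-AzGraph @Params
    foreach ($Machine in $Page.Data) {
        # The same short name can exist in several subscriptions; keep every hit.
        if (-not $ArcByName.ContainsKey($Machine.name)) {
            $ArcByName[$Machine.name] = [System.Collections.Generic.List[object]]::new()
        }
        $ArcByName[$Machine.name].Add($Machine)
    }
} while ($Page.SkipToken)

$Results = foreach ($Row in Import-Csv -Path ".\DefenderNotOnboarded.csv") {
    if ([string]::IsNullOrWhiteSpace($Row.ComputerDnsName)) { continue }  # blank row
    $Fqdn  = $Row.ComputerDnsName.Trim()
    $Short = $Fqdn.Split(".")[0]
    $Hits  = $ArcByName[$Short]
    if ($null -eq $Hits) {
        [PSCustomObject]@{ ServerName = $Fqdn; ArcStatus = "Not found in Arc"; ArcResourceId = $null }
    }
    else {
        foreach ($Hit in $Hits) {
            [PSCustomObject]@{ ServerName = $Fqdn; ArcStatus = $Hit.status; ArcResourceId = $Hit.id }
        }
    }
}

$Results | Sort-Object ArcStatus, ServerName | Format-Table -AutoSize

# A machine that exists in Arc but is not "Connected" is still a coverage gap.
$Gaps = @($Results | Where-Object { $PSItem.ArcStatus -ne "Connected" })
Write-Host "`nServers missing from Arc or not connected: $($Gaps.Count)"
```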

Conclusion

Managing hybrid environments doesn’t have to be complex. By combining Microsoft Defender data with Azure Resource Graph queries, we can quickly identify gaps in our Arc coverage without dealing with subscription-specific cmdlets. This approach saves time and provides a reliable way to ensure all servers are properly connected to Azure Arc. Next time you need to validate your Arc deployment, give this script a try – you might be surprised by what you find.

Need help with your hybrid cloud projects or Azure Arc deployment? Feel free to reach out – I’m always happy to help organizations succeed in their hybrid cloud journey. Connect with me on LinkedIn or drop me an email.
