Getting started with On-Demand Assessments
Assessments are available through the Services Hub to help you assess and optimize the availability, security, and performance of your on-premises, hybrid, and cloud Microsoft technology environments. These assessments use Microsoft Azure Log Analytics, which is designed to give you simplified IT and security management across your environment.
Note
On average, it takes two hours to initially configure your environment to run an On-Demand Assessment. After you run an assessment you can review the recommendations in Azure Log Analytics. This will provide you with a prioritized list of recommendations, categorized across six focus areas. This allows you and your team to quickly understand risk levels, the health of your environments, act to decrease risk, and improve your overall IT health.
An offline copy of the On-Demand Assessment Setup Guide may be downloaded for reference.
Use the following checklist to ensure all steps in this section are completed before moving onto the next section.
Subscription
On-Demand Assessments ingest their recommendations and supporting details into Log Analytics. The Azure Log Analytics service requires an Azure subscription owned by the organization. If there is already an Azure subscription, then a customer representative (their registered email address) with the required Azure Log Analytics access and/or Azure Subscription access will need to be invited to the Services Hub workspace by the CSAM.
If there is no Azure subscription, Microsoft will sponsor one for the customer. The ideal owner for the sponsored subscription is the main point of contact IT professional that will be working with the assessment results. There are a couple of options to have a sponsored Azure subscription provisioned.
The preferred option is to share an organizational email address to be provisioned as owner of a no-cost Azure sponsorship with the organization's CSAM. Once the Azure sponsorship is created, an email with an invitation to activate the subscription will be sent to the provided organizational email address. Activate the Azure subscription through the link provided in the email. This account will be invited to the Services Hub workspace by the CSAM.
An alternative option is to request for one directly by creating a support ticket. Refer to the Reporting Services Hub issues documentation for assistance.
Note
Customers can choose to use any Azure Subscription for this purpose as long as the user has the required Azure Subscription and/or Log Analytics role to perform the required actions. The Azure Subscription can be an EA or Pay-As-You-Go or trial azure subscriptions. Azure subscriptions created merely due to presence of Office 365 licenses cannot be used as they don't have active azure credits.
Note
No-cost sponsored Azure subscriptions requested from Services Hub Support by default have a validity of 1 year. You can read more about the subscription offer details and any request to roll over your Azure Sponsored Subscription to an EA agreement or renewal reach out to your CSAM to understand your options.
Note
If you don’t know the Azure owner or other roles of your Azure subscriptions, please follow this link: Role assignments in Azure Subscriptions.
Services Hub Registration
The user in your organization who is the Microsoft Azure subscription owner must be invited to the Services Hub workspace and complete their registration on the Services Hub. Additionally, if the assessment will include a Microsoft engineer lead delivery, then the Microsoft engineer must also be invited to the Services Hub workspace, and complete their registration on the Services Hub. Invites to the Services Hub can be initiated by your organization’s Services Administrator, existing Services Hub users, or your Microsoft representative. To enable users access to On-Demand Assessments in the Services Hub, your organization’s Services Administrator must grant these permissions by clicking the Health and Programs checkboxes in the Invite users dialog box.
CSAM tasks
The CSAM invites customer and CSA (for engineer led assessment deliveries). Log in to Services Hub using Microsoft Edge and go to agreement then Manage Users.
Add customers' email addresses and CSA with [email protected] and ensure the Health and Programs options are selected to allow the user to see the assessment tab and create a remediation plan.
Linking of the Azure Subscription and Log Analytics workspace to Services Hub workspace
Log into Services Hub with the Azure subscription owner's credentials. In the Primary Navigation, click on IT Health then select On-Demand Assessments.
Click "Pre-Configure assessments."
- Select the desired Azure subscription from the list and choose next.
Organizations that have an Azure subscription but lack the required permissions will see:
Please work with your company's Services Admin, CSAM, or Support Account Coordinator to have the customer representative with the required permissions within Azure register on Services Hub and pre-configure your assessments. Organizations without an Azure subscription refer to Azure Subscriptions to get your Microsoft sponsored subscription.
- Choose the Azure Log Analytics workspace that the assessment(s) you choose will be enabled in or use "Create New" to create a dedicated workspace for the assessment(s) if desired. Then click next.
Note
An Azure Log Analytics workspace may also be created from Azure using the steps documented in the How to Create new Azure Log Analytics Workspace from Azure article.
- At the conclusion of the linking process, click “View assessments."
Note
If you have some policy definitions set up on Subscription, make sure you have allowed Microsoft.OperationalInsights and Microsoft.OperationsManagement resource types for linking to work. Select all checkboxes under these options.
Add the Assessments in Services Hub
To configure an assessment, go to Services Hub, IT Health, and On-Demand Assessments. Browse through the assessment catalog and click "Add Assessment" to add the assessment that best fits your organization’s needs.
Select an assessment of your choice from the list of available assessments and click on "Add Assessment."
The option changes from Add Assessment to View in Azure Log Analytics. You are now all set for the next steps.
Providing Access to Azure Log Analytics workspace
Granting access to the Log Analytics workspace to Microsoft personnel is necessary for CSA led deliveries of On-Demand Assessments and must be completed by the Azure subscription owner. We recommend you add users as a Log Analytics Reader to grant @microsoft.com users access to your Azure Log Analytics workspace to view your assessments. They will not have access to your Azure subscription.
Note
This step is not required for self-consumption of assessments without CSA led delivery.
Provide access to the Log Analytics workspace by adding an account and granting access as follows: Azure Portal, then All Resources. Select the Azure Log analytics workspace linked in Linking of the Azure Subscription and Log Analytics workspace to Services Hub workspace.
Follow the steps indicated below to get to the access pane:
From the Azure Log Analytics Portal, navigate the menu and select “Access control (IAM).” In the center of the dashboard, add a role assignment by click the blue “Add” button. In the right pane, choose a Role type from the dropdown and Select a role type. Click “Save” to add the role assignment.
A. Engineer should be given Log Analytics Reader
B. CSAM optionally should be given Log Analytics Reader
If the portal doesn't let you invite the email ID you are trying to add, your Azure Active Directory Global Administrator might have blocked Invite Guest Users feature. Please refer to the below article on Invite Guest users to your Azure AD.
To learn more about On-Demand Assessments, select the "Establish Connectivity to Azure Log Analytics" article in the Table of Contents.