Azure Migrate Checklist

A security boundary is a discrete segment of the estate (for example, Production, DMZ or Test). Deploy one appliance per boundary and scope its discovery to that segment.

• Appliance access: inbound TCP 3389 for RDP.
• Server discovery (Windows / Linux): outbound 443 (HTTPS) & 5985 (WinRM). Linux also requires 22 (SSH).
• Windows servers – WinRM enabled (PowerShell ≥ 2.0) and WMI accessible.
• Linux servers – SSH enabled and the following commands available so the appliance can collect application data: list, tail, awk, grep, locate, head, sed, ps, print, sort, uniq.

Depending on the OS / package manager you may also need access to: rpm, snap, dpkg, yum, apt-cache, mssql-server.

VMware: the account must have Guest Operations rights. [Microsoft guidance][L2] explains how to assign them.

Hyper-V: either:

1. An account with Administrator access on every Hyper-V host, or
2. A Local/Domain account that is a member of Remote Management Users, Hyper-V Administrators, and Performance Monitor Users.

Windows: a (local or domain) account that is a member of Local Admins (Domain Admins also works).

Linux: a sudo user able to run ls and netstat or a user with CAP_DAC_READ_SEARCH & CAP_SYS_PTRACE on /bin/netstat and /bin/ls. If you use sudo, configure NOPASSWD so the commands run non-interactively.

For full discovery the account should be a member of the sysadmin server role.

If sysadmin is not possible a least-privileged script is available in Microsoft documentation – see [SQL custom login][L3].

Focus on Software Inventory and Performance errors and remediate before continuing.