How to disable Azure Auto-Provision of Microsoft Monitor Agent to a specific resource or resource group?

Hello,

We currently have a conflict with SCOM 2019, which uses a specific version of MMA, and Azure Auto-provisioning, which pushes an updated version. Microsoft's recommendation is to disable Auto-provisioning to those resources, but after many back and forth with Microsoft support, they don't seem to have any idea how to do just that, so I turn to the community.

The source of the auto-provisioning is Log Analytics, this can be found in Microsoft Defender for Cloud -> Environment Settings -> At the subscription level, under Cloud Workload Protection -> Servers -> Settings. Having Log Analytics Agent enabled turns on auto-provisioning for Log Analytics for all resources in that subscription, this causes MMA to be installed and updated automatically.

We don't want to turn off this feature because this works great for our 100s of other resources, but for two specific cases, it needs to be turned off, and we can't figure out how.

When you enable monitoring, a policy is created, which checks among other things that MMA is installed and updated, but it is set to "AuditIfNotExit", nothing more. We tried adding the resource as an exemption to this policy, but it didn't do anything.

We're trying to find the mechanism by which Azure Auto-Provisioning for Log Analytics work, and how to add an exemption for two specific machines as it would already be mitigated.

Thank you for your time!