Microsoft Engage Center (Services Hub) Assessments

  • Article

Assessments are available through the Microsoft Engage Center to help you assess and optimize the availability, security, and performance of your on-premises, hybrid, and cloud Microsoft technology environments. These assessments use Microsoft Azure Log Analytics, which is designed to give you simplified IT and security management across your environment.

Access assessments

To gain access to assessments, a CSM needs to assign the "Assessment User" role to a Microsoft Entra Group.

Get started with assessments

For more information, see Get Started with On-Demand Assessments.

Azure subscriptions

On-Demand Assessments ingest their recommendations and supporting details into Azure Log Analytics. The Azure Log Analytics service requires your organization to own an Azure subscription.

If your organization currently has an Azure subscription, your CSAM needs to invite a customer representative with the required Azure Log Analytics access and/or Azure Subscription access needs to be invited to the Microsoft Engage Center.

Provide access to Microsoft Engage Center

Your organization's Microsoft Azure subscription owner must:

  • Be added to Microsoft Engage Center
  • Complete their registration on Microsoft Engage Center

Users can gain access to Services Hub in two ways:

For more information on user access, see Quick Start for General Users.

Provide access to Azure Log Analytics workspace

Granting Microsoft personnel access to your Log Analytics workspace is necessary for CSA-led deliveries of On-Demand Assessments. Your Azure subscription owner needs to provide the access.

When granting @microsoft.com users access to your Azure Log Analytics workspace, we recommend you add users as a Log Analytics Reader. They won't have access to your Azure subscription.

Note

This step is not required for self-consumption of assessments without CSA-led delivery.

To provide access to the Log Analytics workspace, add an account and grant access to Azure Portal, then to All Resources. Select the Azure Log analytics workspace you linked by when you followed the steps in Create a New Azure Log Analytics Workspace from Azure.

To navigate to the access pane:

  1. Go to the Azure Log Analytics portal. Navigate to the menu, then select "Access control (IAM)".

  2. Add a role assignment by selecting the blue "Add" button in the center of your dashboard.

  3. In the right-hand pane, choose Role type from the dropdown and select a role type.

  4. Select "Save" to add the role assignment.

    The Microsoft Azure portal showing selectable role types.

    The On-Demand Assessments - Access Control (IAM) view.

You should give Engineers (and optionally CSAMs) the Log Analytics Reader role.

If the portal doesn't let you invite the email ID you're trying to add, your Azure Active Directory Global Administrator might have blocked the Invite Guest Users feature. For more information, see Invite Guest users to your Azure AD.

How assessments work

When you select the Assessment link on the Microsoft Engage Center home page, it redirects you to the Services Hub Connector Page in the Azure portal.

Create a new Services Hub Connector

To create a Services Hub Connector:

  1. In the Subscription dropdown, select your subscription. You must have already registered the "Microsoft ServicesHub" Resource Provider for the subscription you select.

  2. In the Resource Group dropdown, select a Resource Group.

  3. In the Region dropdown, select the appropriate region.

  4. In the Connector name field, enter a name for your new Connector resource.

  5. For Agreement Type, select "MCA".

    The Create Services Hub Connector view displaying the Basics tab.

Complete the Log Analytics tab

Completing the Log Analytics tab connects your Microsoft Engage Center Space to your Log Analytics workspace. It also allows you to run On-Demand Assessments.

The Create Services Hub Connector view displaying the Log analytics tab.

  1. In the Log analytics workspace subscription dropdown, select the subscription your Log Analytics workspace exists under.

  2. In the Log analytics workspace dropdown, select your Log Analytics workspace.

Add tags (optional)

Tags are typically used for resource organization and allow you to assign arbitrary metadata to your Azure resources. You can assign tags while creating your Services Hub Connector or assign them later on.

Review and create your Connector

  1. Review the your Services Hub Connector resource's details.

  2. If everything appears correct, select "Create" to create your new Services Hub Connector.

    The Create Services Hub Connector view displaying the Review + create tab.

When you select "Create" to create a new Services Hub Connector, you are redirected to a Deployment Status page. Wait for the deployment to finish. Once it completes:

  1. Select the "Go to resource" button.

    A deployment status page where deployment is complete.

    The "Go to resource" button takes you to the Overview page for your new Services Hub Connector resource.

  2. Select the "On-Demand Assessments" menu item.

    The On-Demand Assessments Services Hub Connector view.

    The AMATesting On-Demand Assessments view.

Azure Role Requirements

The minimum roles required to perform all required operations are Services Hub Operator and Log Analytics Contributor.

You can apply these roles at the subcription or resource group level. Users with these roles can create a new Services Hub Connector and perform all other related operations.

The following sections list operation-specific reqirements.

Create new Connector

  • Owner, Contributor, or Services Hub Operator on Subscription

    AND

  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource (this dropdown is optional during creation; if you choose to not select a Log Analytics workspace during creation, you don't need this permission)

Change the Connection to Log Analytics workspace for an existing Services Hub Connector

  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource

    AND

  • Owner, Contributor or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource

Create new Log Analytics workspace and Connect Log Analytics to Services Hub Connector

  • Owner, Contributor or Log Analytics Contributor on Subscription/ResourceGroup the new Log Analytics workspace is being created under

    AND

  • Owner, Contributor or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource the Services Hub Connector is created under

Add assessments to Services Hub Connector

  • Owner, Contributor or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource

    AND

  • Owner, Contributor or Log Analytics Contributor on Log Analytics Workspace Subscription/ResourceGroup/Resource

View Services Hub Connector -> Overview

  • Owner, Contributor, Reader or Services Hub Operator on Subscription/ResourceGroup/Resource the Services Hub Connector is created under

View Services Hub Connector -> On Demand Assessments Blade

  • Owner, Contributor, Reader or Services Hub Operator on Services Hub Connector Subscription/ResourceGroup/Resource

    AND

  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource

View Assessment Results in Log Analytics Workspace

  • Owner, Contributor, Reader, Log Analytics Contributor or Log Analytics Reader on Log Analytics Workspace Subscription/ResourceGroup/Resource

Run an assessment

For information on how to run an on-demand assessment, see Get Started with On-Demand Assessments.