Monitoring Azure Resources with SCOM

Have any of you been tasked with monitoring "Azure" but are unfamiliar with it?  As the SCOM guru, [I hope!] you are familiar with SCOM but may have had little exposure to Azure (and it's hard to monitor something you've never seen or used!)  This is a primer for those trying to monitor what they've never seen....

First off, you don't monitor Azure -- it's an abstract entity.

You do monitor infrastructure, applications, etc.  Azure is a collection of servers, services, networking equipment, and storage that can be virtually configured to meet your needs.  Need a beefy SQL box?  Need thin, load-balanced web servers?  Need a huge data drive?  All are possible in the Azure cloud.....

Azure is managed from a console; below is a screenshot from the classic Azure Console.

A few key things:

  • Subscriptions - A administrative and billing "bucket".  Everything you create is associated with a subscription, but as subscriptions have size limits many organizations will have multiple subscriptions active a time.
  • Virtual Machine Tab- These are the servers you are responsible for the OS on (IaaS)
  • You can't see these details from the client side, details are exposed via the Azure console or Azure Powershell

So how to I monitor all this stuff?


To monitor servers you maintain in Azure (IaaS or Infrastructure as a Service), treat them like any DMZ (if in a different domain) or offsite server -- put an agent on the server.


If you want to monitor PaaS (Platform as a Service) and lower-level Azure components hosted there, you need to use Azure MPs such as the following:

Because this is PaaS, you don't get to see everything but can tell is the Azure backend supporting your PaaS apps is healthy.

To do this, you need to setup a connection for each subscription you have servers associated with (see my example below).  You’ll need a certificate to be uploaded to each subscription (each subscription can have multiple certs uploaded) – this won’t create any issues for the subscription or impact how it currently works.


  1. Create a certificate using makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a sha1 -len 2048 -ss My "<CertificateName>.cer" -- this will end up in your computer's certificate store.
  2. Export it as a .cer (for upload to your Azure subscriptions) and again as a .pfx with a password (for use in the SCOM wizard)
  3. Upload the .cer to your subscription(s) you want to monitor
  4. Copy the .pfx to the computer you'll be running the SCOM wizard from (won't work with network drives in my experience)


To monitor SaaS (Software as a Service), look for MPs.  With SaaS, Microsoft supports the infrastructure and application.  There is really very little left for you to monitor.....

Keep in mind, Azure Log Analytics (formerly OMS) has access to the Azure fabric and will often be superior for Azure (not OS/application) monitoring.  It's still a case of SCOM + Log Analytics are "better together."

Comments (4)

  1. hyo says:

    For SaaS, your developers will continue to deploy web applications to it. You as a SCOM admin, you are required to monitor the availability of your company web applications that are deployed to SaaS.

    Information you need to report on are….
    1. Is your endpoint throwing response other than http status 200
    2. What inter-process application errors does your web application encounter
    3. What is the CPU / Memory related issues does your SaaS application encounter.
    4. What system errors does your SaaS application encounter.

    If you think SaaS is a “magical” thing Microsoft handle for you on its own… well, you are in for a rude awakening.

    1. Nicole Welch says:

      Unfortunately we’re back to picking the cloud offering that fits you best. SaaS gives less visibility to and customization of the underlying OS, applications, etc. If you require that, PaaS or IaaS may be a better fit. Think about it this way, no one expects to monitor Gmail but many businesses rely on its service offering(s). You trade control/oversight for lower costs.

  2. Mo says:

    Hi Nicole,
    Many thanks for your precious page! I just have a little question. in IaaS infrastruture, can I put a different agent like ITM6 or VCops to monitore some logs etc…
    Merci !

    1. Nicole Welch says:

      I’m not familiar with those products in particular, but you can run SCOM, SCCM, SEP, McAfee, etc. so I see no reason why not. Azure is just another data center…you still own the OS and up.

Skip to main content