How should DCR association work with VMSS Flexible that only supports User-Assigned MI

Question

How should DCR association work with VMSS Flexible that only supports User-Assigned MI

PLADASLO 0

Data Collection Rule (DCR) association with Virtual Machine Scale Set (VMSS) in Flexible orchestration mode fails due to two distinct issues related to Managed Identity handling and Private Link configuration.

Issue 1: DCR forces System-Assigned Managed Identity on VMSS Flexible

Problem Description

When associating a Data Collection Rule with a VMSS in Flexible orchestration mode, the DCR association process attempts to enable System-Assigned Managed Identity on the VMSS. However, VMSS Flexible only supports User-Assigned Managed Identity.

Expected Behavior

DCR association should detect the VMSS orchestration mode and use the existing User-Assigned Managed Identity instead of attempting to enable System-Assigned MI.

Actual Behavior

The operation fails with the following error:

HTTP Status Code: 400 Bad Request

{
  "error": {
    "code": "InvalidParameter",
    "target": "identity",
    "message": "The value 'SystemAssigned' of parameter 'identity' is not allowed. Allowed values are: UserAssigned, None."
  }
}

Comparison with VMSS Uniform

VMSS Mode	System-Assigned MI	User-Assigned MI	DCR Association
Uniform	Supported	Supported	Works
--------	--------	--------	--------
Uniform	Supported	Supported	Works
Flexible	Not Supported	Supported	Fails

Issue 2: Azure Monitor Agent fails to retrieve configuration via Private Link

Problem Description

After manually assigning a User-Assigned Managed Identity to the VMSS Flexible and installing the AzureMonitorLinuxAgent extension, the agent installs successfully but fails to retrieve DCR configuration.

Error from Agent Log:

Response Code: 403
Response: {
  "error": {
    "code": "InvalidAccess",
    "message": "Data collection endpoint must be used to access configuration over private link."
  }
}

Current RBAC Configuration for User-Assigned MI

The User-Assigned Managed Identity has the following role assignments:

Role Resource Type	Resource Type
Log Analytics Contributor	Log Analytics Workspace
Monitoring Metrics Publisher	Data Collection Rule

Expected Behavior

The Azure Monitor Agent should use the User-Assigned MI credentials to authenticate and retrieve DCR configuration, then start sending logs to the Log Analytics Workspace.

Actual Behavior

Agent extension installs successfully
Agent fails to authenticate/retrieve configuration
No logs are being sent to Log Analytics Workspace

Is VMSS Flexible orchestration mode officially supported with Data Collection Rules?
How should DCR association work with VMSS Flexible that only supports User-Assigned MI?
- Is there a workaround to specify User-Assigned MI during DCR association?
- Can DCR be configured to use existing User-Assigned MI instead of forcing System-Assigned MI?
Private Link error:
- Is a Data Collection Endpoint (DCE) required for VMSS Flexible even without Private Link?
- What additional RBAC permissions are required on the DCE for User-Assigned MI?
- Should the DCE be explicitly configured in the agent extension settings?
What is the recommended configuration for DCR + VMSS Flexible + User-Assigned MI + Private Link environment?

PLADASLO 0 Reputation points

2026-01-29T13:33:59.3766667+00:00
Thank you for your response. However, the suggestions provided do not address our actual issues. We have already implemented everything you described, and the problems persist.

ComponentStatusDetailsUser-Assigned Managed IdentityConfiguredumi assigned to VMSS FlexibleUser-Assigned Managed IdentityConfiguredumi assigned to VMSS FlexibleData Collection Endpoint (DCE)Configureddce exists and is accessibleData Collection Rule (DCR)ConfiguredAssociated with VMSSRBAC PermissionsConfiguredSee table belowAll resources in same RGYesMI has access to all componentsRBAC Permissions Already Assigned to User-Assigned MI:

ResourceRoleStatusData Collection EndpointMonitoring Metrics PublisherAssignedData Collection RuleMonitoring ContributorAssignedLog Analytics WorkspaceLog Analytics ContributorAssignedIssue 1: AMA Installation on Existing VMs (UNRESOLVED)

Your suggestion:

"Assign User-Assigned MI to VMSS Flexible and Install Azure Monitor Agent (AMA)"

This does NOT work for existing VMs in VMSS Flexible.

The Problem:

ScenarioAMA InstallationResultNew VM created after DCR associationAutomaticAMA installs automaticallyExisting VM in VMSS FlexibleNo mechanismAMA is NOT installed, no documented method existsWhat We Need:

How do we install AMA on existing VMs in VMSS Flexible?

There is no az vmss extension set command that works for Flexible mode individual VMs

The extension is only applied to newly scaled-out instances

We cannot manually install AMA on existing instances

Is there a way to force AMA installation on all current instances?

Scale-in and scale-out is not acceptable in production

We need a non-disruptive method

Issue 2: DCR Does Not See Individual VMs (UNRESOLVED)

Even when we successfully get AMA installed on a new VM in VMSS Flexible

The Problem:

DCR Association Target: VMSS (vmss-flexible-test)

DCR sees: VMSS resource only

DCR does NOT see: Individual VM instances

Result: No log collection occurs

Evidence:

New VM is created in VMSS Flexible

User-Assigned MI is inherited by new VM

AMA extension is installed on new VM

AMA agent starts successfully

Agent fails to retrieve configuration

No logs flow to Log Analytics

Error from Agent :

<personal info>

This error persists even though DCE is configured.

Please Provide step-by-step instructions for configuring DCR + DCE + AMA with VMSS Flexible that actually works

please escalate to Azure Monitor product team if this is a known gap in VMSS Flexible resource and please provide a workaround for collecting logs from VMSS Flexible VMs
Himanshu Shekhar 5,140 Reputation points Microsoft External Staff Moderator

2026-02-03T01:06:02.4766667+00:00

@PLADASLO

To associate DCR with VMSS flexible, the DCRA should be at VM level. It cannot be as VMSS flexible level. Pls. refer the note for VMSS flexible here - Manage data collection rule associations in Azure Monitor - Azure Monitor | Microsoft Learn

Yes, with AMPLS, DCE is required. Pls see Network Isolation for Azure Monitor Agent via Private Link - Azure Monitor | Microsoft Learn
Himanshu Shekhar 5,140 Reputation points Microsoft External Staff Moderator

2026-02-04T04:42:02.5933333+00:00

@PLADASLO - Just checking if provided response was helpful! please let me know if you have any queries.

1 answer

Your answer

Himanshu Shekhar 5,140 Reputation points Microsoft External Staff Moderator

2026-02-03T01:06:02.4766667+00:00

@PLADASLO

To associate DCR with VMSS flexible, the DCRA should be at VM level. It cannot be as VMSS flexible level. Pls. refer the note for VMSS flexible here - Manage data collection rule associations in Azure Monitor - Azure Monitor | Microsoft Learn

Yes, with AMPLS, DCE is required. Pls see Network Isolation for Azure Monitor Agent via Private Link - Azure Monitor | Microsoft Learn
Himanshu Shekhar 5,140 Reputation points Microsoft External Staff Moderator

2026-02-04T04:42:02.5933333+00:00

@PLADASLO - Just checking if provided response was helpful! please let me know if you have any queries.

Answer 1

@PLADASLO

Associating a DCR at the VMSS Flexible resource level is not supported, as each VM in a flexible scale set is treated as a standalone resource.

Please refer to the VMSS Flexible note in the following documentation:

Manage data collection rule associations in Azure Monitor https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-associations

Additionally, when Azure Monitor Private Link Scope (AMPLS) is used, configuring a Data Collection Endpoint (DCE) is mandatory, as Azure Monitor Agent traffic must route through private endpoints.

This requirement is documented here: Network Isolation for Azure Monitor Agent via Private Link : https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-private-link

If you have any further queries, let us know

Share via

How should DCR association work with VMSS Flexible that only supports User-Assigned MI

1 answer

Your answer