Azure VM Software Inventory Not Collecting Data — Managed Identity Missing

Symptoms

Azure VMs show Software Inventory as enabled in the portal, but no data appears in the connected Log Analytics workspace. The ConfigurationData and ConfigurationChange tables stay empty even hours after enablement. The Change Tracking extension appears provisioned with no obvious errors.

On the VM itself, the Azure Monitor Agent (AMA) logs repeat the following errors every 4-5 minutes:

Failed to find an output stream for: ""
Error sending kusto telemetry data through output handler.
socket/pipe Error while sending request data
Error while reading settings  dial unix @CAgentStream_CloudAgentInfo_config_default_fluent.socket: connect: connection refused

Root Cause

The Azure Monitor Agent cannot authenticate to Azure because the VM has no managed identity assigned.

AMA uses the VM's managed identity to get a token from the Azure Instance Metadata Service (IMDS) endpoint (http://169.254.169.254). This token is required to:

• Download the Data Collection Rule (DCR) configuration from Azure Monitor Configuration Service (AMCS)
• Send collected data to the Log Analytics workspace

Without a token, AMA starts but fails to initialize its data pipeline. The Unix socket that the ChangeTracking extension communicates through (@CAgentStream_CloudAgentInfo_config_default_fluent.socket) is never created, because it only exists once the pipeline is up. The ChangeTracking extension then loops retrying the socket connection indefinitely.

The error in /var/opt/microsoft/azuremonitoragent/log/mdsd.err confirms this:

Failed to get MSI token from IMDS endpoint: http://169.254.169.254 ErrorCode:-2146041343

Diagnosis Steps

1. Verify AMA is running but has no socket

systemctl is-active azuremonitoragent

# Check if the socket exists
ss -xlp | grep fluent

If AMA is active but the socket is missing, proceed to step 2.

2. Check AMA error logs

sudo tail -50 /var/opt/microsoft/azuremonitoragent/log/mdsd.err

Look for Failed to get MSI token from IMDS endpoint.

3. Confirm the VM has no managed identity

In the Azure portal: navigate to the VM → Security → Identity.

• System assigned tab: Status should be On
• User assigned tab: should list at least one identity

If both are empty/off, the managed identity is missing.

4. Confirm IMDS is reachable but returns no identity

Run this from inside the VM:

curl -s -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://monitor.azure.com/"

A VM with no managed identity returns an error response rather than an access token.

5. Verify DCR config was never downloaded

ls /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/

The directory will be empty, confirming AMA never reached the configuration service.

Fix

Enable system-assigned managed identity on the VM:

Azure portal: VM → Security → Identity → System assigned → set Status to On → Save

Azure CLI:

az vm identity assign -g <resource-group> -n <vm-name>

After saving, restart AMA:

sudo systemctl restart azuremonitoragent

Within 2-3 minutes, verify the socket is created:

ss -xlp | grep fluent

And confirm AMA is downloading its configuration:

ls /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/

Health Check After Fix

1. Check AMA service is running: systemctl status azuremonitoragent
2. Confirm the socket exists: ss -xlp | grep fluent
3. Verify DCR config downloaded: ls /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/
4. No new errors in: /var/opt/microsoft/azuremonitoragent/log/mdsd.err

References

• Azure Monitor Agent troubleshooting — Linux
• Configure managed identities on Azure VMs
• Enable Change Tracking and Inventory for Azure VMs