6 min read

Azure Arc for Servers Extensions - Making it easier to manage your servers

Azure Arc for Servers Extensions - Making it easier to manage your servers


Azure Arc-connected nodes enable you to deploy and manage different Azure VM extensions that streamline server management across hybrid-cloud deployments. The extensions provide a unified experience for managing server settings, configurations, and updates across hybrid-cloud.

You can manage these extensions using Azure Portal, Azure CLI, Azure PowerShell, or Azure Resource Management templates.


In my previous posts, I have been focusing on agent deployments and configuration but not that much about the extensions. This time let’s take a closer look at what these extensions offer and how to manage these.

Before you continue reading, I recommend reading my previous Azure Arc-related posts:

Today Microsoft offers different extensions for Windows and Linux operating systems.

Windows extensions

  • Microsoft Defender for Cloud integrated vulnerability scanner
    • Qualys vulnerability scanner
  • Antimalware Extension
  • Custom Script extension
    • Custom PowerShell scripts
  • Log Analytics agent
    • Microsoft Monitoring Agent
  • Azure Monitor for VMs (insights)
    • Microsoft Dependency Agent
  • Azure Key Vault Certificate Sync
    • Provides automatic refresh of certificates stored in an Azure key vault
  • Azure Monitor Agent
  • Azure Automation Hybrid Runbook Worker extension
    • Azure Automation Hybrid Runbook Worker for hybrid clouds
  • Azure Extension for SQL Server
  • Windows Admin Center
  • Defender for Endpoint
    • Defender for Endpoint extension from Defender for Cloud
  • Azure Update Management Center
    • New Update Management service
  • OpenSSH

Linux extensions

  • Microsoft Defender for Cloud integrated vulnerability scanner
  • Custom Script extension
  • Log Analytics agent
  • Azure Monitor for VMs (insights)
  • Azure Key Vault Certificate Sync
  • Azure Monitor Agent
  • Azure Automation Hybrid Runbook Worker extension
  • Defender for Endpoint
  • Azure Update Management Center
  • OpenSSH

When you deploy the Azure Arc-connected agent, you will most likely end up with different extensions that you want to enable. If you are going to use PowerShell for example, then after the agent onboarding you can use the New-AzConnectedMachineExtension command-let to add the extension. The New-AzConnectedMachineExtension command is part of the Az.ConnectedMachine PowerShell module. You can download that from the PowerShell Gallery.

How to get started with Azure Arc for Servers Extensions

Manage Azure Arc extensions from the Azure portal

Before you are going to deploy the extension(s) make sure to check the documentation to see if the actual operating system is supported for that extension. I assume you have already completed the agent onboarding and can see the server object in the Azure portal.

Azure Arc Connected node

From the above screenshot, you can see that server ADFS01 is onboarded and connected. By default, you don’t have any extensions installed, except if you haven’t enabled any Azure Policies for Azure Monitoring Agent deployment or Defender for Cloud policies to auto-provision Defender for Endpoint etc.

You can find all assigned extensions, their statuses, and versions by selecting Extensions from the same page.

Installed Extensions

Click +Add and list all extensions you can deploy through the portal. Today there are some exceptions that you can’t deploy all the extensions through the portal.

Extension installation through Azure Portal

Different extensions may need additional input. Let’s take the Custom Script Extension for Windows extension. This extension allows us to assign custom PowerShell scripts. Before we can do that, we need to provision an Azure Storage account. The script must be uploaded to the storage account and then we can send it out.

For this post, I prepared a simple example. The following script downloads and installs the 7-ZIP Application.

$7ZIPURL = 'https://www.7-zip.org/a/7z2201-x64.exe'
$SourceFolder = 'C:\Windows\Temp\7z2201-x64.exe'
Invoke-WebRequest -Uri $7ZIPURL -OutFile $SourceFolder

Start-Process -FilePath 'C:\Windows\Temp\7z2201-x64.exe' -ArgumentList "/S"

Upload the script to your storage account. You will probably want to create a separate storage account for management scripts.

Script upload

Browse the script and click Review +Create and Create. If everything went correctly, you should see the following message.


Now log on to the test server and browse the C:\ProgramData\GuestConfig\extension_logs\Microsoft.Compute.CustomScriptExtension folder.


Under that folder, you have different log files and CustomScriptHandler.log log file.


That log file shows you the storage account and script we previously added and deployed. You can read the state.json file using PowerShell and see some additional data.


The second file is under the C:\ProgramData\GuestConfig\extension_reports\CustomScriptExtension_report.txt folder and you can read that file using PowerShell too.


We can see that the Custom Script Extension status is a success. From the start menu, we can see that the 7-ZIP is installed successfully.

7-ZIP installed

The extension is also listed under my ADFS server in the Azure Portal.

Manage Azure Arc extensions using PowerShell

Now that we know how to add the Custom Script Extension for Windows extension through the Azure portal, let’s try to do the same exercise through PowerShell. In Az.ConnectedMachine PowerShell module we have three different command-lets around extension management.

  • Get-AzConnectedMachineExtension
    • Allows you to query connected agent installed extensions
  • New-AzConnectedMachineExtension
    • Allows you to add extensions
  • Remove-AzConnectedMachineExtension
    • Allows you to remove the extension

Get-AzConnectedMachineExtension command output.


You can also specify the extension Name parameter and then you can retrieve only that extension information.

Get-AzConnectedMachineExtension -MachineName ADFS01 -ResourceGroupName "RG-PROD-IT-ARC" -Name CustomScriptExtension | Select-Object *

As you see from the above screenshot, we can see the following information:

  • Installation status
  • Storage account address (cut out from this screenshot)
  • Version
  • Location
  • Auto upgrade status
  • Resource Group name

Let’s remove the same extension and try to add it back. To remove the extension, run the following command:

Remove-AzConnectedMachineExtension -MachineName ADFS01 -ResourceGroupName "RG-PROD-IT-ARC" -Name CustomScriptExtension -Verbose

Remove-AzConnectedMachineExtension allows you to specify -nowait parameter. You can use this parameter to execute the command and continue immediately, otherwise the command will wait until the job is complete.

Now that the script extension is removed let’s add it back. Before you can add the custom script extension again, you need to generate the script SAS read token and then copy the URL to this script.

$Settings = @{
    fileUris = @("MY SCRIPT PATH TO STORAGE")
    commandToExecute = "powershell -ExecutionPolicy Unrestricted -File Install-Arc7ZIP.ps1"

$CustomScriptProperties = @{
    MachineName = "ADFS01"
    Name = "CustomScriptExtension"
    ResourceGroupName = "RG-PROD-IT-ARC"
    Publisher = "Microsoft.Compute"
    ProtectedSetting = $Settings
    Location = "West Europe"
    ExtensionType = "CustomScriptExtension"

New-AzConnectedMachineExtension @CustomScriptProperties -Verbose

Run the below code and it should download the same 7-ZIP script from the storage account and install it.

New-AzConnectedMachineExtension command

If everything went correctly, then you see a success message.


Azure Arc will simplify your day-to-day administration. If you haven't yet tested Azure Arc, I strongly recommend doing one POC.

Need assistance implementing Azure Arc, let me know.