
How To Enable Automatic Upgrades For AMA Extension Easily


Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and non-Azure machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Azure Monitor Agent (AMA) replaces all of Azure Monitor’s legacy monitoring (OMS/MMA) agents, which will reach the end of support by August 2024.

In this article, we will show you how to enable automatic upgrades for AMA, the Azure Monitor Agent extension for Azure VMs, and Azure Arc Servers using Azure PowerShell.

Introduction

The Azure Monitor Agent (AMA) is the future for many Azure services covering Azure VMs and non-Azure machines: the AMA agent is more efficient, more supportable, and more reliable than the legacy agents.

In February 2022, Microsoft announced automatic extension upgrade support for the Azure Monitor Agent (AMA) extension. This new feature is available for Azure virtual machines and scale sets on both Windows and Linux, as well as for Azure Arc servers.

Enable Azure Monitor Agent automatic upgrade

Updating the Azure Monitor Agent is important because it will include security fixes and further enhancements, so you want to keep it up-to-date without relying on manual update activities.

Now, when you install the Azure Monitor Agent, Microsoft will usually also enable automatic extension upgrade if the agent supports automatic upgrade, which AMA does. However, this is not always the case; I have seen this disabled in different environments.

The recommendation is to enable Automatic Extension Upgrade. Note that it may take up to 5 weeks after a new extension version is released for the installed extensions to be updated to the released (latest) version across all regions. Upgrades are issued in batches, so you may see some of your virtual machines, VM Scale Sets, or Arc-enabled servers get upgraded before others. If you want, you can manually upgrade the extension immediately by using Azure PowerShell, Azure CLI, or the REST API.

Now, if you onboarded non-Azure machines via Azure Arc, you also have the option to enable automatic extension upgrades directly from the Azure Arc | Servers blade, as shown in the figure below. At the time of this writing, the current Azure Monitor Agent for Windows is version 1.12.1.0.

AMA – Enable automatic upgrade for Azure Arc Servers

And for Linux OS, the current Azure Monitor Linux Agent version is 1.25.1.0.

Azure Monitor Linux Agent

Now, if you have many servers deployed across many environments, it is not efficient to go through all of your servers one by one and check whether Automatic Extension Upgrade is enabled.

Automation to the rescue!

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Log Analytics workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.

3) One or more Azure VMs and/or one or more servers onboarded to Azure Arc.

4) Azure PowerShell installed locally on your machine or using the Cloud Shell.

Enable Automatic Upgrades For AMA

To enable automatic upgrades for the AMA extension, you need to connect to Azure with a user account that has the Microsoft.Compute/virtualMachines/extensions/write permission (for Azure VMs) or the Microsoft.HybridCompute/machines/extensions/write permission (for Azure Arc machines).

You have a couple of options to run the script: you can use Azure Cloud Shell, Visual Studio Code, or Windows Terminal. The script works with PowerShell 5.1 or PowerShell 7.3.x (Core) with the Az module.

Assuming you have all the required permissions in place, you can run the following command to enable automatic upgrades of the AMA extension for both Azure VMs and Azure Arc Servers (pass either AzVM or AzArc as the environment):

.EXAMPLE

.\Enable-AutomaticUpgradeAMA.ps1 -environment [AzVM, AzArc] -Verbose

PowerShell Code

The complete script is detailed below to enable automatic upgrade for the Azure Monitor Agent extension:

<#
.SYNOPSIS
Enable automatic upgrade for Azure Monitor Agent (AMA) extension.

.DESCRIPTION
How to enable automatic upgrade for Azure Monitor Agent (AMA) extension for Azure VMs and Azure Arc Servers.

.NOTES
File Name : Enable-AutomaticUpgradeAMA.ps1
Author    : Microsoft MVP/MCT - Charbel Nemnom
Version   : 1.0
Date      : 23-February-2023
Updated   : 24-February-2023
Requires  : PowerShell 5.1 or PowerShell 7.3.x (Core)
Modules   : Az.Accounts, Az.Compute, Az.ConnectedMachine

.LINK
To provide feedback or for further assistance please visit: https://charbelnemnom.com 

.EXAMPLE
.\Enable-AutomaticUpgradeAMA.ps1 -environment [AzVM, AzArc] -Verbose
This example will connect to your Azure account, then loop through all the subscriptions that you have,
and then check the Azure Monitor Agent for Windows and Linux VMs that have the AMA extension installed but automatic upgrade NOT enabled.
#>

param (
    [Parameter(Mandatory)]
    [ValidateSet("AzVM", "AzArc")]
    [String]$Environment = 'AzVM'
)

#! Install Az Module If Needed
function Install-Module-If-Needed {
    param([string]$ModuleName)
    if (Get-Module -ListAvailable -Name $ModuleName -Verbose:$false) {
        Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
    }
    else {
        Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
        Install-Module $ModuleName -Force -AllowClobber -ErrorAction Stop
        Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
    }
}

#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts

#! Install Az Compute Module If Needed
Install-Module-If-Needed Az.Compute

#! Install Az ConnectedMachine Module If Needed
Install-Module-If-Needed Az.ConnectedMachine

#! Check Azure Connection
Try {
    Write-Verbose "Connecting to Azure Cloud..."
    Connect-AzAccount -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
}
Catch {
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!"
    # 'return' at script level ends the script cleanly ('break' outside a loop is not reliable)
    return
}

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
    $azSubName = $azSub.Name
    Write-Verbose "Set the Azure context to the subscription name: $($azSubName)"
    Set-AzContext -Subscription $azSub | Out-Null

    If ($Environment -eq "AzVM") {
        $azVMs = Get-AzVM -ErrorAction SilentlyContinue
        If ($azVMs) {
            Write-Verbose "Get the list of all Azure VMs that have AMA extension installed and Automatic Upgrade is NOT enabled..."
            $amas = @()

            foreach ($azVM in $azVMs) {
                # Keep only the AMA extensions (publisher Microsoft.Azure.Monitor) whose automatic upgrade is still off
                $amas += Get-AzVMExtension -VMName $azVM.Name -ResourceGroupName $azVM.ResourceGroupName |
                    Where-Object { $_.Publisher -eq "Microsoft.Azure.Monitor" -and $_.EnableAutomaticUpgrade -eq $False }
            }

            If ($amas) {
                foreach ($ama in $amas) {
                    Write-Verbose "Enable Automatic Upgrade for the AMA extension for the Azure VM: $($ama.VMName)"
                    $ama | Set-AzVMExtension -EnableAutomaticUpgrade $True | Out-Null
                }
            }
            else {
                Write-Verbose "All Azure VMs have Automatic Upgrade Extension enabled for AMA!"
            }
        }
        else {
            Write-Verbose "No Azure VMs found for the subscription name: $($azSubName)!"
        }
    }
    # The Azure Arc branch must sit at the same level as the Azure VM branch;
    # nested inside it, the AzArc path could never be reached.
    elseif ($Environment -eq "AzArc") {
        $azVMs = Get-AzConnectedMachine -ErrorAction SilentlyContinue
        If ($azVMs) {
            Write-Verbose "Get the list of all Azure Arc Servers that have AMA extension installed and Automatic Upgrade is NOT enabled..."
            $amas = @()

            foreach ($azVM in $azVMs) {
                $amas += Get-AzConnectedMachineExtension -MachineName $azVM.Name -ResourceGroupName $azVM.ResourceGroupName |
                    Where-Object { $_.Publisher -eq "Microsoft.Azure.Monitor" -and $_.EnableAutomaticUpgrade -eq $False }
            }

            If ($amas) {
                foreach ($ama in $amas) {
                    # Extension resource ID: .../machines/<machineName>/extensions/<extensionName>
                    $machineName = $ama.id.Split('/')[-3]
                    Write-Verbose "Enable Automatic Upgrade for the AMA extension for Azure Arc Server: $($machineName)"
                    $ama | Update-AzConnectedMachineExtension -EnableAutomaticUpgrade | Out-Null
                }
            }
            else {
                Write-Verbose "All Azure Arc Servers have Automatic Upgrade Extension enabled for AMA!"
            }
        }
        else {
            Write-Verbose "No Azure Arc Servers found for the subscription name: $($azSubName)!"
        }
    }
}

Here is an example of the output once you run this script:

Enable-AutomaticUpgradeAMA.ps1

Switching to the Azure portal, VM Extensions blade, we can confirm that the Azure Monitor Agent has automatic upgrade enabled now.
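Checking one VM in the portal does not scale across many subscriptions. The following is an added example (my own code, not the article's script or Microsoft's) that verifies the result at scale with a single Azure Resource Graph query instead of enumerating every machine; it assumes the Az.ResourceGraph module is installed, that the account has Reader access to the subscriptions, and that the extension resources expose properties.publisher and properties.enableAutomaticUpgrade as in the ARM extension resource.

```powershell
<#
Added example: report AMA extensions that still have automatic upgrade disabled,
for both Azure VMs and Azure Arc servers, across every subscription the caller can read.
Assumes: Az.Accounts + Az.ResourceGraph modules, Reader access, and the ARM extension
property names properties.publisher / properties.enableAutomaticUpgrade / properties.typeHandlerVersion.
#>
function Get-AmaAutoUpgradeFindings {
    [CmdletBinding()]
    param()

    # KQL for Azure Resource Graph: both extension resource types, AMA publisher only,
    # and only those where enableAutomaticUpgrade is missing or false.
    $query = @"
resources
| where type =~ 'microsoft.compute/virtualmachines/extensions'
     or type =~ 'microsoft.hybridcompute/machines/extensions'
| where properties.publisher =~ 'Microsoft.Azure.Monitor'
| extend parts = split(id, '/')
| extend machine = tostring(parts[array_length(parts) - 3])
| extend autoUpgrade = tobool(properties.enableAutomaticUpgrade)
| extend version = tostring(properties.typeHandlerVersion)
| where isnull(autoUpgrade) or autoUpgrade == false
| project subscriptionId, resourceGroup, machine, type, extension = name, version, autoUpgrade
| order by subscriptionId asc, machine asc
"@

    # Resource Graph returns at most 1000 rows per call; follow the skip token to get the rest.
    $findings  = @()
    $skipToken = $null
    do {
        $page = if ($skipToken) { Search-AzGraph -Query $query -First 1000 -SkipToken $skipToken }
                else             { Search-AzGraph -Query $query -First 1000 }
        $findings += $page
        $skipToken = $page.SkipToken
    } while ($skipToken)

    return $findings
}

# Usage: connect first, then list machines still needing attention (empty output means all AMA
# extensions have automatic upgrade enabled).
Connect-AzAccount -WarningAction SilentlyContinue | Out-Null
Get-AmaAutoUpgradeFindings | Format-Table subscriptionId, resourceGroup, machine, extension, version -AutoSize
```

Run it before the script to see the scope of the change and again afterwards; any machine still listed is one the script did not reach (for example, a subscription outside the current tenant context).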

Disable Azure Monitor Agent automatic upgrade

That’s it, there you have it!

Summary

In this article, we showed you how to automate and enable automatic upgrades for Azure Monitor Agent (AMA) extension for Azure VMs and Azure Arc Servers using Azure PowerShell.

Azure Monitor Agent supports data collection for various Log Analytics solutions and Azure services such as Microsoft Defender for Cloud and Microsoft Sentinel. AMA now supports many extensions; check the list of all AMA extensions that are currently available.

The AMA agent is only required to collect data from the operating system and workloads of virtual machines located in Azure and of non-Azure machines (other clouds/on-premises).

The AMA replaces the legacy Log Analytics agent, the Azure Diagnostics extension, and the Telegraf agent. The AMA offers a lower footprint, enhanced filtering features, scalable deployment management, and configuration using Data Collection Rules (DCR), Data Collection Rule Associations (DCRA), and Azure Policy.

While the AMA hasn’t yet reached full parity with the old Microsoft Monitoring Agent (MMA), Microsoft continues to add features and support, and the MMA will be retired on August 31, 2024.

> Learn more on how to update the Microsoft Sentinel DNS extension for Azure VMs and Azure Arc Servers at scale.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 20+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.