Introduction
Azure VM extensions provide post-deployment configuration, monitoring, and security capabilities. When extensions fail, VMs may lack required configurations, monitoring agents, or security tools, affecting operations and compliance.
Symptoms
Extension provisioning failed:
```bash $ az vm extension list \ --vm-name my-vm \ --resource-group my-rg \ --query "[?provisioningState=='Failed'].{Name:name,State:provisioningState,Message:instanceView.statuses[0].message}"
# Shows extension in failed state ```
Extension timeout:
{
"status": "error",
"message": "Extension installation timed out after 900 seconds"
}Dependency error:
{
"code": "ExtensionDependencyFailure",
"message": "Extension 'Microsoft.Compute.CustomScriptExtension' depends on 'VMAccessExtension' which failed"
}Common Causes
- 1.Extension script error - Custom script has syntax or runtime errors
- 2.Network connectivity - Extension can't reach required resources
- 3.VM agent not running - Guest agent offline or unhealthy
- 4.Settings misconfiguration - Invalid extension settings
- 5.Timeout exceeded - Extension takes too long to complete
- 6.Resource not found - Referenced storage account or file missing
- 7.Permission denied - Extension lacks required permissions
Step-by-Step Fix
Step 1: Check Extension Status
```bash # List all extensions on VM az vm extension list \ --vm-name my-vm \ --resource-group my-rg \ --query '[].{Name:name,State:provisioningState,Version:typeHandlerVersion}'
# Get detailed extension status az vm extension show \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --query '{State:provisioningState,Status:instanceView.statuses}' ```
Step 2: Check VM Agent Status
bash
# Check VM agent status
az vm get-instance-view \
--name my-vm \
--resource-group my-rg \
--query 'instanceView.extensions[?name==VMAgent`].statuses'
# If agent not running, restart it # Linux: sudo systemctl restart waagent
# Windows: net stop WindowsAzureGuestAgent net start WindowsAzureGuestAgent ```
Step 3: View Extension Logs
```bash # Linux extension logs # SSH to VM: ls -la /var/log/azure/ cat /var/log/azure/custom-script/handler.log
# Windows extension logs # RDP to VM: # C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension\ ```
Step 4: Check Extension Settings
```bash # View extension settings az vm extension show \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --query 'settings'
# Common issues: # - Invalid fileUris # - Missing commandToExecute # - Invalid storage account access ```
Step 5: Reinstall Extension
```bash # Remove failed extension az vm extension delete \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension
# Reinstall with correct settings az vm extension set \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --publisher Microsoft.Compute \ --version 1.10 \ --settings '{"fileUris":["https://mystorage.blob.core.windows.net/scripts/script.sh"],"commandToExecute":"sh script.sh"}' ```
Step 6: Fix Network Connectivity
bash
# If extension can't reach storage or download files
# Check NSG rules allow outbound HTTPS
az network nsg show \
--name my-nsg \
--resource-group my-rg \
--query 'securityRules[?direction==Outbound`]'
# Add outbound rule if needed az network nsg rule create \ --nsg-name my-nsg \ --resource-group my-rg \ --name AllowHTTPS \ --direction Outbound \ --priority 100 \ --source-address-prefixes '*' \ --destination-port-ranges 443 \ --protocol Tcp \ --access Allow ```
Step 7: Use Managed Identity for Storage
```bash # Enable managed identity on VM az vm identity assign \ --name my-vm \ --resource-group my-rg
# Grant storage permissions VM_PRINCIPAL_ID=$(az vm show --name my-vm --resource-group my-rg --query identity.principalId -o tsv)
az role assignment create \ --assignee $VM_PRINCIPAL_ID \ --role "Storage Blob Data Reader" \ --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorage
# Use managed identity in extension az vm extension set \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --publisher Microsoft.Compute \ --protected-settings '{"managedIdentity":{"clientId":"CLIENT_ID"}}' ```
Step 8: Increase Extension Timeout
```bash # For long-running scripts, increase timeout az vm extension set \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --publisher Microsoft.Compute \ --settings '{"commandToExecute":"sh long-script.sh"}' \ --no-auto-upgrade true
# Default timeout: 90 minutes # Can be extended by using async execution in script ```
Step 9: Debug Custom Script
```bash # Run script manually to debug # SSH to VM: sudo sh /var/lib/waagent/custom-script/download/script.sh
# Check script syntax bash -n script.sh
# Run with verbose output bash -x script.sh ```
Step 10: Monitor Extension Health
```bash # Set up alert for extension failures az monitor metrics alert create \ --name vm-extension-failures \ --resource-group my-rg \ --scopes /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm \ --condition "count ExtensionStatus == 0 where ExtensionStatus == 'Failed'" \ --window-size 5m
# Check extension activity az monitor activity-log list \ --resource-group my-rg \ --resource Microsoft.Compute/virtualMachines/my-vm \ --query "[?contains(operationName.value, 'extension')].{Time:eventTimestamp,Operation:operationName,Status:status.value}" ```
Common Azure VM Extensions
| Extension | Purpose | Common Errors |
|---|---|---|
| CustomScript | Run scripts | File not found, timeout |
| VMAccess | Reset password | Permission denied |
| AzureMonitor | Monitoring agent | Network blocked |
| AzureDiskEncryption | Encrypt disks | Key Vault access |
| DependencyAgent | Service mapping | VM agent down |
Verification
```bash # After reinstalling extension az vm extension show \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --query '{State:provisioningState,Status:instanceView.statuses[0].displayStatus}'
# Should show: # State: Succeeded # Status: Provisioning succeeded
# Check extension output az vm extension show \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --query 'instanceView.substatuses' ```
Prevention
To prevent Azure VM extension failed issues from recurring, implement these proactive measures:
1. Monitor Extension Health
groups:
- name: azure-vm-extensions
rules:
- alert: AzureVMExtensionFailed
expr: |
azure_vm_extension_provisioning_state != "Succeeded"
for: 5m
labels:
severity: warning
annotations:
summary: "Azure VM extension provisioning failed"2. Test Extension Deployment
```bash # Test extension in staging VM first az vm extension set \ --vm-name test-vm \ --resource-group staging-rg \ --name CustomScriptExtension \ --publisher Microsoft.Compute \ --version 2.1 \ --settings '{"fileUris":["https://test.blob.core.windows.net/scripts/test.sh"]}' \ --protected-settings '{"commandToExecute":"./test.sh"}'
# Verify success before production deployment ```
3. Maintain Extension Versions
```bash # Track extension versions az vm extension image list \ --publisher Microsoft.Compute \ --name CustomScriptExtension \ --query '[].{Version:version,Date:date}' -o table
# Use stable versions, avoid latest in production az vm extension set \ --vm-name my-vm \ --resource-group my-rg \ --name CustomScriptExtension \ --publisher Microsoft.Compute \ --version 2.1 # Fixed version ```
Best Practices Checklist
- [ ] Monitor extension health
- [ ] Test extension in staging first
- [ ] Use stable extension versions
- [ ] Ensure VM agent is running
- [ ] Check network connectivity
- [ ] Document extension configurations
Related Issues
- [Fix Azure VM Not Starting](/articles/fix-azure-vm-not-starting)
- [Fix Azure Disk Encryption Failed](/articles/fix-azure-disk-encryption-failed)
- [Fix Azure Custom Script Extension Failed](/articles/fix-azure-custom-script-extension-failed)
Related Articles
- [Technical troubleshooting: Fix Azure Aks Pod Crashloopbackoff Issue in Azure](azure-aks-pod-crashloopbackoff)
- [Technical troubleshooting: Fix Azure Api Management Policy Expression Runtime](azure-api-management-policy-expression-runtime-error)
- [Technical troubleshooting: Fix Azure App Configuration Feature Flag Not Refre](azure-app-configuration-feature-flag-not-refreshing)
- [Technical troubleshooting: Fix Azure App Service 503 Always On Disabled Issue](azure-app-service-503-always-on-disabled)
- [Technical troubleshooting: Fix Azure Application Gateway Err SSL Unrecognized](azure-application-gateway-err-ssl-unrecognized-name-alert)
<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "Fix Azure VM Extension Failed", "description": "Troubleshoot Azure VM extension failures. Check extension status, review logs, and reinstall extensions with correct settings.", "url": "https://www.fixwikihub.com/fix-azure-vm-extension-failed", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2026-04-03T02:39:37.987Z", "dateModified": "2026-04-03T02:39:37.987Z" } </script>