Azure Update Management


One of the key aspects in managing the costs in cloud is to consume cloud native solutions and not to replicate the On-Premises components in cloud. A simple example is to use Azure Bastion host PaaS (Platform as A Service) instead of traditional RDP server farms for remote connectivity to Virtual machines in all possible scenarios.

Windows OS Patching is one of the key areas in managing application and infra servers. The Infra team spends lot of time in keeping the servers up to date with critical and security patches. With malwares and ransomware posing serious threat to various organizations, it is imperative for the SecOps team to track the patching updates for all the servers in the environment.

Traditionally System Center Configuration Manager (SCCM) servers were used to keep the virtual machines up to date. Extending the same to Azure environment shall be cumbersome and adds the cost of product and management as well.

Hence the solution of Azure Update Management …

Azure Update Management:

Microsoft Azure offers a free cloud native solution based on Azure automation for patch management of Windows and Linux Virtual Machines (VM) in cloud

Azure Update Management helps to manage operating system updates for the Windows and Linux virtual machines in Azure, physical or virtual machines in on-premises environments, and in other cloud environments.

We can quickly assess the status of available updates and manage the process of installing required updates for the virtual machines reporting to Update management.

Azure Update Management – Schematic Diagram (Courtesy: MS Docs)


One of the common project scenarios is that the customers having Azure virtual machines in both workgroup and domain environment due to various requirements. Often the workgroup VMs patching is difficult and could lead to low Azure Secure Score and hence posing the immediate challenge to act and remediate the VMs missing critical patches.

Extending On-Premises SCCM servers or WSUS is used in few organizations which adds up to management and cost overhead. Azure Update Management comes handy in such use cases.

Advantages of Azure Update Management:

  • Works for both workgroup and domain joined VMs
  • Supports Linux and Windows VMs
  • Free of Cost
  • Scheduled deployments with no reboot option
  • Include or exclude selected patches with KB number
  • Pre and post patching tasks using scripts
  • Dashboard for easy reporting
  • Option to install critical and security patches and all other patches in same or different schedules

Components in Azure Update Management:

  • Azure Automation Account
  • Log Analytics workspace

Azure Automation Account:

Azure Automation delivers a cloud-based automation and configuration service that supports consistent management across the Azure and non-Azure environments. It comprises process automation, configuration management, update management, shared capabilities and heterogenous features. Automation gives you complete control during deployment, operations and decommissioning of workloads and resources

Log Analytics Workspace:

Azure log analytics workspace is the logical storage unit where log data is collected and stored. It can be considered as the basic management unit of Azure monitor logs. It is used to collect data from various sources such as Azure Virtual machines, Windows or Linux virtual machines, Azure resources in a subscription etc.

Implementation Workflow:


Supported Operating System:


  • Windows Server 2019 (Datacenter/Standard including Server Core)
  • Windows Server 2016 (Datacenter/Standard excluding Server Core)
  • Windows Server 2012 R2(Datacenter/Standard)
  • Windows Server 2012    
  • Windows Server 2008 R2 (RTM and SP1 Standard)


  • CentOS 6, 7, and 8
  • Oracle Linux 6.x, 7.x, 8x
  • Red Hat Enterprise 6, 7, and 8
  • SUSE Linux Enterprise Server 12, 15, and 15.1
  • Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS

Update Management does not support safely automating update management across all instances in an Azure virtual machine scale set. Automatic OS image upgrades is the recommended method for managing OS image upgrades on your scale set.

Step by Step Demo:

  1. The first step is to have an automation account. This account does NOT need any additional privilege such as “Run As” permission to update the OS of Azure VMs. We need to plan the deployment in such a way that the Automation account resides in the desired Azure region
Creating Automation Account

2. Then proceed with the creation of a Log Analytics workspace (LAW) account. The number of logs stored by the VMs in the LAW account is minimal and this is chargeable my Microsoft though update management is free. It is also very important to plan the same Azure region for the automation account and LAW account.

Creation of Log Analytics Workspace

3. Then proceed with mapping the Automation Account to the Log analytics workspace account.

Mapping Automation Account to Log Analytics Workspace Account

4. The next step is to connect the virtual machines to the log analytics workspace account. All the needed VMs and the automation account shall be connected to the same LAW account. Select the LAW account and then click on the VMs that need to be connected. This step can be automated using an Azure shell script.

VMs not connected to any LAW connection
Connecting one VM to the new LAW account
VMs connected to the LAW account

5. All the VMs shall communicate with the LAW account with the help of LAW agent. The agent can be installed on the VMs manually or automated. In this case, we are using “Auto-Provisioning” option under Microsoft Defender for Cloud -> Environment Settings -> Setting

Auto provisioning of LAW agent

6. Now it is time to add the VMs into the Update Management section of the Automation account. Once added we can see the rich dashboard with information regarding the patching compliance and number of updates missing. However, this process shall take few hours and a VM which is shut down shall not report any data.

Adding VMs to Update Management
Update management auto populates VMs based on LAW account mapped to VMs and Automation Account
Azure Update Management Dashboard

7. The last step is to create a deployment schedule as per the requirements. In my test case, I have a weekly recurring schedule for non-critical updates and daily recurring schedule for security patches and critical updates. The scheduling gives us a lot of flexibility to carry out pre and post patching tasks, include or exclude patches and the most important aspect of rebooting or no reboot of VMs post patching.

Creating a new update deployment schedule
Daily Schedule for Critical and Security Updates
Daily Schedule Timing
Option to select Reboot
Weekend Schedule for all other patches
Deployment Schedules
Snapshot of all executed Jobs
VMs marked compliant after the successful patching by Azure Update Management

Thus we have covered the entire demo of a simple deployment of Azure Update Management. Apart from Azure Update Management, MS offers Azure VM Guest patching and Azure Update Center as the alternate and the upcoming options for patch management.

Links to refer:


Adding Custom Domain Names to Office 365

Due to the multi-tenant nature of office 365, all the tenants in Office 365 by default have a domain name like <Company Name>

  • The customers would like to retain their email address domain name even after migration to Office 365
  • When we migrate mailboxes from On-Premises to Office 365, one of the first steps involved is to add the domain name (SMTP domain) of the customer in Office 365.

This article describes the step by step approach to add a custom domain name to Office 365 tenant.

First navigate to Office 365 admin center with the URL

The interface of Office 365 has been recently upgraded and I am have followed the latest UI in this article.


We need to select “Add Domain” option either from “Home Screen” of “Office 365 Admin Center” or from the “Settings” option in the left pane of “Office 365 Admin Center”





After we click on “Add domain”, we get the below console where the default Office 365 domain name is present. In this case, it is Click on “Add domain” button in the below console.



Now the “New domain” wizard appears. It is a fairly simple process in which the below steps are carried out.

  1. Add our custom domain name
  2. Verify that the domain name is owned by the tenant
  3. Setup online services like Skype, Sharepoint, Exchange etc
  4. Update relevant DNS records

In this case, I am entering the domain name as “” which is a domain I own.



Now the critical part of verifying the domain name comes to picture. We cannot add a domain name to our tenant unless until we own that particular domain.

Hence we need to verify/prove that we own the domain name via below methods.

  1. TXT record
    1. By adding a custom TXT value presented in “New Domain” addition wizard on the DNS server of the domain we own. In most cases, we can update the TXT record via browser. In our demo, we will be adding which is a domain name provided by and I own that particular domain.
  2. MX record
    1. This option can be used if we have currently published an MX record under the domain name. This is mostly used if an existing On-Premise Exchange server uses the domain name we are trying to add to the Office 365 domain.

We are going with the first option of verifying the domain name using TXT record.

We need to add the below TXT record (MS=ms31321414) to the DNS server where is hosted. Also the TXT record would vary for requests from individual tenants and hence it is unique to your domain.


Before we click on the “Verify” button, we need to add the TXT record in the Internet DNS server. I am going to add the value as given in below snaps which are taken from since is provided to me by WordPress.

Note: You can always click on Your DNS host” (highlighted in blue in above snap) to check for the various DNS hosts directly supported by Office 365 which will make your domain verification much easier. Unfortunately, WordPress provider is not one among them and hence we do all the steps in this demo manually.


Adding TXT records in’s DNS server for



Once the TXT record is added, click on the “Verify” button under “Verify domain” window mentioned in Step 4.


Once the domain name is verified, we need to setup the various DNS records for all the services/offerings provided by Office 365. If we don’t register the below records, the internet mail delivery to the custom domains would be affected.


Since I have a website with, I am going to update the DNS records manually. In most cases if you have purchased the domain from GoDaddy, MyHosting etc, you can go with first option and authorize Office 365 to make the changes directly on the DNS server which is a very easy process.

Records Needed for Office 365 Services:



Records added in DNS server:


For adding records, I have just repeated the steps mentioned in Step 5 but chosen appropriate record types like A, CNAME, SRV etc as mentioned in the above snap.

Voila 🙂 We are done 🙂

Final snaps after the DNS records are updated.


In this article, we have learnt how to add a custom domain name to an existing Office 365 tenant.

Single Tenant Vs Multi Tenant

Single Tenant Vs Multi Tenant:

From an Exchange Admin perspective, We often come across the term “Multi Tenant” when Office 365 is discussed.

Many of us think that Cloud Offerings are Multi Tenant in nature and On premise models are based on Single Tenant all the time. This assumption is very wrong!

Let us explore further.

Assume that I am working as an Exchange Admin for an organization named The organization uses Exchange Server 2013 SP1. This company has two major LOBs as msmessaging and ldkmstech. The AD domain name is

  1. Half of the employees need to have an email address ending with
  2. Rest of the employees need to have an email address ending with

In this case, I can create multiple Accepted Domains, Email Address Policies, Address Books and optionally add UPNs in the AD Domain & Trusts console to create Multi Tenancy in an On Premise AD & Exchange Setp.

In short, multiple organizational units or LOBs depending on a Single Exchange setup will result in the demand for creating Multi Tenancy even in an On Premise setup.

Let us conclude this way ….

Single Tenant:

If an Exchange or On Premise application serves a single organization or having a single accepted domain name will result in Single Tenant Setup. In other words, each customer will have a dedicated Hardware & Software setup.

Multi Tenant:

If an application or Service supports multiple organizations and multiple domain names within the same Infrastructure, we call it a Multi Tenant Architecture. The hardware & Application Infrastructure will be effectively shared among multiple customers. This forms the core concept of Cloud Computing.



Microsoft Office 365 has a common infrastructure which is multiple datacenters spread across various geographies and a common application provided as a “Service” to all the customers. Hence Office 365 implements the concept of Multi-Tenancy.

  • Hence any customer would have the email address or MS Online User ID ending with
  • Each customer tenant is considered more like an “Organizational Unit” with corresponding accepted domain and email address policy.
  • Of course we can add “domain names” that an organization owns to its own tenant component. Each admin of the Office 365 tenant will have access only to his own tenant and no access to underlying hardware since Office 365 is a typical SaaS offering

What is Office 365 ?

What is Office 365 and the growth of Office 365:

Cloud computing is the buzz word in IT industry now. Every major IT product company is trying to provide the best cloud solutions to its consumers.

Cloud computing can be classified into the below 3 models.

  1. IaaS [Infrastructure as a Service]
  2. PaaS [Platform as a Service]
  3. SaaS [Software as a Service]

A great Cloud offering under the model SaaS from Microsoft is “Office 365”.

In the recent days, I found lot of misconceptions about Office 365 among the Exchange admins and the end users alike.

One of my friends recently asked “what is Yammer?”. One of the organizations recently provided Office 365 business plan subscriptions to its employees and many asked if it would allow them to access mails in their mobile device because the very word cloud means mobile access to many. Most Exchange admins feel that Office 365 is only Exchange Online and they often fail to understand the underlying AD Azure.

So in my words, here it goes ….

Office 365 is a brilliant cloud offering from Microsoft which refers to “subscription plans” that include access to “Office Applications” and major “Productivity Services” that are enabled over the Internet (cloud services) like Exchange Online, Lync Online, Sharepoint Online, OneDrive for business etc.

From an enterprise IT admin perspective, Office 365 has two major classifications:

  1. Business
  2. Enterprise

Business plans basically provide access to Office Applications via Internet to the business users. The applications can be installed (Click To Install over Cloud) in one or more devices (smartphone, tablet & computers) or accessed online via various browsers like IE, Chrome, Safari etc. The office applications included are MS Excel, MS Word, MS PowerPoint, OneDrive and MS Outlook. (Skype for business & OneNote are included in some plans)

Enterprise Plans provide both Office applications & Productivity services over internet. The productivity services from Office 365 are Exchange Online, Lync Online, SharePoint Online, Delve (Information Discovery within Office 365), Sway (Digital story telling app), Yammer (Social network in a professional environment similar to “Facebook At Work”) & OneDrive for business (Cloud Storage like DropBox).

Hence an organization can use Office apps from Office 365 subscription & the email service can be from On-Premise Exchange Server 2013. Some organizations can completely use Office 365.

The authentication for Office 365 users are provided by Azure Active Directory (AAD) similar to Exchange users getting authenticated by On Premise Domain Controllers running Active Directory.

More info on …

Growth of Office 365:

Cloud offerings from Microsoft has picked up a great momentum in the last financial year and it is growing even faster this year. In the last 2 years, I have witnessed 80,000+ mailboxes of an IT organization getting migrated to Office 365 within 6 months and one more organization embracing Office 365 Office apps for the whole organization. A humongous scale of adoption for MS cloud platform clearly indicates the reliability, scalability, business continuity provided by Microsoft Cloud Platform.

The earnings release data from Microsoft release for Q1 FY16 clearly shows the industry acceptance trend for Microsoft Cloud offerings like Office 365 & Azure. A few Excerpts are given below.

  1. Office 365 consumer subscribers increased to 18.2 million, with approximately 3 million subscribers added in the quarter
  2. Office commercial products and cloud services revenue grew 5% in constant currency with Office 365 revenue growth of nearly 70% in constant currency and continued user growth across our productivity offerings
  3. Commercial cloud annualized revenue run rate exceeds $8.2 billion

With fast track deployments and easy to migrate options, Office 365 is equally embraced by Start Ups in India and enterprises across the globe. Thus Exchange Administrators like me are all geared up to embrace cloud faster than ever before having 18.5 million users already in Office 365!

Why wait to experience Office 365 …. Follow the below link …

Office 365 Guide for Exchange Admins