| title | Enable cross-subscription patching in Azure Update Manager |
|---|---|
| description | Learn how to enable cross-subscription patching in Azure using CLI or portal. Register resource providers, assign roles, and schedule updates with Update Manager. |
| ms.service | azure-update-manager |
| author | habibaum |
| ms.author | v-uhabiba |
| ms.date | 03/13/2025 |
| ms.topic | how-to |
| ms.update-cycle | 1095-days |
Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ On-premises environment ✔️ Azure Arc-enabled servers.
This article describes how to enable cross-subscription patching through either the Azure CLI or the Azure portal.
- You can register the necessary resource providers to your subscription through the Azure CLI or manually via the Azure portal.

  Open your Azure CLI and run the following commands:

  ```azurecli
  az provider register --namespace "Microsoft.Insights"
  az provider register --namespace "Microsoft.Maintenance"
  ```

  - Sign in to the Azure portal and go to your subscription.
  - Under Settings, select Resource providers.
  - Activate both Microsoft.Insights and Microsoft.Maintenance.
:::image type="content" source="./media/enable-cross-subscription-patching/select-resource-providers.png" alt-text="Screenshot that shows how to select the resource providers from subscription." lightbox="./media/enable-cross-subscription-patching/select-resource-providers.png":::
- Grant necessary roles to your managed identity
  - Assign the appropriate roles to your Azure VM and Arc assets to ensure scheduled patching is managed effectively. The required roles are:
    - Scheduled patching contributor
    - Reader
  - These roles can be granted at the resource group level, or at the subscription level if you have resources spread among multiple resource groups and want to include them all at once.
  - If you have a smaller scope and plan to manage it with a dedicated admin or group, these two roles can be granted to a user or a security group (SG). If you are envisioning a larger scope with automation in place, make sure to grant these roles to the API and Service Principal Name (SPN) you use.
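The role assignment step above, scripted with the Azure CLI as an added example (not code from the original article): it grants both roles to one principal at resource group or subscription scopes in more than one subscription, and refuses any other scope. The function names, the `DRY_RUN` switch and all IDs are assumptions made for illustration; with `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the article): assign the two patching roles to one
# principal across scopes in several subscriptions. IDs below are constructed.

# Accept only subscription or resource group scopes, the two levels the
# article names; management-group, root and single-resource scopes are refused.
valid_scope() {
  guid='[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
  # Resource group names: a conservative subset of what Azure allows.
  printf '%s\n' "$1" |
    grep -Eqx "/subscriptions/${guid}(/resourceGroups/[A-Za-z0-9._-]+)?"
}

# Print the command when DRY_RUN=1 (the default), otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '+'
    for a in "$@"; do
      case "$a" in *" "*) printf ' "%s"' "$a" ;; *) printf ' %s' "$a" ;; esac
    done
    printf '\n'
  else
    "$@"
  fi
}

# grant_patch_roles OBJECT_ID PRINCIPAL_TYPE SCOPE...
grant_patch_roles() {
  principal="$1"; ptype="$2"; shift 2; rc=0
  case "$ptype" in
    User|Group|ServicePrincipal) ;;
    *) echo "unsupported principal type: $ptype" >&2; return 2 ;;
  esac
  for scope in "$@"; do
    if ! valid_scope "$scope"; then
      echo "refused scope: $scope" >&2; rc=1; continue
    fi
    for role in "Scheduled Patching Contributor" "Reader"; do
      run az role assignment create --assignee-object-id "$principal" \
        --assignee-principal-type "$ptype" --role "$role" --scope "$scope" || rc=1
    done
  done
  return "$rc"
}

# Constructed demo: one resource group in each of two subscriptions.
grant_patch_roles 11111111-1111-1111-1111-111111111111 ServicePrincipal \
  /subscriptions/aaaaaaaa-0000-0000-0000-000000000001/resourceGroups/rg-patch-prod \
  /subscriptions/bbbbbbbb-0000-0000-0000-000000000002/resourceGroups/rg-patch-dev
```

Set `DRY_RUN=0` after `az login` to apply the assignments; the signed-in account needs permission to create role assignments at each scope.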
- Scheduling using maintenance configurations

  To schedule updates, see Schedule recurring updates on a single VM.