Ability to apply updates on VMs in multiple subscriptions
Our large enterprise customers have a large number of VMs in a large number of subscriptions. We manage automation via a central Azure Automation account. Currently Update Management appears to work only on VMs in the subscription containing the Azure Automation account. Ability is needed so that we can target Azure Automation Update Management to work on VMs in multiple subscriptions.
You can now enroll machines from multiple subscriptions into a single Automation Account. https://docs.microsoft.com/en-us/azure/automation/automation-onboard-solutions-from-browse
However, we still have the requirement that machines enrolled in Update Management only enroll into a single Log Analytics workspace.
I agree that there should not be a requirement that the Log Analytics workspace be in the same subscription as the VMs you are managing.
It is a common configuration to have multiple subscriptions.
It is also a best practice to have a "single pane of glass" for Log Analytics and patch management of all VMs in your environment.
This limitation makes it so that we cannot use the solution.
Pirmin Felber commented
It's a big issue that we can manage any VM (on-prem, AWS...) except those that run in an Azure subscription bound to a different Azure AD tenant.
Is there no workaround to treat Azure VMs the same way as we do non-Azure VMs?
However, any news on that would be great.
I don't think this workaround is a very good one, especially if the other subscriptions have automation accounts and hybrid workers. I tried to onboard a hybrid worker system onto my subscription for patching, and the OMS client kept throwing a "HybridWorker Machine is already registered to different account" error. Meaning this system cannot be patched by OMS patching.
Steve Keeler commented
Have 3 subscriptions with VMs in each and would like to set up 1 Update Management solution in one of those subscriptions (OMS/Log Analytics & Automation in that subscription), then add VMs from all 3 subscriptions. Doesn't look like it is currently possible via the portal, and I don't think the workaround mentioned applies either. What is the timeframe for the Planned solution, and will it support this scenario?
Followed the guide and it's not possible to add VMs from other subscriptions in the Automation Account under Update Management.
We wanted to use a single solution for our hybrid environment, but multi-subscription update management is a must for this. What is the estimated timeline for a solution?
Thanks for the additional details. You're correct in that we don't have a good multi-tenant solution today. Multi-tenant work is on our backlog.
John S commented
The workaround is not feasible when the subscriptions reside in a different Azure Tenant than the Automation Account does.
We have onboarded multiple Virtual Machines from different subscriptions in different tenants already, however, trying to create an update schedule with Azure VMs in subscriptions within a different tenant than the Automation Account will generate the error: the current tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. (The linked subscription is in a different tenant.)
John S commented
As a Cloud Solution Provider, we manage multiple Azure Tenants. We connect all Virtual Machines from different tenants with the same Log Analytics workspace and have successfully been able to deploy Windows Updates from a central OMS interface.
We would like to migrate to Update Management within Azure Automation. This works perfectly for Azure VMs within subscriptions in our own tenant and for non-Azure VMs everywhere. It's just Azure VMs in subscriptions that reside in other Azure AD tenants that we cannot manage like this; if we use the 'old' method in OMS this is not an issue.
Please make it possible to provide Update Management from Azure Automation for Azure VMs connected with our OMS workspace, that reside in subscriptions from different Azure AD Tenants.
The error shown when trying to create an update schedule with Azure VMs in a different tenant is: the current tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is not authorized to access linked subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
Joe Zuchora commented
We manage 40+ subscriptions and need programmatic access to schedule and monitor